modelcontextprotocol
diff --git a/‎CLAUDE.md‎
Lines changed: 5 additions & 5 deletions b/‎CLAUDE.md‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎pyproject.toml‎
Lines changed: 3 additions & 0 deletions b/‎pyproject.toml‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎src/mcp/server/auth/handlers/authorize.py‎
Lines changed: 9 additions & 4 deletions b/‎src/mcp/server/auth/handlers/authorize.py‎
Lines changed: 9 additions & 4 deletions
diff --git a/‎src/mcp/server/auth/handlers/metadata.py‎
Lines changed: 5 additions & 4 deletions b/‎src/mcp/server/auth/handlers/metadata.py‎
Lines changed: 5 additions & 4 deletions
diff --git a/‎src/mcp/server/auth/handlers/register.py‎
Lines changed: 11 additions & 8 deletions b/‎src/mcp/server/auth/handlers/register.py‎
Lines changed: 11 additions & 8 deletions
diff --git a/‎src/mcp/server/auth/handlers/revoke.py‎
Lines changed: 16 additions & 10 deletions b/‎src/mcp/server/auth/handlers/revoke.py‎
Lines changed: 16 additions & 10 deletions
@@ -19,7 +19,7 @@ This document contains critical information about working with this codebase. Fo
    - Line length: 88 chars maximum
 
 3. Testing Requirements
-   - Framework: `uv run pytest`
+   - Framework: `uv run --frozen pytest`
    - Async testing: use anyio, not asyncio
    - Coverage: test edge cases and errors
    - New features require tests
@@ -54,9 +54,9 @@ This document contains critical information about working with this codebase. Fo
 ## Code Formatting
 
 1. Ruff
-   - Format: `uv run ruff format .`
-   - Check: `uv run ruff check .`
-   - Fix: `uv run ruff check . --fix`
+   - Format: `uv run --frozen ruff format .`
+   - Check: `uv run --frozen ruff check .`
+   - Fix: `uv run --frozen ruff check . --fix`
    - Critical issues:
      - Line length (88 chars)
      - Import sorting (I001)
@@ -67,7 +67,7 @@ This document contains critical information about working with this codebase. Fo
      - Imports: split into multiple lines
 
 2. Type Checking
-   - Tool: `uv run pyright`
+   - Tool: `uv run --frozen pyright`
    - Requirements:
      - Explicit None checks for Optional
      - Type narrowing for strings
 
@@ -67,6 +67,9 @@ include = ["src/mcp", "tests"]
 venvPath = "."
 venv = ".venv"
 
+[tool.pytest.ini_options]
+markers = ["anyio"]
+
 [tool.ruff.lint]
 select = ["E", "F", "I"]
 ignore = []
 
@@ -9,10 +9,10 @@
 from typing import Any, Callable, Dict, List, Literal, Optional
 from urllib.parse import urlencode, parse_qs
 
-from fastapi import Request, Response
+from starlette.requests import Request
+from starlette.responses import JSONResponse, RedirectResponse, Response
 from pydantic import AnyHttpUrl, AnyUrl, BaseModel, Field, ValidationError
 from pydantic_core import Url
-from starlette.responses import JSONResponse, RedirectResponse
 
 from mcp.server.auth.errors import (
     InvalidClientError, 
@@ -81,9 +81,14 @@ async def authorization_handler(request: Request) -> Response:
         # Validate request parameters
         try:
             if request.method == "GET":
-                auth_request = AuthorizationRequest.model_validate(request.query_params)
+                # Convert query_params to dict for pydantic validation
+                params = dict(request.query_params)
+                auth_request = AuthorizationRequest.model_validate(params)
             else:
-                auth_request = AuthorizationRequest.model_validate_json(await request.body())
+                # Parse form data for POST requests
+                form_data = await request.form()
+                params = dict(form_data)
+                auth_request = AuthorizationRequest.model_validate(params)
         except ValidationError as e:
             raise InvalidRequestError(str(e))
 
 
@@ -5,8 +5,9 @@
 """
 
 from typing import Any, Callable, Dict, Optional
-from fastapi import Request, Response
-from starlette.responses import JSONResponse
+
+from starlette.requests import Request
+from starlette.responses import JSONResponse, Response
 
 
 def create_metadata_handler(metadata: Dict[str, Any]) -> Callable:
@@ -19,15 +20,15 @@ def create_metadata_handler(metadata: Dict[str, Any]) -> Callable:
         metadata: The metadata to return in the response
         
     Returns:
-        A FastAPI route handler function
+        A Starlette endpoint handler function
     """
 
     async def metadata_handler(request: Request) -> Response:
         """
         Handler for the OAuth 2.0 Authorization Server Metadata endpoint.
         
         Args:
-            request: The FastAPI request
+            request: The Starlette request
             
         Returns:
             JSON response with the authorization server metadata
 
@@ -10,15 +10,16 @@
 from typing import Any, Callable, Dict, List, Optional
 from uuid import uuid4
 
-from fastapi import Request, Response
+from starlette.requests import Request
+from starlette.responses import JSONResponse, Response
 from pydantic import ValidationError
-from starlette.responses import JSONResponse
 
 from mcp.server.auth.errors import (
     InvalidRequestError,
     ServerError,
     OAuthError,
 )
+from mcp.server.auth.json_response import PydanticJSONResponse
 from mcp.server.auth.provider import OAuthRegisteredClientsStore
 from mcp.shared.auth import OAuthClientInformationFull, OAuthClientMetadata
 
@@ -31,25 +32,27 @@ def create_registration_handler(clients_store: OAuthRegisteredClientsStore, clie
     
     Args:
         clients_store: The store for registered clients
+        client_secret_expiry_seconds: Optional expiry time for client secrets
         
     Returns:
-        A FastAPI route handler function
+        A Starlette endpoint handler function
     """
 
     async def registration_handler(request: Request) -> Response:
         """
         Handler for the OAuth 2.0 Dynamic Client Registration endpoint.
         
         Args:
-            request: The FastAPI request
+            request: The Starlette request
             
         Returns:
             JSON response with client information or error
         """
         try:
-            # Validate client metadata
+            # Parse request body as JSON
             try:
-                client_metadata = OAuthClientMetadata.model_validate_json(await request.body())
+                body = await request.json()
+                client_metadata = OAuthClientMetadata.model_validate(body)
             except ValidationError as e:
                 raise InvalidRequestError(f"Invalid client metadata: {str(e)}")
 
@@ -90,8 +93,8 @@ async def registration_handler(request: Request) -> Response:
                 raise ServerError("Failed to register client")
 
             # Return client information
-            return JSONResponse(
-                content=client.model_dump(exclude_none=True),
+            return PydanticJSONResponse(
+                content=client,
                 status_code=201
             )
 
 
@@ -6,20 +6,24 @@
 
 from typing import Any, Callable, Dict, Optional
 
-from fastapi import Request, Response
+from starlette.requests import Request
+from starlette.responses import Response
 from pydantic import ValidationError
-from starlette.responses import JSONResponse, Response as StarletteResponse
 
 from mcp.server.auth.errors import (
     InvalidRequestError,
     ServerError,
     OAuthError,
 )
+from mcp.server.auth.middleware import client_auth
 from mcp.server.auth.provider import OAuthServerProvider
 from mcp.shared.auth import OAuthClientInformationFull, OAuthTokenRevocationRequest
+from mcp.server.auth.middleware.client_auth import ClientAuthRequest, ClientAuthenticator
 
+class RevocationRequest(OAuthTokenRevocationRequest, ClientAuthRequest):
+    pass
 
-def create_revocation_handler(provider: OAuthServerProvider) -> Callable:
+def create_revocation_handler(provider: OAuthServerProvider, client_authenticator: ClientAuthenticator) -> Callable:
     """
     Create a handler for OAuth 2.0 Token Revocation.
     
@@ -29,25 +33,27 @@ def create_revocation_handler(provider: OAuthServerProvider) -> Callable:
         provider: The OAuth server provider
         
     Returns:
-        A FastAPI route handler function
+        A Starlette endpoint handler function
     """
 
-    async def revocation_handler(request: Request, client_auth: OAuthClientInformationFull) -> Response:
+    async def revocation_handler(request: Request) -> Response:
         """
         Handler for the OAuth 2.0 Token Revocation endpoint.
         """
-        # Validate revocation request
         try:
-            revocation_request = OAuthTokenRevocationRequest.model_validate_json(await request.body())
+            revocation_request = RevocationRequest.model_validate_json(await request.body())
         except ValidationError as e:
-            raise InvalidRequestError(str(e))
+            raise InvalidRequestError(f"Invalid request body: {e}")
+        
+        # Authenticate client
+        client_auth_result = await client_authenticator(revocation_request)
 
         # Revoke token
         if provider.revoke_token:
-            await provider.revoke_token(client_auth, revocation_request)
+            await provider.revoke_token(client_auth_result, revocation_request)
 
         # Return successful empty response
-        return StarletteResponse(
+        return Response(
             status_code=200,
             headers={
                 "Cache-Control": "no-store",