Merge branch 'main' into main

Author: SoldierSacha

.github/CODEOWNERS

@@ -0,0 +1,23 @@
+# CODEOWNERS for MCP Python SDK
+# See https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
+
+# Default maintainers for everything
+* @modelcontextprotocol/python-sdk-maintainers
+
+# Auth-related code requires additional review from auth team
+/src/mcp/client/auth.py @modelcontextprotocol/python-sdk-auth @modelcontextprotocol/python-sdk-maintainers
+/src/mcp/server/auth/ @modelcontextprotocol/python-sdk-auth @modelcontextprotocol/python-sdk-maintainers
+/src/mcp/server/transport_security.py @modelcontextprotocol/python-sdk-auth @modelcontextprotocol/python-sdk-maintainers
+/src/mcp/shared/auth*.py @modelcontextprotocol/python-sdk-auth @modelcontextprotocol/python-sdk-maintainers
+
+# Auth-related tests
+/tests/client/test_auth.py @modelcontextprotocol/python-sdk-auth @modelcontextprotocol/python-sdk-maintainers
+/tests/server/auth/ @modelcontextprotocol/python-sdk-auth @modelcontextprotocol/python-sdk-maintainers
+/tests/server/test_*security.py @modelcontextprotocol/python-sdk-auth @modelcontextprotocol/python-sdk-maintainers
+/tests/server/fastmcp/auth/ @modelcontextprotocol/python-sdk-auth @modelcontextprotocol/python-sdk-maintainers
+/tests/shared/test_auth*.py @modelcontextprotocol/python-sdk-auth @modelcontextprotocol/python-sdk-maintainers
+
+# Auth-related examples
+/examples/clients/simple-auth-client/ @modelcontextprotocol/python-sdk-auth @modelcontextprotocol/python-sdk-maintainers
+/examples/snippets/clients/oauth_client.py @modelcontextprotocol/python-sdk-auth @modelcontextprotocol/python-sdk-maintainers
+/examples/snippets/servers/oauth_server.py @modelcontextprotocol/python-sdk-auth @modelcontextprotocol/python-sdk-maintainers

src/mcp/client/auth.py

@@ -517,16 +517,16 @@ async def async_auth_flow(self, request: httpx.Request) -> AsyncGenerator[httpx.
                     # Step 2: Discover OAuth metadata (with fallback for legacy servers)
                     discovery_urls = self._get_discovery_urls()
                     for url in discovery_urls:
-                        request = self._create_oauth_metadata_request(url)
-                        response = yield request
+                        oauth_metadata_request = self._create_oauth_metadata_request(url)
+                        oauth_metadata_response = yield oauth_metadata_request
 
-                        if response.status_code == 200:
+                        if oauth_metadata_response.status_code == 200:
                             try:
-                                await self._handle_oauth_metadata_response(response)
+                                await self._handle_oauth_metadata_response(oauth_metadata_response)
                                 break
                             except ValidationError:
                                 continue
-                        elif response.status_code != 404:
+                        elif oauth_metadata_response.status_code != 404:
                             break  # Non-404 error, stop trying
 
                     # Step 3: Register client if needed

src/mcp/server/streamable_http_manager.py

@@ -4,7 +4,6 @@
 
 import contextlib
 import logging
-import threading
 from collections.abc import AsyncIterator
 from http import HTTPStatus
 from typing import Any
@@ -75,7 +74,7 @@ def __init__(
         # The task group will be set during lifespan
         self._task_group = None
         # Thread-safe tracking of run() calls
-        self._run_lock = threading.Lock()
+        self._run_lock = anyio.Lock()
         self._has_started = False
 
     @contextlib.asynccontextmanager
@@ -97,7 +96,7 @@ async def lifespan(app: Starlette) -> AsyncIterator[None]:
                 yield
         """
         # Thread-safe check to ensure run() is only called once
-        with self._run_lock:
+        async with self._run_lock:
             if self._has_started:
                 raise RuntimeError(
                     "StreamableHTTPSessionManager .run() can only be called "

src/mcp/types.py

@@ -36,7 +36,7 @@
 ProgressToken = str | int
 Cursor = str
 Role = Literal["user", "assistant"]
-RequestId = Annotated[int | str, Field(union_mode="left_to_right")]
+RequestId = Annotated[int, Field(strict=True)] | str
 AnyFunction: TypeAlias = Callable[..., Any]
 
 
@@ -849,7 +849,7 @@ class Tool(BaseMetadata):
     """A JSON Schema object defining the expected parameters for the tool."""
     outputSchema: dict[str, Any] | None = None
     """
-    An optional JSON Schema object defining the structure of the tool's output 
+    An optional JSON Schema object defining the structure of the tool's output
     returned in the structuredContent field of a CallToolResult.
     """
     annotations: ToolAnnotations | None = None

tests/client/test_auth.py

@@ -343,7 +343,7 @@ async def test_handle_metadata_response_success(self, oauth_provider):
         # Create minimal valid OAuth metadata
         content = b"""{
             "issuer": "https://auth.example.com",
-            "authorization_endpoint": "https://auth.example.com/authorize", 
+            "authorization_endpoint": "https://auth.example.com/authorize",
             "token_endpoint": "https://auth.example.com/token"
         }"""
         response = httpx.Response(200, content=content)
@@ -572,6 +572,105 @@ async def test_auth_flow_with_valid_tokens(self, oauth_provider, mock_storage, v
         except StopAsyncIteration:
             pass  # Expected
 
+    @pytest.mark.anyio
+    async def test_auth_flow_with_no_tokens(self, oauth_provider, mock_storage):
+        """Test auth flow when no tokens are available, triggering the full OAuth flow."""
+        # Ensure no tokens are stored
+        oauth_provider.context.current_tokens = None
+        oauth_provider.context.token_expiry_time = None
+        oauth_provider._initialized = True
+
+        # Create a test request
+        test_request = httpx.Request("GET", "https://api.example.com/mcp")
+
+        # Mock the auth flow
+        auth_flow = oauth_provider.async_auth_flow(test_request)
+
+        # First request should be the original request without auth header
+        request = await auth_flow.__anext__()
+        assert "Authorization" not in request.headers
+
+        # Send a 401 response to trigger the OAuth flow
+        response = httpx.Response(
+            401,
+            headers={
+                "WWW-Authenticate": 'Bearer resource_metadata="https://api.example.com/.well-known/oauth-protected-resource"'
+            },
+            request=test_request,
+        )
+
+        # Next request should be to discover protected resource metadata
+        discovery_request = await auth_flow.asend(response)
+        assert discovery_request.method == "GET"
+        assert str(discovery_request.url) == "https://api.example.com/.well-known/oauth-protected-resource"
+
+        # Send a successful discovery response with minimal protected resource metadata
+        discovery_response = httpx.Response(
+            200,
+            content=b'{"resource": "https://api.example.com/mcp", "authorization_servers": ["https://auth.example.com"]}',
+            request=discovery_request,
+        )
+
+        # Next request should be to discover OAuth metadata
+        oauth_metadata_request = await auth_flow.asend(discovery_response)
+        assert oauth_metadata_request.method == "GET"
+        assert str(oauth_metadata_request.url).startswith("https://auth.example.com/")
+        assert "mcp-protocol-version" in oauth_metadata_request.headers
+
+        # Send a successful OAuth metadata response
+        oauth_metadata_response = httpx.Response(
+            200,
+            content=(
+                b'{"issuer": "https://auth.example.com", '
+                b'"authorization_endpoint": "https://auth.example.com/authorize", '
+                b'"token_endpoint": "https://auth.example.com/token", '
+                b'"registration_endpoint": "https://auth.example.com/register"}'
+            ),
+            request=oauth_metadata_request,
+        )
+
+        # Next request should be to register client
+        registration_request = await auth_flow.asend(oauth_metadata_response)
+        assert registration_request.method == "POST"
+        assert str(registration_request.url) == "https://auth.example.com/register"
+
+        # Send a successful registration response
+        registration_response = httpx.Response(
+            201,
+            content=b'{"client_id": "test_client_id", "client_secret": "test_client_secret", "redirect_uris": ["http://localhost:3030/callback"]}',
+            request=registration_request,
+        )
+
+        # Mock the authorization process
+        oauth_provider._perform_authorization = mock.AsyncMock(return_value=("test_auth_code", "test_code_verifier"))
+
+        # Next request should be to exchange token
+        token_request = await auth_flow.asend(registration_response)
+        assert token_request.method == "POST"
+        assert str(token_request.url) == "https://auth.example.com/token"
+        assert "code=test_auth_code" in token_request.content.decode()
+
+        # Send a successful token response
+        token_response = httpx.Response(
+            200,
+            content=(
+                b'{"access_token": "new_access_token", "token_type": "Bearer", "expires_in": 3600, '
+                b'"refresh_token": "new_refresh_token"}'
+            ),
+            request=token_request,
+        )
+
+        # Final request should be the original request with auth header
+        final_request = await auth_flow.asend(token_response)
+        assert final_request.headers["Authorization"] == "Bearer new_access_token"
+        assert final_request.method == "GET"
+        assert str(final_request.url) == "https://api.example.com/mcp"
+
+        # Verify tokens were stored
+        assert oauth_provider.context.current_tokens is not None
+        assert oauth_provider.context.current_tokens.access_token == "new_access_token"
+        assert oauth_provider.context.token_expiry_time is not None
+
 
 class TestClientCredentialsProvider:
     @pytest.mark.anyio

tests/issues/test_88_random_error.py

@@ -28,8 +28,7 @@ async def test_notification_validation_error(tmp_path: Path):
 
     server = Server(name="test")
     request_count = 0
-    slow_request_started = anyio.Event()
-    slow_request_complete = anyio.Event()
+    slow_request_lock = anyio.Event()
 
     @server.list_tools()
     async def list_tools() -> list[types.Tool]:
@@ -52,16 +51,9 @@ async def slow_tool(name: str, arg) -> Sequence[ContentBlock]:
         request_count += 1
 
         if name == "slow":
-            # Signal that slow request has started
-            slow_request_started.set()
-            # Long enough to ensure timeout
-            await anyio.sleep(0.2)
-            # Signal completion
-            slow_request_complete.set()
+            await slow_request_lock.wait()  # it should timeout here
             return [TextContent(type="text", text=f"slow {request_count}")]
         elif name == "fast":
-            # Fast enough to complete before timeout
-            await anyio.sleep(0.01)
             return [TextContent(type="text", text=f"fast {request_count}")]
         return [TextContent(type="text", text=f"unknown {request_count}")]
 
@@ -95,16 +87,15 @@ async def client(read_stream, write_stream, scope):
             # First call should work (fast operation)
             result = await session.call_tool("fast")
             assert result.content == [TextContent(type="text", text="fast 1")]
-            assert not slow_request_complete.is_set()
+            assert not slow_request_lock.is_set()
 
             # Second call should timeout (slow operation)
             with pytest.raises(McpError) as exc_info:
                 await session.call_tool("slow")
             assert "Timed out while waiting" in str(exc_info.value)
 
-            # Wait for slow request to complete in the background
-            with anyio.fail_after(1):  # Timeout after 1 second
-                await slow_request_complete.wait()
+            # release the slow request not to have hanging process
+            slow_request_lock.set()
 
             # Third call should work (fast operation),
             # proving server is still responsive

tests/shared/test_sse.py

@@ -466,12 +466,21 @@ async def test_request_context_isolation(context_server: None, server_url: str)
 
 
 def test_sse_message_id_coercion():
-    """Test that string message IDs that look like integers are parsed as integers.
+    """Previously, the `RequestId` would coerce a string that looked like an integer into an integer.
 
     See <https://github.com/modelcontextprotocol/python-sdk/pull/851> for more details.
+
+    As per the JSON-RPC 2.0 specification, the id in the response object needs to be the same type as the id in the
+    request object. In other words, we can't perform the coercion.
+
+    See <https://www.jsonrpc.org/specification#response_object> for more details.
     """
     json_message = '{"jsonrpc": "2.0", "id": "123", "method": "ping", "params": null}'
     msg = types.JSONRPCMessage.model_validate_json(json_message)
+    assert msg == snapshot(types.JSONRPCMessage(root=types.JSONRPCRequest(method="ping", jsonrpc="2.0", id="123")))
+
+    json_message = '{"jsonrpc": "2.0", "id": 123, "method": "ping", "params": null}'
+    msg = types.JSONRPCMessage.model_validate_json(json_message)
     assert msg == snapshot(types.JSONRPCMessage(root=types.JSONRPCRequest(method="ping", jsonrpc="2.0", id=123)))