Add test for protected resources through .well-known/oauth-protected-resource checking

yannj-fr · yannj-fr · commit 32151a645c9e · 2025-08-06T10:34:31.000+02:00
diff --git a/tests/server/fastmcp/auth/test_auth_integration.py b/tests/server/fastmcp/auth/test_auth_integration.py
@@ -26,6 +26,7 @@
     ClientRegistrationOptions,
     RevocationOptions,
     create_auth_routes,
+    create_protected_resource_routes,
 )
 from mcp.shared.auth import (
     OAuthClientInformationFull,
@@ -216,6 +217,25 @@ def auth_app(mock_oauth_provider):
     return app
 
 
+@pytest.fixture
+def protected_resource_app(auth_app):
+    """Fixture to create protected resource routes for testing."""
+
+    print(auth_app.router.routes)
+    # Create the protected resource routes
+    protected_resource_routes = create_protected_resource_routes(
+        resource_url=AnyHttpUrl("https://example.com/resource"),
+        authorization_servers=[AnyHttpUrl("https://auth.example.com/authorization")],
+        scopes_supported=["read", "write"],
+        resource_name="Example Resource",
+        resource_documentation=AnyHttpUrl("https://docs.example.com/resource"),
+    )
+
+    # add routes to the auth app
+    auth_app.router.routes.extend(protected_resource_routes)
+    return auth_app
+
+
 @pytest.fixture
 async def test_client(auth_app):
     async with httpx.AsyncClient(transport=httpx.ASGITransport(app=auth_app), base_url="https://mcptest.com") as client:
@@ -1201,3 +1221,26 @@ async def test_authorize_invalid_scope(self, test_client: httpx.AsyncClient, reg
         # State should be preserved
         assert "state" in query_params
         assert query_params["state"][0] == "test_state"
+
+
+class TestProtectedResourceMetadata:
+    """Test the Protected Resource Metadata model."""
+
+    @pytest.mark.anyio
+    async def test_metadata_endpoint(self, protected_resource_app: Starlette, test_client: httpx.AsyncClient):
+        """Test the OAuth 2.0 Protected Resource metadata endpoint."""
+        print("Sending request to protected resource metadata endpoint")
+        response = await test_client.get("/.well-known/oauth-protected-resource")
+        print(f"Got response: {response.status_code}")
+        if response.status_code != 200:
+            print(f"Response content: {response.content}")
+        assert response.status_code == 200
+
+        metadata = response.json()
+        print(f"Protected Resource Metadata: {metadata}")
+        assert metadata["resource"] == "https://example.com/resource"
+        assert metadata["authorization_servers"] == ["https://auth.example.com/authorization"]
+        assert metadata["scopes_supported"] == ["read", "write"]
+        assert metadata["resource_name"] == "Example Resource"
+        assert metadata["resource_documentation"] == "https://docs.example.com/resource"
+        assert metadata["bearer_methods_supported"] == ["header"]
diff --git a/tests/shared/test_auth.py b/tests/shared/test_auth.py
@@ -1,6 +1,7 @@
 """Tests for OAuth 2.0 shared code."""
 
 import pytest
+
 from mcp.shared.auth import OAuthMetadata, ProtectedResourceMetadata
 
 
