Clean up registration endpoint

praboud-ant · dsp-ant · commit 3968f864b042 · 2025-03-13T14:19:55.000Z
diff --git a/src/mcp/server/auth/handlers/authorize.py b/src/mcp/server/auth/handlers/authorize.py
@@ -21,12 +21,6 @@
 
 
 class AuthorizationRequest(BaseModel):
-    """
-    Model for the authorization request parameters.
-
-    Corresponds to request schema in authorizationHandler in src/server/auth/handlers/authorize.ts
-    """
-
     client_id: str = Field(..., description="The client ID")
     redirect_uri: AnyHttpUrl | None = Field(
         ..., description="URL to redirect to after authorization"
@@ -42,7 +36,8 @@ class AuthorizationRequest(BaseModel):
     state: Optional[str] = Field(None, description="Optional state parameter")
     scope: Optional[str] = Field(
         None,
-        description="Optional scope; if specified, should be a space-separated list of scope strings",
+        description="Optional scope; if specified, should be " \
+            "a space-separated list of scope strings",
     )
 
     class Config:
diff --git a/src/mcp/server/auth/handlers/token.py b/src/mcp/server/auth/handlers/token.py
@@ -24,24 +24,13 @@
 
 
 class AuthorizationCodeRequest(ClientAuthRequest):
-    """
-    Model for the authorization code grant request parameters.
-
-    Corresponds to AuthorizationCodeExchangeSchema in src/server/auth/handlers/token.ts
-    """
-
     grant_type: Literal["authorization_code"]
     code: str = Field(..., description="The authorization code")
     code_verifier: str = Field(..., description="PKCE code verifier")
+    # TODO: this should take redirect_uri
 
 
 class RefreshTokenRequest(ClientAuthRequest):
-    """
-    Model for the refresh token grant request parameters.
-
-    Corresponds to RefreshTokenExchangeSchema in src/server/auth/handlers/token.ts
-    """
-
     grant_type: Literal["refresh_token"]
     refresh_token: str = Field(..., description="The refresh token")
     scope: Optional[str] = Field(None, description="Optional scope parameter")
@@ -54,48 +43,25 @@ class TokenRequest(RootModel):
     ]
 
 
-# TokenRequest = RootModel(Annotated[Union[AuthorizationCodeRequest, RefreshTokenRequest], Field(discriminator="grant_type")])
-
 
 def create_token_handler(
     provider: OAuthServerProvider, client_authenticator: ClientAuthenticator
 ) -> Callable:
-    """
-    Create a handler for the OAuth 2.0 Token endpoint.
-
-    Corresponds to tokenHandler in src/server/auth/handlers/token.ts
-
-    Args:
-        provider: The OAuth server provider
-
-    Returns:
-        A Starlette endpoint handler function
-    """
-
     async def token_handler(request: Request):
-        """
-        Handler for the OAuth 2.0 Token endpoint.
-
-        Args:
-            request: The Starlette request
-
-        Returns:
-            JSON response with tokens or error
-        """
-        # Parse request body as form data or JSON
-        content_type = request.headers.get("Content-Type", "")
-
         try:
             token_request = TokenRequest.model_validate_json(await request.body()).root
         except ValidationError as e:
             raise InvalidRequestError(f"Invalid request body: {e}")
         client_info = await client_authenticator(token_request)
 
+        if token_request.grant_type not in client_info.grant_types:
+            raise InvalidRequestError(f"Unsupported grant type (supported grant types are {client_info.grant_types})")
+
         tokens: OAuthTokens
 
         match token_request:
             case AuthorizationCodeRequest():
-                # TODO: verify that the redirect URIs match; does the client actually provide this?
+                # TODO: verify that the redirect URIs match
                 # see https://datatracker.ietf.org/doc/html/rfc6749#section-10.6
                 # TODO: enforce TTL on the authorization code
 
diff --git a/src/mcp/server/auth/middleware/client_auth.py b/src/mcp/server/auth/middleware/client_auth.py
@@ -31,13 +31,13 @@ class ClientAuthRequest(BaseModel):
 
 class ClientAuthenticator:
     """
-    Dependency that authenticates a client using client_id and client_secret.
-
-    This is a callable that can be used to validate client credentials in a request.
-
-    Corresponds to authenticateClient in src/server/auth/middleware/clientAuth.ts
+    ClientAuthenticator is a callable which validates requests from a client application,
+    used to verify /token and /revoke calls.
+    If, during registration, the client requested to be issued a secret, the authenticator
+    asserts that /token and /register calls must be authenticated with that same token.
+    NOTE: clients can opt for no authentication during registration, in which case this logic
+    is skipped.
     """
-
     def __init__(self, clients_store: OAuthRegisteredClientsStore):
         """
         Initialize the dependency.
diff --git a/src/mcp/shared/auth.py b/src/mcp/shared/auth.py
@@ -4,7 +4,7 @@
 Corresponds to TypeScript file: src/shared/auth.ts
 """
 
-from typing import Any, List, Optional
+from typing import Any, List, Literal, Optional
 
 from pydantic import AnyHttpUrl, BaseModel, Field
 
@@ -38,18 +38,24 @@ class OAuthTokens(BaseModel):
 class OAuthClientMetadata(BaseModel):
     """
     RFC 7591 OAuth 2.0 Dynamic Client Registration metadata.
-
-    Corresponds to OAuthClientMetadataSchema in src/shared/auth.ts
+    See https://datatracker.ietf.org/doc/html/rfc7591#section-2
+    for the full specification.
     """
 
     redirect_uris: List[AnyHttpUrl] = Field(..., min_length=1)
-    token_endpoint_auth_method: Optional[str] = None
-    grant_types: Optional[List[str]] = None
-    response_types: Optional[List[str]] = None
+    # token_endpoint_auth_method: this implementation only supports none & client_secret_basic;
+    # ie: we do not support client_secret_post
+    token_endpoint_auth_method: Literal["none", "client_secret_basic"] = "client_secret_basic"
+    # grant_types: this implementation only supports authorization_code & refresh_token
+    grant_types: List[Literal["authorization_code", "refresh_token"]] = ["authorization_code"]
+    # this implementation only supports code; ie: it does not support implicit grants
+    response_types: List[Literal["code"]] = ["code"]
+    scope: Optional[str] = None
+
+    # these fields are currently unused, but we support & store them for potential future use
     client_name: Optional[str] = None
     client_uri: Optional[AnyHttpUrl] = None
     logo_uri: Optional[AnyHttpUrl] = None
-    scope: Optional[str] = None
     contacts: Optional[List[str]] = None
     tos_uri: Optional[AnyHttpUrl] = None
     policy_uri: Optional[AnyHttpUrl] = None
diff --git a/tests/server/fastmcp/auth/test_auth_integration.py b/tests/server/fastmcp/auth/test_auth_integration.py
@@ -335,6 +335,7 @@ async def test_authorization_flow(
         client_metadata = {
             "redirect_uris": ["https://client.example.com/callback"],
             "client_name": "Test Client",
+            "grant_types": ["authorization_code", "refresh_token"]
         }
 
         response = await test_client.post(

Original file line number	Diff line number	Diff line change
`@@ -335,6 +335,7 @@ async def test_authorization_flow(`
`335`	`335`	`client_metadata = {`
`336`	`336`	`"redirect_uris": ["https://client.example.com/callback"],`
`337`	`337`	`"client_name": "Test Client",`
	`338`	`+ "grant_types": ["authorization_code", "refresh_token"]`
`338`	`339`	`}`
`339`	`340`
`340`	`341`	`response = await test_client.post(`