Remove ClientAuthRequest

Author: praboud-ant

src/mcp/server/auth/handlers/token.py

@@ -15,29 +15,33 @@
 from mcp.server.auth.json_response import PydanticJSONResponse
 from mcp.server.auth.middleware.client_auth import (
     ClientAuthenticator,
-    ClientAuthRequest,
 )
 from mcp.server.auth.provider import OAuthServerProvider
 from mcp.shared.auth import OAuthToken
 
 
-class AuthorizationCodeRequest(ClientAuthRequest):
+class AuthorizationCodeRequest(BaseModel):
     # See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3
     grant_type: Literal["authorization_code"]
     code: str = Field(..., description="The authorization code")
     redirect_uri: AnyHttpUrl | None = Field(
         ..., description="Must be the same as redirect URI provided in /authorize"
     )
     client_id: str
+    # we use the client_secret param, per https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1
+    client_secret: str | None = None
     # See https://datatracker.ietf.org/doc/html/rfc7636#section-4.5
     code_verifier: str = Field(..., description="PKCE code verifier")
 
 
-class RefreshTokenRequest(ClientAuthRequest):
+class RefreshTokenRequest(BaseModel):
     # See https://datatracker.ietf.org/doc/html/rfc6749#section-6
     grant_type: Literal["refresh_token"]
     refresh_token: str = Field(..., description="The refresh token")
     scope: str | None = Field(None, description="Optional scope parameter")
+    client_id: str
+    # we use the client_secret param, per https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1
+    client_secret: str | None = None
 
 
 class TokenRequest(RootModel):
@@ -103,7 +107,10 @@ async def handle(self, request: Request):
             )
 
         try:
-            client_info = await self.client_authenticator(token_request)
+            client_info = await self.client_authenticator.authenticate(
+                client_id=token_request.client_id,
+                client_secret=token_request.client_secret,
+            )
         except InvalidClientError as e:
             return self.response(e.error_response())
 

src/mcp/server/auth/middleware/client_auth.py

@@ -1,26 +1,16 @@
 import time
 
-from pydantic import BaseModel
-
 from mcp.server.auth.errors import InvalidClientError
 from mcp.server.auth.provider import OAuthRegisteredClientsStore
 from mcp.shared.auth import OAuthClientInformationFull
 
 
-class ClientAuthRequest(BaseModel):
-    # TODO: mix this directly into TokenRequest
-
-    client_id: str
-    client_secret: str | None = None
-
-
 class ClientAuthenticator:
     """
     ClientAuthenticator is a callable which validates requests from a client
-    application,
-    used to verify /token and /revoke calls.
+    application, used to verify /token calls.
     If, during registration, the client requested to be issued a secret, the
-    authenticator asserts that /token and /register calls must be authenticated with
+    authenticator asserts that /token calls must be authenticated with
     that same token.
     NOTE: clients can opt for no authentication during registration, in which case this
     logic is skipped.
@@ -35,19 +25,21 @@ def __init__(self, clients_store: OAuthRegisteredClientsStore):
         """
         self.clients_store = clients_store
 
-    async def __call__(self, request: ClientAuthRequest) -> OAuthClientInformationFull:
+    async def authenticate(
+        self, client_id: str, client_secret: str | None
+    ) -> OAuthClientInformationFull:
         # Look up client information
-        client = await self.clients_store.get_client(request.client_id)
+        client = await self.clients_store.get_client(client_id)
         if not client:
             raise InvalidClientError("Invalid client_id")
 
         # If client from the store expects a secret, validate that the request provides
         # that secret
         if client.client_secret:
-            if not request.client_secret:
+            if not client_secret:
                 raise InvalidClientError("Client secret is required")
 
-            if client.client_secret != request.client_secret:
+            if client.client_secret != client_secret:
                 raise InvalidClientError("Invalid client_secret")
 
             if (

src/mcp/server/auth/provider.py

@@ -1,9 +1,3 @@
-"""
-OAuth server provider interfaces for MCP authorization.
-
-Corresponds to TypeScript file: src/server/auth/provider.ts
-"""
-
 from typing import Literal, Protocol
 from urllib.parse import parse_qs, urlencode, urlparse, urlunparse
 
@@ -17,12 +11,6 @@
 
 
 class AuthorizationParams(BaseModel):
-    """
-    Parameters for the authorization flow.
-
-    Corresponds to AuthorizationParams in src/server/auth/provider.ts
-    """
-
     state: str | None = None
     scopes: list[str] | None = None
     code_challenge: str
@@ -46,12 +34,6 @@ class RefreshToken(BaseModel):
 
 
 class OAuthRegisteredClientsStore(Protocol):
-    """
-    Interface for storing and retrieving registered OAuth clients.
-
-    Corresponds to OAuthRegisteredClientsStore in src/server/auth/clients.ts
-    """
-
     async def get_client(self, client_id: str) -> OAuthClientInformationFull | None:
         """
         Retrieves client information by client ID.
@@ -66,7 +48,7 @@ async def get_client(self, client_id: str) -> OAuthClientInformationFull | None:
 
     async def register_client(self, client_info: OAuthClientInformationFull) -> None:
         """
-        Registers a new client
+        Saves client information as part of registering it.
 
         Args:
             client_info: The client metadata to register.
@@ -75,12 +57,6 @@ async def register_client(self, client_info: OAuthClientInformationFull) -> None
 
 
 class OAuthServerProvider(Protocol):
-    """
-    Implements an end-to-end OAuth server.
-
-    Corresponds to OAuthServerProvider in src/server/auth/provider.ts
-    """
-
     @property
     def clients_store(self) -> OAuthRegisteredClientsStore:
         """