initial commit

Author: ihrpr

README.md

@@ -796,6 +796,86 @@ async def main():
             tool_result = await session.call_tool("echo", {"message": "hello"})
 ```
 
+### OAuth Authentication for Clients
+
+The SDK supports OAuth 2.0 client authentication for secure access to MCP servers that require authentication:
+
+```python
+from mcp.client.auth import OAuthClientProvider, UnauthorizedError
+from mcp.client.oauth_providers import InMemoryOAuthProvider
+from mcp.client.streamable_http import streamablehttp_client
+from mcp.shared.auth import OAuthClientMetadata
+from mcp import ClientSession
+
+# Create an OAuth provider
+oauth_provider = InMemoryOAuthProvider(
+    redirect_url="http://localhost:8080/callback",
+    client_metadata=OAuthClientMetadata(
+        redirect_uris=["http://localhost:8080/callback"],
+        client_name="My MCP Client",
+        scope="tools resources",  # Request specific scopes
+    ),
+)
+
+async def main():
+    # Connect with OAuth authentication
+    async with streamablehttp_client(
+        "https://example.com/mcp",
+        auth_provider=oauth_provider,
+    ) as (read_stream, write_stream, _):
+        # Create a session
+        async with ClientSession(read_stream, write_stream) as session:
+            # Initialize (this may trigger OAuth flow)
+            try:
+                await session.initialize()
+                # Use authenticated session
+                result = await session.call_tool("protected_tool", {"arg": "value"})
+            except UnauthorizedError:
+                # Handle authorization required
+                print("Authorization required. Check your browser.")
+
+# Handle OAuth callback after user authorization
+async def handle_callback(authorization_code: str):
+    from mcp.client.streamable_http import StreamableHTTPTransport
+    
+    # Create a transport instance to handle auth completion
+    transport = StreamableHTTPTransport(
+        url="https://example.com/mcp",
+        auth_provider=oauth_provider,
+    )
+    
+    # Exchange authorization code for tokens
+    await transport.finish_auth(authorization_code)
+    print("Authorization successful!")
+```
+
+#### Custom OAuth Providers
+
+You can implement custom OAuth storage by creating your own provider:
+
+```python
+from mcp.client.oauth_providers import InMemoryOAuthProvider
+
+class DatabaseOAuthProvider(InMemoryOAuthProvider):
+    async def save_tokens(self, tokens):
+        # Save to database
+        await db.save_tokens(self.client_id, tokens)
+    
+    async def tokens(self):
+        # Load from database
+        return await db.load_tokens(self.client_id)
+    
+    # Implement other methods as needed...
+```
+
+The OAuth client implementation supports:
+
+- Dynamic client registration
+- Authorization code flow with PKCE
+- Token refresh
+- Multiple storage providers (in-memory and file-based included)
+- Automatic token management and retry logic
+
 ### MCP Primitives
 
 The MCP protocol defines three core primitives that servers can implement:

examples/clients/simple-auth-client/README.md

@@ -0,0 +1,152 @@
+# Simple OAuth Client Example
+
+This example demonstrates how to create an MCP client that connects to an OAuth-protected server using the Python SDK's OAuth client support.
+
+## Overview
+
+This client connects to the [simple-auth server](../../servers/simple-auth/) and demonstrates:
+- OAuth 2.0 client authentication with PKCE
+- Token storage and management
+- Handling the OAuth authorization flow
+- Making authenticated requests to protected tools
+
+## Prerequisites
+
+1. **Set up the simple-auth server first**:
+   - Follow the instructions in [../../servers/simple-auth/README.md](../../servers/simple-auth/README.md)
+   - Make sure the server is running on `http://localhost:8000`
+
+2. **Create a GitHub OAuth App** (if not done already):
+   - Go to GitHub Settings > Developer settings > OAuth Apps > New OAuth App
+   - Application name: "Simple MCP Auth Demo"
+   - Homepage URL: `http://localhost:8000`
+   - Authorization callback URL: `http://localhost:8080/callback`
+   - Note: The client uses port 8080 for its callback, while the server uses 8000
+
+## Installation
+
+```bash
+# Install dependencies with uv
+uv install
+
+# Or install in development mode with dev dependencies
+uv install --dev
+```
+
+## Running the Client
+
+```bash
+# Basic usage - will start OAuth flow if not authenticated
+uv run mcp-simple-auth-client
+
+# Specify custom server URL
+uv run mcp-simple-auth-client --server-url http://localhost:8000
+
+# Specify custom callback port (if port 8080 is in use)
+uv run mcp-simple-auth-client --callback-port 8081
+
+# Use file-based token storage instead of in-memory
+uv run mcp-simple-auth-client --use-file-storage
+
+# Run with debug logging
+uv run mcp-simple-auth-client --debug
+```
+
+## How It Works
+
+1. **First Run**: If no tokens are stored, the client will:
+   - Start a local HTTP server to handle the OAuth callback
+   - Open your default browser to the GitHub authorization page
+   - Wait for you to authorize the application
+   - Exchange the authorization code for tokens
+   - Save the tokens for future use
+
+2. **Subsequent Runs**: The client will:
+   - Load existing tokens from storage
+   - Use them to authenticate with the server
+   - Automatically refresh tokens if needed
+
+3. **Making Requests**: Once authenticated, the client can:
+   - Call the `get_user_profile` tool
+   - Display the GitHub user information
+
+## Example Output
+
+```
+$ uv run mcp-simple-auth-client
+Starting OAuth client...
+No existing tokens found. Starting OAuth flow...
+Opening authorization URL in browser...
+Starting callback server on http://localhost:8080...
+Waiting for OAuth callback...
+Authorization successful!
+Connecting to MCP server...
+Calling get_user_profile tool...
+
+GitHub User Profile:
+{
+  "login": "username",
+  "id": 12345,
+  "name": "John Doe",
+  "email": "[email protected]",
+  "bio": "Developer",
+  "public_repos": 42,
+  "followers": 100,
+  "following": 50
+}
+
+Done!
+```
+
+## OAuth Flow
+
+```
+Client                    Browser                    GitHub                    MCP Server
+  |                         |                          |                          |
+  |-- Opens auth URL ------>|                          |                          |
+  |                         |-- User authorizes ------>|                          |
+  |                         |                          |<-- Auth code ------------|
+  |<-- Callback ------------|                          |                          |
+  |                         |                          |                          |
+  |-- Exchange code for tokens ------------------------>|                          |
+  |<-- Access token -----------------------------------|                          |
+  |                         |                          |                          |
+  |-- Authenticated request -------------------------------------------------------->|
+  |<-- Protected resource -----------------------------------------------------------|
+```
+
+## Development
+
+```bash
+# Run linting
+uv run ruff check .
+
+# Run type checking
+uv run pyright
+
+# Run with development dependencies
+uv run --dev pytest
+```
+
+## Troubleshooting
+
+**Client fails to connect:**
+- Make sure the server is running: `uv run mcp-simple-auth` in the server directory
+- Check that the server URL is correct (default: http://localhost:8000)
+- Verify OAuth configuration matches between client and server
+
+**OAuth flow fails:**
+- Ensure GitHub OAuth app callback URL matches the client's callback URL
+- Check that no other service is using the callback port (default: 8080)
+- Make sure your browser allows opening localhost URLs
+
+**Token issues:**
+- Delete stored tokens to restart the OAuth flow: `rm oauth_*.json`
+- Check that the server is configured with valid GitHub OAuth credentials
+
+## Security Notes
+
+- Tokens are stored locally in files or memory
+- The local callback server only runs during the OAuth flow
+- Consider using HTTPS in production environments
+- Implement proper token encryption for sensitive applications

examples/clients/simple-auth-client/mcp_simple_auth_client/__init__.py

@@ -0,0 +1 @@
+"""Simple OAuth client for MCP simple-auth server."""