Open
Initial Checks
- I confirm that I'm using the latest version of MCP Python SDK
- I confirm that I searched for my issue in https://github.com/modelcontextprotocol/python-sdk/issues before opening this issue
Description
ClientAuthenticator behavior is only partially honoring token_endpoint_auth_method="none":
python-sdk/src/mcp/server/auth/middleware/client_auth.py
Lines 102 to 104 in 6b69f63
```python
if client.client_secret:  # pragma: no branch
    if not request_client_secret:
        raise AuthenticationError("Client secret is required")  # pragma: no cover
```
Essentially:
- token_endpoint_auth_method="none" => skip extracting credentials from the request (correct)
- client.client_secret exists => raise error if no credentials were extracted from the request (incorrect)
If token_endpoint_auth_method="none" is set, it should never be checking for a client_secret value on the request, regardless of whether a secret has ever been generated for the client.
Suggested fix is to condition the client.client_secret check on token_endpoint_auth_method not being none:
```python
if token_endpoint_auth_method != "none" and client.client_secret:  # pragma: no branch
    if not request_client_secret:
        raise AuthenticationError("Client secret is required")  # pragma: no cover
```
Example Code
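As an added illustration (not code from the MCP Python SDK or from this issue), the two functions below model the quoted check next to the suggested fix; Client, extract_request_secret and authenticates are assumed stand-ins for the SDK's own types and the sample clients are constructed:

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional

class AuthenticationError(Exception):
    pass

@dataclass
class Client:
    # Hypothetical stand-in for the SDK's registered client record.
    client_id: str
    client_secret: Optional[str]
    token_endpoint_auth_method: str  # "none" marks a public client

def extract_request_secret(client: Client, form: Dict[str, str]) -> Optional[str]:
    # The part the issue calls correct: no credentials are extracted for "none".
    if client.token_endpoint_auth_method == "none":
        return None
    return form.get("client_secret")

def check_reported(client: Client, form: Dict[str, str]) -> None:
    # Behaviour the issue reports: the secret check ignores the auth method,
    # so a public client that ever had a secret generated is rejected.
    request_client_secret = extract_request_secret(client, form)
    if client.client_secret:
        if not request_client_secret:
            raise AuthenticationError("Client secret is required")

def check_fixed(client: Client, form: Dict[str, str]) -> None:
    # The suggested fix: only demand a secret when the method is not "none".
    request_client_secret = extract_request_secret(client, form)
    if client.token_endpoint_auth_method != "none" and client.client_secret:
        if not request_client_secret:
            raise AuthenticationError("Client secret is required")

def authenticates(check: Callable[[Client, Dict[str, str]], None],
                  client: Client, form: Dict[str, str]) -> bool:
    # True if the check accepts the request, False if it raises.
    try:
        check(client, form)
    except AuthenticationError:
        return False
    return True

# Constructed sample clients: a public client with a stray generated secret,
# and a confidential client that must still present its secret.
PUBLIC = Client("public-app", "generated-but-unused", "none")
CONFIDENTIAL = Client("server-app", "s3cret", "client_secret_post")
```

The fix changes nothing for the confidential client: a request without a secret is still rejected.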
Python & MCP Python SDK
1.25.0