Client Credentials In the token Handler

[SoldierSacha]

Is your feature request related to a problem? Please describe.
The MCP Authorization Spec 2.1.1 OAuth Grant Types mentions that both Authorization Code and Client Credentials should be handled.

Describe the solution you'd like
In /server/auth/handlers/token.py, we only currently support "authorization-code". It would be fantastic if we could support "client-credentials" as well.

python-sdk/src/mcp/server/auth/handlers/token.py

Lines 26 to 47 in 5441767

	class AuthorizationCodeRequest(BaseModel):
	# See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3
	grant_type: Literal["authorization_code"]
	code: str = Field(..., description="The authorization code")
	redirect_uri: AnyHttpUrl | None = Field(
	None, description="Must be the same as redirect URI provided in /authorize"
	)
	client_id: str
	# we use the client_secret param, per https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1
	client_secret: str | None = None
	# See https://datatracker.ietf.org/doc/html/rfc7636#section-4.5
	code_verifier: str = Field(..., description="PKCE code verifier")
	class RefreshTokenRequest(BaseModel):
	# See https://datatracker.ietf.org/doc/html/rfc6749#section-6
	grant_type: Literal["refresh_token"]
	refresh_token: str = Field(..., description="The refresh token")
	scope: str | None = Field(None, description="Optional scope parameter")
	client_id: str
	# we use the client_secret param, per https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1
	client_secret: str | None = None

Describe alternatives you've considered
I mean it's just more convenient, so I don't have to do the whole PKCE exchange thing if it's not necessary.

Additional context

Link to MCP spec: https://modelcontextprotocol.io/specification/2025-03-26/basic/authorization#2-1-1-oauth-grant-types

[felixweinberger]

This is pending SEP #882 being approved