fix: routing bug (#108)

mplemay · web-flow · commit 1b20e17408e7 · 2026-03-09T13:11:47.000-05:00
diff --git a/packages/belgie-alchemy/src/belgie_alchemy/__tests__/integration/core/oauth/test_routes_register.py b/packages/belgie-alchemy/src/belgie_alchemy/__tests__/integration/core/oauth/test_routes_register.py
@@ -107,7 +107,7 @@ async def test_register_enabled_unauthenticated_allows_public_clients(
 
 
 @pytest.mark.asyncio
-async def test_register_enabled_unauthenticated_rejects_confidential_clients(
+async def test_register_enabled_unauthenticated_allows_omitted_auth_method(
     belgie_instance,
     oauth_settings: OAuthServer,
 ) -> None:
@@ -127,6 +127,34 @@ async def test_register_enabled_unauthenticated_rejects_confidential_clients(
             },
         )
 
+    assert response.status_code == 200
+    payload = response.json()
+    assert payload["client_secret"] is not None
+    assert payload["token_endpoint_auth_method"] == "client_secret_post"  # noqa: S105
+
+
+@pytest.mark.asyncio
+async def test_register_enabled_unauthenticated_rejects_explicit_confidential_clients(
+    belgie_instance,
+    oauth_settings: OAuthServer,
+) -> None:
+    settings_payload = oauth_settings.model_dump(mode="python")
+    settings_payload["allow_dynamic_client_registration"] = True
+    settings_payload["allow_unauthenticated_client_registration"] = True
+    settings = OAuthServer(**settings_payload)
+    belgie_instance.add_plugin(settings)
+    app = FastAPI()
+    app.include_router(belgie_instance.router)
+    transport = httpx.ASGITransport(app=app)
+    async with httpx.AsyncClient(transport=transport, base_url="http://testserver") as client:
+        response = await client.post(
+            "/auth/oauth/register",
+            json={
+                "redirect_uris": ["http://testserver/callback"],
+                "token_endpoint_auth_method": "client_secret_post",
+            },
+        )
+
     assert response.status_code == 401
     payload = response.json()
     assert payload["error"] == "invalid_request"
diff --git a/packages/belgie-oauth-server/src/belgie_oauth_server/plugin.py b/packages/belgie-oauth-server/src/belgie_oauth_server/plugin.py
@@ -371,7 +371,9 @@ async def register_handler(  # noqa: PLR0911
                 if exc.status_code != status.HTTP_401_UNAUTHORIZED:
                     raise
 
-            is_public_client = (metadata.token_endpoint_auth_method or "client_secret_post") == "none"
+            # Treat omitted auth method like public registration here so MCP clients can
+            # register anonymously; the provider still defaults it later.
+            is_public_client = metadata.token_endpoint_auth_method in {None, "none"}
             if not authenticated:
                 if not settings.allow_unauthenticated_client_registration:
                     return _oauth_error(
