authorization-server: also include CLIENT_SECRET_POST auth method for DCR

- Claude code uses both PKCE + client_secret in the body of the request.

Signed-off-by: Daniel Garnier-Moiroux <[email protected]>

Author: Kehrlann

mcp-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2ClientRegistrationEndpointConfigurer.java

@@ -82,8 +82,9 @@ public RegisteredClient convert(OAuth2ClientRegistration clientRegistration) {
 						clientRegistration.getClaims().get(RESOURCE_IDS_KEY));
 			}
 			return RegisteredClient.from(registeredClient)
-				// dgarnier
 				.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
+				// claude code does client_secret_post + PKCE
+				.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_POST)
 				.clientAuthenticationMethod(ClientAuthenticationMethod.NONE)
 				.clientSettings(clientSettingsBuilder.build())
 				.build();

mcp-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/converter/OAuth2ClientRegistrationRegisteredClientConverter.java

@@ -67,6 +67,9 @@ else if (ClientAuthenticationMethod.CLIENT_SECRET_JWT.getValue().equals(clientRe
 		else if (ClientAuthenticationMethod.PRIVATE_KEY_JWT.getValue().equals(clientRegistration.getTokenEndpointAuthenticationMethod())) {
 			builder.clientAuthenticationMethod(ClientAuthenticationMethod.PRIVATE_KEY_JWT);
 		}
+		else if (ClientAuthenticationMethod.NONE.getValue().equals(clientRegistration.getTokenEndpointAuthenticationMethod())) {
+			builder.clientAuthenticationMethod(ClientAuthenticationMethod.NONE);
+		}
 		else {
 			builder
 					.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)