Skip to content

Implement support for client_credentials #1020

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 22 commits into
base: main
Choose a base branch
from
Open

Implement support for client_credentials #1020

wants to merge 22 commits into from
+1,358 −44

Conversation

LucaButBoring
Copy link
Contributor

@LucaButBoring LucaButBoring commented Jun 24, 2025
edited
Loading

Implements support for the client_credentials flow over client_secret_basic/client_secret_post. Requires the client to explicitly declare support for the client_credentials grant type, as demonstrated in the example code.

Motivation and Context

Enables machine-to-machine auth and using IdPs that don't support a code grant flow.

How Has This Been Tested?

Added an example that integrates with Discord using this flow. The example does not use Dynamic Client Registration because the OAuthProvider boilerplate that offers that has the authorization code grant flow baked into it right now. Instead, a dummy client ID and client secret are hardcoded in the TokenStorage implementation.

Breaking Changes

  • Possible breaking change? OAuthClientInformationFull.client_id is now optional as described in the OAuth 2.1 specification, section 3.2.2.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Additional context

#709

LucaButBoring and others added 13 commits June 23, 2025 10:52
@LucaButBoring
Implement client credentials auth flow
873bbe0
@LucaButBoring
Add example client and server for client_credentials flow
7c65d76
@LucaButBoring
Set issuer to AS URI for RFC8414 compliance in auth example
d927bc0
@LucaButBoring
Merge RS/AS in client_credentials example
20b5dfc
@LucaButBoring
Revert "Merge RS/AS in client_credentials example"
1a5f104 
This reverts commit 20b5dfc.
@LucaButBoring
Implement simplified RS+AS token mapping without DCR
fe548e5
@LucaButBoring
Update naming and docs for client credentials example
7e0dfaf
@LucaButBoring
Implement client_secret_post support in client credentials example
4ab922c
@LucaButBoring
Don't use client_credentials by default; fix test
e3a2b6d
@LucaButBoring
Merge branch 'main' of https://github.com/modelcontextprotocol/python…
ed2a486 
…-sdk into feat/client-credentials
@LucaButBoring
Add tests for client_credentials flow
a8067e1
@LucaButBoring
Merge branch 'main' into feat/client-credentials
0be70c4
@LucaButBoring
Update function name in PRM unit tests
13b3478
@LucaButBoring LucaButBoring marked this pull request as ready for review June 25, 2025 20:30
@ihrpr ihrpr added this to the auth-spec milestone Jun 30, 2025
@SoldierSacha
Copy link

I also implemented this, along with the token exchange grant type in addition to client credentials

#882

@clareliguori clareliguori mentioned this pull request Jul 9, 2025
Open
@LucaButBoring LucaButBoring requested review from a team as code owners July 24, 2025 20:06
@LucaButBoring
Copy link
Contributor Author

@pcarleton @dsp-ant Let me know if I should close this in favor of #882, or if the credential grants should be PR'd separately (whether that looks like #882 being split or scoped down to token_exchange). There is also now an SEP that would benefit from either PR to satisfy the implementation example requirement.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pcarleton pcarleton Awaiting requested review from pcarleton pcarleton is a code owner automatically assigned from modelcontextprotocol/python-sdk-auth

@dsp-ant dsp-ant Awaiting requested review from dsp-ant dsp-ant is a code owner automatically assigned from modelcontextprotocol/python-sdk

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
auth
Development

Successfully merging this pull request may close these issues.
3 participants
@LucaButBoring @SoldierSacha @ihrpr