Skip to content

feat(auth): add unified auth protocol discovery and optional DPoP support#2003

Open
nypdmax wants to merge 60 commits intomodelcontextprotocol:mainfrom
nypdmax:pr/auth-ext-cherrypick
Open

feat(auth): add unified auth protocol discovery and optional DPoP support#2003
nypdmax wants to merge 60 commits intomodelcontextprotocol:mainfrom
nypdmax:pr/auth-ext-cherrypick

Conversation

@nypdmax
Copy link

@nypdmax nypdmax commented Feb 6, 2026

Motivation and Context

This PR adds multi-protocol authentication support to the MCP Python SDK, centered around unified authorization
server discovery so clients can discover, select, and apply one of multiple supported auth protocols consistently.

Key capabilities:

  • Unified auth protocol discovery via /.well-known/authorization_servers plus RFC 9728 PRM fallback.
    • Allows servers to advertise multiple protocols (e.g. oauth2, api_key) with optional default protocol and
      preferences.
    • Allows clients to select an injected protocol instance based on server hints and preferences, with safe fallbacks.
  • Extensible protocol metadata (MCP extension fields) to represent protocol endpoints/capabilities consistently.
  • DPoP support (RFC 9449):
    • Client-side proof generation and header injection (opt-in).
    • Server-side proof verification integrated into verification flow (opt-in).
  • Streamable HTTP server maintainability: refactors request handling to reduce complexity while preserving behavior.
  • Examples support: adds a small FastMCP compatibility wrapper used by examples and updates multiprotocol examples.
  • Documentation updates covering protocol discovery and multiprotocol usage.

How Has This Been Tested?

  • Full test suite:
    • PYTEST_DISABLE_PLUGIN_AUTOLOAD="" uv run --frozen pytest
    • Result: 1229 passed, 95 skipped, 1 xfailed
  • Lint / typecheck:
    • uv run --frozen ruff format --check .
    • uv run --frozen ruff check .
    • uv run --frozen pyright

Spec compliance notes (additive extensions)

This PR keeps MCP Authorization (2025-06-18) OAuth behavior intact (RFC 9728 PRM + RFC 8414 metadata + RFC 8707
resource indicators). It also adds optional extensions to support multi-protocol auth and stronger token binding:

  • Multi-protocol selection (extension):

    • Optional /.well-known/authorization_servers endpoint (best-effort; client falls back if missing).
    • Optional PRM extension fields: mcp_auth_protocols, mcp_default_auth_protocol, mcp_auth_protocol_preferences.
    • Optional WWW-Authenticate: Bearer ... hint params: auth_protocols, default_protocol, protocol_preferences
      (ignored by spec-only clients).

  • DPoP (RFC 9449) (optional extension): adds opt-in DPoP proof generation/verification; standard Bearer flow remains
    supported when disabled.

Interoperability: spec-only servers/clients can ignore these extensions and continue using the standard OAuth discovery
and Bearer token flow.

Breaking Changes

None expected. Changes are additive and aim to preserve existing behavior and public APIs.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Additional context

Suggested review order (commit-by-commit):

  1. Streamable HTTP server refactor
  2. Auth server token handling + verifiers (and tests)
  3. Multi-protocol client/provider behavior + test coverage
  4. DPoP client/server pieces + tests
  5. FastMCP wrapper + updated examples
  6. Documentation updates

nypdmax added 30 commits February 6, 2026 10:39
@nypdmax
feat(auth): multi-protocol auth stage 1 — models, protocol interfaces…
d9d76cf 
…, WWW-Authenticate extensions
@nypdmax
Add AuthProtocolRegistry for multi-protocol auth selection
1334eef
@nypdmax
Add discover_authorization_servers with PRM fallback and type fixes
d49e295
@nypdmax
Add MultiProtocolAuthProvider core for multi-protocol auth
d068465
@nypdmax
Add 401/403 handling skeleton to MultiProtocolAuthProvider
2574853
@nypdmax
Add _discover_and_authenticate full logic and storage adapter to Mult…
5d80e84 
…iProtocolAuthProvider
@nypdmax
Add CredentialVerifier and OAuthTokenVerifier with unit tests
6d5b6e2
@nypdmax
API Key verifier: prefer X-API-Key, optional Bearer; drop ApiKey scheme
ce2deee
@nypdmax
Extend create_protected_resource_routes with auth_protocols, default_…
e6893a4 
…protocol, protocol_preferences
@nypdmax
Add AuthorizationServersDiscoveryHandler and create_authorization_ser…
b7b04d9 
…vers_discovery_routes
@nypdmax
Add Phase 2 auth integration test and client auth protocol module
ed8a520
@nypdmax
Add Phase 1 OAuth2 integration test script and regression test plan
995a1b1
@nypdmax
Add simple-auth-multiprotocol server example (OAuth, API Key, mTLS pl…
1a37dd8 
…aceholder)
@nypdmax
feat(examples): add simple-auth-multiprotocol-client and Pyright conf…
139d652 
…ig for examples/clients

- Add examples/clients/simple-auth-multiprotocol-client (API Key + mTLS placeholder)
- Pyright: include examples/clients; executionEnvironments + extraPaths for client packages
- Fixes import resolution for mcp_simple_auth_multiprotocol_client.main in __main__.py
@nypdmax
fix(auth): API Key scope for RequireAuthMiddleware; add phase2 multip…
3d22414 
…rotocol integration test script

- APIKeyVerifier: optional scopes param for AccessToken (satisfy required_scopes)
- simple-auth-multiprotocol: build_multiprotocol_backend(api_key_scopes=[mcp_scope])
- scripts/run_phase2_multiprotocol_integration_test.sh: api_key (default), oauth (AS+RS+simple-auth-client), mutual_tls (placeholder)
@nypdmax
feat(auth): add OAuth2Protocol thin adapter and run_authentication, a…
9f3c7c3 
…lign resource_metadata_url with 401 branch
@nypdmax
feat(auth): implement OAuth2Protocol.discover_metadata (RFC 8414), ad…
d87e8cc 
…d optional http_client to discover_metadata
@nypdmax
test(auth): add run_authentication unit tests with mock HTTP
dae53d7
@nypdmax
feat(auth): implement DPoP client (RFC 9449) with key pair, proof gen…
f84fe64 
…erator and storage

- Add DPoPKeyPair for ES256/RS256 key generation with configurable RSA key size
- Add DPoPProofGeneratorImpl for generating DPoP proof JWTs per RFC 9449
- Add InMemoryDPoPStorage for key pair persistence
- Add compute_jwk_thumbprint for RFC 7638 JWK Thumbprint calculation
- Include comprehensive unit tests (12 test cases)
@nypdmax
feat(auth): implement DPoP server-side verification (RFC 9449)
e83e975 
Add DPoPProofVerifier for validating DPoP proof JWTs per RFC 9449 Section 4.3,
including replay protection, claim validation, and JWK thumbprint verification.
@nypdmax
feat(auth): integrate DPoP into OAuth2Protocol and credential verifiers
44901e1 
Add DPoP support to OAuth2Protocol implementing DPoPEnabledProtocol,
inject DPoP proofs via MultiProtocolAuthProvider, and verify DPoP-bound
tokens in OAuthTokenVerifier.
@nypdmax
feat(auth): add DPoP support to simple-auth-multiprotocol example
07ac1f8 
Add --dpop-enabled CLI flag and integrate DPoPProofVerifier with
MultiProtocolAuthBackend for end-to-end DPoP verification.
@nypdmax
Add DPoP integration test script and multiprotocol example updates
3a3d914 
- Add scripts/run_phase4_dpop_integration_test.sh for automated DPoP tests
- Update test_oauth2_protocol: expect OAuthFlowError when http_client is None
- Update simple-auth-multiprotocol-client: OAuth+DPoP support, InMemoryStorage
- Update simple-auth-multiprotocol: DPoP logging, oauth2 protocol_version 2.0
@nypdmax
Refactor OAuth 401/403 flow with shared generator to fix deadlock
cb5f638 
- Add _oauth_401_flow.py: oauth_401_flow_generator, oauth_403_flow_generator
- Refactor OAuthClientProvider.async_auth_flow to drive shared generators
- Refactor MultiProtocolAuthProvider 401 handling to use shared OAuth flow
- Fix OAuth2Protocol.authenticate to use fresh client when called outside flow
- Fix OAuthTokenVerifier: use scope for HTTP method (HTTPConnection compat)
@nypdmax
chore(tests): move integration scripts to client example dir.
283a84e
@nypdmax
fix(server): handle session termination race in streamable HTTP
4589cad
@nypdmax
fix(auth): fallback to injected protocols on 401
e9338fc 
Prefer only locally injected protocol instances when selecting the auth protocol, and ensure the final response corresponds to the original request (avoid leaking discovery responses).
@nypdmax
test(auth): cover protocol fallback and discovery leakage
571edfe 
Add regression tests ensuring 401 handling falls back when the server default protocol isn't injected, and that discovery responses are never returned as the business request response.
@nypdmax
chore(examples): harden multiprotocol client/script flows
5d38e4b 
Make api_key and mutual_tls runs non-interactive with clear PASS/FAIL, add oauth_dpop mode wiring, and allow forcing mutual_tls protocol injection for placeholder coverage.
@nypdmax
docs(auth): document TokenStorage dual contract, add OAuthTokenStorag…
fbf9ad9 
…eAdapter and unit tests
nypdmax added 30 commits February 6, 2026 10:52
@nypdmax
chore(repo): ignore local plans and cursorrules
5129578 
Ignore /plans/ and /.cursorrules to keep local scratch docs and Cursor config out of version control.
@nypdmax
feat(auth): OAuth2 client_credentials grant and fixed_client_info
53b11f9 
- OAuthClientProvider: add fixed_client_info, _exchange_token_client_credentials
- OAuth2Protocol: accept fixed_client_info for M2M flows
- MultiProtocolAuthProvider: pass fixed_client_info into OAuthClientProvider
- _oauth_401_flow: require client_info for client_credentials, skip dynamic registration
- Server token handler: ClientCredentialsRequest, exchange_client_credentials
- Server routes: advertise client_credentials in grant_types_supported
@nypdmax
feat(examples): client_credentials in simple-auth, multiprotocol disc…
1dda3cd 
…overy variants

- simple-auth: exchange_client_credentials, demo client_credentials client
- simple-auth-multiprotocol: add prm_only, path_only, root_only, oauth_fallback
  server variants and CLI entry points for discovery E2E testing
@nypdmax
refactor(auth): reduce async_auth_flow complexity, remove noqa
8c1b060
@nypdmax
fix(auth): restore multiprotocol provider after refactor
de25956
@nypdmax
fix(auth): pad EC P-256 JWK coordinates to fixed 32 bytes
24bd45b 
Also sync grant_types_supported test assertions with 6cf977b.
@nypdmax
mcp supporting multi-authentication schemas DD
5cabe19
@nypdmax
docs(auth): update auth-analysis and multi-protocol-refactoring-plan
6aa7e77
@nypdmax
Add API Key, DPoP, and Mutual TLS running instructions to multiprotoc…
b68a193 
…ol examples
@nypdmax
Add authorization design docs (multi-protocol)
4445b51
@nypdmax
Fix multi authentication schema design doc
b5e3172
@nypdmax
docs(auth): protocol discovery order and auth discovery logging
3159ef0 
- authorization-multiprotocol.md: discovery order (PRM → path-relative → root → OAuth fallback), client flow, [Auth discovery] DEBUG logs
- auth-analysis.md: multi-protocol discovery order and logging in §4.2, §12.1.3, §13.2.2
- multi-protocol-refactoring-plan.md: §11.4 PRM-first order, §11.5 note, §3.2.2 pseudo-code; auth discovery logging
@nypdmax
docs(examples): rename MCP_AUTH_PROTOCOL and update guides
9179e8f 
Update multiprotocol docs/READMEs to use MCP_AUTH_PROTOCOL (no PHASE wording) and align example instructions with the hardened scripts.
@nypdmax
docs(auth): refresh multiprotocol and client_credentials documentation
01236d4
@nypdmax
chore(repo): align gitignore with main
c3ca87c
@nypdmax
chore(auth): drop internal design docs from src
bcda500
@nypdmax
refactor(server): simplify streamable HTTP request handling
a3c84c4
@nypdmax
refactor(auth-server): tighten token handling and verifiers
4b1846e
@nypdmax
chore(auth): translate comments and docstrings to English
c51a103
@nypdmax
chore(dpop): tidy client implementation and tests
187c433
@nypdmax
test(auth): tidy multiprotocol client test docs
de0241c
@nypdmax
feat(server): add FastMCP compatibility wrapper for examples
4348a2c
@nypdmax
chore(examples): update multiprotocol auth examples
8855822
@nypdmax
test(auth): wrap long oauth2 protocol docstring
1ad8c89
@nypdmax
docs: fix markdownlint in auth multiprotocol docs
76b1d1e
@nypdmax
test(auth): add coverage tests to satisfy 100% gate
310d939
@nypdmax
fix(auth): remove unnecessary pragma no cover annotations
ea5910d
@nypdmax
fix(auth): add lax no cover to Protocol stubs for Python 3.14 coverage
87288eb
@nypdmax
docs: fix script cmds and unnecessary content
9e1a9ab
@nypdmax
chore: clean up legacy env var and echo in scripts
ea9074c
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@nypdmax