
Remove strict validation on response_modes_supported member of OAuthMetadata #1243


Merged
merged 2 commits into from
Aug 7, 2025

Conversation

joesavage-silabs
Contributor

@joesavage-silabs joesavage-silabs commented Aug 6, 2025

Allows compatibility with servers that support the JWT Secured Authorization response mode per https://openid.net/specs/oauth-v2-jarm.html#name-authorization-server-metada

Resolves #1242

Motivation and Context

Fixes OAuth flow when using Keycloak (or any auth server that supports JARM)

How Has This Been Tested?

Tested using remote OAuth2.0 flow with FastMCP and Keycloak

Breaking Changes

None

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Additional context

None

@joesavage-silabs joesavage-silabs requested a review from a team as a code owner August 6, 2025 16:29
@joesavage-silabs joesavage-silabs changed the title Remove strict validation on response_modes_supported member of OAuthMetadata (#1242) Remove strict validation on response_modes_supported member of OAuthMetadata Aug 6, 2025

@panargirakis panargirakis left a comment


Nice! I'd really like to see this merged, it would unblock our use of the library with keycloak

@yannj-fr
Contributor

yannj-fr commented Aug 6, 2025

Yes, I realise that by default Keycloak also adds jwt.query, jwt.fragment...


@ochafik ochafik left a comment


Looks good, thanks for sending this change!

(The OAuth 2.0 Multiple Response Type Encoding Practices spec, linked from response_modes_supported in RFC 8414, indeed meant for this to be an open list of modes: "Note that it is expected that additional Response Modes may be defined by other specifications in the future.")
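As an added illustration of the point made in the PR description and in the comment above (this is not code from the PR or from the python-sdk), the following contrasts a strict, closed-set validator with the open-list validation that RFC 8414 intends, run against a constructed discovery document shaped like what a JARM-capable server such as Keycloak advertises. Assumptions: the pre-fix model only knew "query" and "fragment" (the SDK's actual field definition is not on this page), the hostname is a placeholder, and `pick_response_mode` is an illustrative helper showing where the check belongs once the parser no longer enforces a vocabulary.

```python
from __future__ import annotations

from typing import Literal, get_args

# Closed set a strict model would accept. Assumption for this example only:
# the pre-fix shape knew just "query" and "fragment".
ClosedResponseMode = Literal["query", "fragment"]
CLIENT_SUPPORTED_MODES: tuple[str, ...] = get_args(ClosedResponseMode)

# RFC 8414 section 2: if response_modes_supported is omitted, the default is
# ["query", "fragment"].
RFC8414_DEFAULT_MODES = ["query", "fragment"]

# Constructed sample resembling a JARM-capable server's metadata. The JARM
# mode names (query.jwt, fragment.jwt, form_post.jwt, jwt) come from the JARM
# spec linked in the PR; the issuer and endpoints are placeholders.
JARM_SERVER_METADATA = {
    "issuer": "https://auth.example.test/realms/demo",
    "authorization_endpoint": "https://auth.example.test/realms/demo/protocol/openid-connect/auth",
    "token_endpoint": "https://auth.example.test/realms/demo/protocol/openid-connect/token",
    "response_modes_supported": [
        "query", "fragment", "form_post",
        "query.jwt", "fragment.jwt", "form_post.jwt", "jwt",
    ],
}


def validate_strict(metadata: dict) -> list[str]:
    """Pre-fix behaviour: any mode outside the closed set is a hard error, so the
    whole metadata document is rejected and the OAuth flow never starts."""
    modes = metadata.get("response_modes_supported", RFC8414_DEFAULT_MODES)
    unknown = [m for m in modes if m not in CLIENT_SUPPORTED_MODES]
    if unknown:
        raise ValueError(f"unsupported response modes in metadata: {unknown}")
    return list(modes)


def validate_open(metadata: dict) -> list[str]:
    """Post-fix behaviour: response_modes_supported is an open list of non-empty
    strings. The shape is still validated; only the vocabulary is left open."""
    modes = metadata.get("response_modes_supported", RFC8414_DEFAULT_MODES)
    if not isinstance(modes, list) or not modes:
        raise ValueError("response_modes_supported must be a non-empty list")
    for m in modes:
        if not isinstance(m, str) or not m:
            raise ValueError(f"response mode must be a non-empty string, got {m!r}")
    return list(modes)


def pick_response_mode(advertised: list[str]) -> str | None:
    """Relaxing the parser moves the decision to the point of use: choose the
    first mode the client actually implements, in the client's preference order,
    and return None rather than silently using a mode it cannot handle."""
    for mode in CLIENT_SUPPORTED_MODES:
        if mode in advertised:
            return mode
    return None


if __name__ == "__main__":
    try:
        validate_strict(JARM_SERVER_METADATA)
    except ValueError as exc:
        print("strict model rejects the Keycloak-style document:", exc)
    modes = validate_open(JARM_SERVER_METADATA)
    print("open model accepts:", modes)
    print("client will use:", pick_response_mode(modes))
```

The design choice worth noting is that loosening the Pydantic field does not mean trusting the server's list blindly: the client still selects only a mode it implements, and a server that advertises only JARM modes yields `None` instead of an unsupported flow.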

@ochafik ochafik merged commit ef4e167 into modelcontextprotocol:main Aug 7, 2025
10 checks passed
Development

Successfully merging this pull request may close these issues.

Validation of response_modes_supported member of OAuthMetadata is too strict
4 participants