Skip to content

Implement RFC 7523 JWT flows #1247

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 32 commits into
base: main
Choose a base branch
from
Open

Implement RFC 7523 JWT flows #1247

wants to merge 32 commits into from
+442 −55

Conversation

LucaButBoring
Copy link
Contributor

@LucaButBoring LucaButBoring commented Aug 7, 2025
edited
Loading

Implements support for the RFC 7523 authentication flows. This PR is a trimmed-down version of #1020, but will likely be superceded by a future authlib-based implementation (see #1240).

Compared to #1020, this implements the flow via a separate httpx.Auth subclass, which is in-line with prior maintainer feedback on how to grow these auth implementations.

Motivation and Context

Implementation example for modelcontextprotocol/modelcontextprotocol#1046.

How Has This Been Tested?

Unit tests (TBD: unit tests for section 2.2 flow). Planning to spot test with Keycloak setup once that gets published.

Breaking Changes

None.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Additional context

LucaButBoring and others added 30 commits June 23, 2025 10:52
@LucaButBoring
Implement client credentials auth flow
873bbe0
@LucaButBoring
Add example client and server for client_credentials flow
7c65d76
@LucaButBoring
Set issuer to AS URI for RFC8414 compliance in auth example
d927bc0
@LucaButBoring
Merge RS/AS in client_credentials example
20b5dfc
@LucaButBoring
Revert "Merge RS/AS in client_credentials example"
1a5f104 
This reverts commit 20b5dfc.
@LucaButBoring
Implement simplified RS+AS token mapping without DCR
fe548e5
@LucaButBoring
Update naming and docs for client credentials example
7e0dfaf
@LucaButBoring
Implement client_secret_post support in client credentials example
4ab922c
@LucaButBoring
Don't use client_credentials by default; fix test
e3a2b6d
@LucaButBoring
Merge branch 'main' of https://github.com/modelcontextprotocol/python…
ed2a486 
…-sdk into feat/client-credentials
@LucaButBoring
Add tests for client_credentials flow
a8067e1
@LucaButBoring
Merge branch 'main' into feat/client-credentials
0be70c4
@LucaButBoring
Update function name in PRM unit tests
13b3478
@LucaButBoring
Merge branch 'main' into feat/client-credentials
aaf2cc7
@LucaButBoring
Use client_metadata to determine if 2LO should be used
efecc7d
@LucaButBoring
Merge branch 'main' into feat/client-credentials
f1d1591
@LucaButBoring
Merge branch 'main' into feat/client-credentials
06177d1
@LucaButBoring
Merge branch 'main' into feat/client-credentials
2a2f562
@LucaButBoring
Fix Markdown formatting
31eeb63
@LucaButBoring
Merge branch 'main' of https://github.com/modelcontextprotocol/python…
ac75345 
…-sdk into feat/client-credentials
@LucaButBoring
Merge branch 'main' into feat/client-credentials
c3c6725
@LucaButBoring
Update auth tests to fix mock behavior
4a4c007
@LucaButBoring
Merge branch 'main' of https://github.com/modelcontextprotocol/python…
6677894 
…-sdk into feat/client-credentials
@LucaButBoring
Implement RFC 7523 authorization grant flow
fc8331c
@yannj-fr @LucaButBoring
Implement RFC 7523 Section 2.2 for client_credentials
39758e2
@LucaButBoring
Add case for preconfigured assertion in RFC7523 S2.2 flow
36532fd
@LucaButBoring
Remove 2LO example for now
ed23997 
No longer doing external integration examples as of modelcontextprotocol#1011. Will likely bring this back later as a standalone example.
@LucaButBoring
Remove 2LO in this branch, limit to RFC7523
e10f7c9
@LucaButBoring
Fix rfc8707 test error
bcc5b39 
Python default parameters reuse their references, so we can't use a collection like a dict as a default parameter value or we'll dirty our state.
@LucaButBoring
Merge branch 'main' into feat/rfc7523
b90a6c2
@yannj-fr
Copy link
Contributor

yannj-fr commented Aug 8, 2025

Does it means that at the client creation, we have to select a different class?

@LucaButBoring
Copy link
Contributor Author

Does it means that at the client creation, we have to select a different class?

Yes, that's what I inferred from @ochafik's statement on #1020:

After chatting w/ the team it would seem indeed that something along the lines of #882 would reduce the maintenance complexity (changes encapsulated in httpx.Auth)

@yannj-fr
Copy link
Contributor

Now sep 1046 was approved do you want to move forward?

@LucaButBoring LucaButBoring changed the title [DO NOT MERGE] Implement RFC 7523 JWT flows Implement RFC 7523 JWT flows Aug 12, 2025
@LucaButBoring LucaButBoring marked this pull request as ready for review August 12, 2025 19:10
@LucaButBoring LucaButBoring requested review from a team as code owners August 12, 2025 19:10
@LucaButBoring LucaButBoring requested a review from ochafik August 12, 2025 19:10
@LucaButBoring
Copy link
Contributor Author

Now sep 1046 was approved do you want to move forward?

Updated the PR and opened.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ochafik ochafik Awaiting requested review from ochafik ochafik is a code owner automatically assigned from modelcontextprotocol/python-sdk-auth

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@LucaButBoring @yannj-fr