OAuth TokenHandler Enhancement: Authorization Header Fallback Support #1316
+460
−2
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…tials - Implement fallback logic in TokenHandler to check Authorization header when client credentials are missing from form data - Support Basic authentication with proper Base64 decoding and URL decoding - Add comprehensive test suite covering all scenarios - Maintain backward compatibility with existing form data authentication - Improve OAuth 2.0 compliance by supporting both client_secret_post and client_secret_basic methods Fixes modelcontextprotocol#1315
…tests - Fix abstract method signatures in MockOAuthProvider - Correct Request constructor usage in mock_request fixture - Add proper type annotations and type ignore comments - Fix line length issues and import from collections.abc - Ensure all tests pass type checking and linting
- Implement fallback to extract client credentials from Authorization header - Support Basic authentication when client_id is missing from form data - Handle URL-encoded client secrets properly - Add comprehensive test coverage for the new functionality - Follows OAuth 2.0 RFC 6749 specifications for client authentication Fixes modelcontextprotocol#1315
felixweinberger
added
auth
felixweinberger
requested changes
Sep 26, 2025
OAUTH_ENHANCEMENT_SUMMARY.md
Outdated
| @@ -0,0 +1,122 @@ | |||
| # OAuth TokenHandler Enhancement - Issue #1315 | |||
There was a problem hiding this comment.
Was this intentionally included? We shouldn't be adding large .md files describing a specific implementation fix.
There was a problem hiding this comment.
Deleted! That makes sense. It's my first time contributing to this project didn't realize it's not necessary.
|
Hi @ChenyangLi4288 , thanks for sending this PR! It looks like #1334 might be a preferable approach as it also deals with advertising the new method in auth_methods_supported, returns 401s for auth failures and updates the ClientAuthenticator "middleware" instead of the token handler. (Please feel free to comment on the other PR or let me know if you feel strongly like this should be reopened) Cheers |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
OAuth TokenHandler Enhancement: Authorization Header Fallback Support
This PR implements the enhancement requested in issue #1315 to add fallback support for OAuth client credentials in the Authorization header when they are missing from the request form data. This improves OAuth 2.0 compliance by supporting both
client_secret_postandclient_secret_basicauthentication methods.Changes Made
Fixes #1315
This PR adds fallback support for OAuth client credentials in the Authorization header when they are missing from the request form data. The TokenHandler now checks for Basic authentication in the Authorization header as a fallback, improving OAuth 2.0 compliance by supporting both client_secret_post and client_secret_basic methods.
Motivation and Context
Currently, the TokenHandler only looks for client credentials in the request form data. However, according to OAuth 2.0 specifications, client credentials can also be provided in the Authorization header using Basic authentication. When credentials are only provided in the header, the handler throws a ValidationError even though valid credentials are present. This enhancement addresses this limitation by implementing a fallback mechanism.
How Has This Been Tested?
Comprehensive tests have been added covering:
All new tests pass (7/7) and existing tests continue to pass. Code passes linting (ruff) and type checking (pyright).
Breaking Changes
None. This is a purely additive enhancement that maintains 100% backward compatibility. Existing OAuth clients using form data authentication will continue to work exactly as before.
Types of changes
Checklist
Additional context
The implementation follows OAuth 2.0 best practices and maintains the security model while improving flexibility for different client implementations. It's particularly useful for web applications, mobile apps, and enterprise integrations that prefer using Basic authentication headers. The enhancement is non-intrusive and only activates when credentials are missing from form data, ensuring minimal performance impact.