python-sdk/tests/shared/test_auth.py at 76d3e94a0c662ba94f98aab8a2b59e437a73d5ee · modelcontextprotocol/python-sdk · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
"""Tests for OAuth 2.0 shared code."""

import pytest

from mcp.shared.auth import InvalidScopeError, OAuthClientInformationFull, OAuthMetadata


def _make_client(scope: str | None) -> OAuthClientInformationFull:
    return OAuthClientInformationFull.model_validate(
        {
            "redirect_uris": ["https://example.com/callback"],
            "scope": scope,
            "client_id": "test-client",
        }
    )


def test_validate_scope_returns_none_when_no_scope_requested():
    client = _make_client("read write")
    assert client.validate_scope(None) is None


def test_validate_scope_allows_registered_scopes():
    client = _make_client("read write")
    assert client.validate_scope("read") == ["read"]
    assert client.validate_scope("read write") == ["read", "write"]


def test_validate_scope_raises_for_unregistered_scope():
    client = _make_client("read")
    with pytest.raises(InvalidScopeError):
        client.validate_scope("read admin")


def test_validate_scope_allows_any_scope_when_client_has_no_scope_restriction():
    """When client.scope is None, any requested scope should be allowed (issue #2216)."""
    client = _make_client(None)
    assert client.validate_scope("read") == ["read"]
    assert client.validate_scope("read write admin") == ["read", "write", "admin"]


def test_oauth():
    """Should not throw when parsing OAuth metadata."""
    OAuthMetadata.model_validate(
        {
            "issuer": "https://example.com",
            "authorization_endpoint": "https://example.com/oauth2/authorize",
            "token_endpoint": "https://example.com/oauth2/token",
            "scopes_supported": ["read", "write"],
            "response_types_supported": ["code", "token"],
            "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
        }
    )


def test_oidc():
    """Should not throw when parsing OIDC metadata."""
    OAuthMetadata.model_validate(
        {
            "issuer": "https://example.com",
            "authorization_endpoint": "https://example.com/oauth2/authorize",
            "token_endpoint": "https://example.com/oauth2/token",
            "end_session_endpoint": "https://example.com/logout",
            "id_token_signing_alg_values_supported": ["RS256"],
            "jwks_uri": "https://example.com/.well-known/jwks.json",
            "response_types_supported": ["code", "token"],
            "revocation_endpoint": "https://example.com/oauth2/revoke",
            "scopes_supported": ["openid", "read", "write"],
            "subject_types_supported": ["public"],
            "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
            "userinfo_endpoint": "https://example.com/oauth2/userInfo",
        }
    )


def test_oauth_with_jarm():
    """Should not throw when parsing OAuth metadata that includes JARM response modes."""
    OAuthMetadata.model_validate(
        {
            "issuer": "https://example.com",
            "authorization_endpoint": "https://example.com/oauth2/authorize",
            "token_endpoint": "https://example.com/oauth2/token",
            "scopes_supported": ["read", "write"],
            "response_types_supported": ["code", "token"],
            "response_modes_supported": [
                "query",
                "fragment",
                "form_post",
                "query.jwt",
                "fragment.jwt",
                "form_post.jwt",
                "jwt",
            ],
            "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
        }
    )