feat: add conformance tests for SEP-990

[sagar-okta]

Adds conformance tests for SEP-990 which introduces SSE polling via server-side disconnect.

Motivation and Context

How Has This Been Tested?

Tested with modelcontextprotocol/typescript-sdk#1328

Breaking Changes

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Documentation update

Checklist

• I have read the MCP Documentation
• My code follows the repository's style guidelines
• New and existing tests pass locally
• I have added appropriate error handling
• I have added or updated documentation as needed

Additional context

[pcarleton]

🙌 thanks for this! will aim to get you comments by tomorrow, but i'm very excited to have a test for this.

one thing missing from this tool currently is marking tests as optional. Current state is MUST = FAIL, SHOULD = WARNING, and for tiering we want SHOULD to be required (want the best SDK's to do the SHOULD's).

extensions are a new axis, where we want to say "this feature is optional, but within the test, the same MUST/SHOULD logic applies" which will apply here and to client credentials which is currently not differentiated.

I'm just noting the concept we need to add, not in the scope of this PR.

[pcarleton]

A few high level comments:

• The top of the PR description seems outdated / copy pasted? (the SSE polling bit)
• It looks like we're mixing AS and IdP endpoints, let's keep those separate w/ separate handlers
• let's stick to 1 end-to-end test to start w/ many checks. each test that spins up a server is a cost on CI for every SDK, so we want to keep the # low.
• I stuck with comments on the test since that's the most important part, but the example will also need some changes.
• if you could include a negative test (i.e. an example client that implements it incorrectly, and so it will fail the test), that'd be great.
• please add this to the "extensions" list of tests (may need to manage merge conflicts, this jostled a bit for the tiering kickoff)

[pcarleton]

i believe this should be client_secret_basic or private_key_jwt since ID-JAG is only supposed to work with confidential clients.

[pcarleton]

the IdP ID token should not have the auth server as its audience. it should be the "idp_client_id" which is distinct from the client id used to talk to the authorization server.

it's the id-jag that should have the authServer as its audience.

[pcarleton]

the auth server shouldn't bet getting a token-exchange request, that request should be going to the IdP.

[pcarleton]

This is the ID-JAG flow, so should be urn:ietf:params:oauth:token-type:id-jag

[pcarleton]

let's start with just 1 test for the full flow. each test adds integration cost, and these 2 are redundant with the full e2e test.

[pcarleton]

the auth server doesn't need to support token-exchange, I think you've combined the IdP and AS in this test.

[pcarleton]

the id_token should never be hitting the AS url, this function is called in the AS.

[pcarleton]

.setProtectedHeader({ alg: 'ES256', typ: 'oauth-id-jag+jwt' })

[pcarleton]

i don't think this field is respected. since this handler needs to be on the IdP anyway, it's probably better to implement a handler on the fake IdP directly rather than try to shoehorn into the createAuthServer interfaces

[pkg-pr-new]

Open in StackBlitz

npx https://pkg.pr.new/modelcontextprotocol/conformance/@modelcontextprotocol/conformance@110

commit: 972f874