docs/authorization-multiprotocol.md
+12 -7 (12 additions & 7 deletions)
@@ -58,7 +58,7 @@ Discovery answers: *Which auth protocols does this resource support, and where i
58
58
- For the protocol list: if the PRM has `mcp_auth_protocols`, use it (priority 1). Otherwise try path-relative `/.well-known/authorization_servers{path}`, then root `/.well-known/authorization_servers`. If both fail and the PRM has `authorization_servers`, use OAuth fallback.
59
59
- Merge the protocol list with WWW-Authenticate `auth_protocols` if present, then select one via `AuthProtocolRegistry.select_protocol(available, default_protocol, preferences)`.
60
60
61
-
**Relationship between authorization URL endpoints**
61
+
#### Relationship between authorization URL endpoints
62
62
63
63
There are three distinct URL trees involved:
64
64
@@ -70,9 +70,9 @@ There are three distinct URL trees involved:
OAuth Authorization Server (http://localhost:9000)
77
77
├── /.well-known/oauth-authorization-server ← OAuth AS metadata
78
78
├── /authorize
@@ -87,7 +87,7 @@ MCP Resource Server (http://localhost:8002)
87
87
└── /mcp ← Protected MCP endpoint
88
88
```
89
89
90
-
**Client discovery order**
90
+
#### Client discovery order
91
91
92
92
1. On 401, read `resource_metadata` from WWW-Authenticate (e.g. `http://localhost:8002/.well-known/oauth-protected-resource/mcp`).
93
93
2. If absent, try the path-based URL: `{origin}/.well-known/oauth-protected-resource{resource_path}` (e.g. `http://localhost:8002/.well-known/oauth-protected-resource/mcp`).
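Review bot: Steps 1 and 2 under the new `#### Client discovery order` heading give the same example URL (`http://localhost:8002/.well-known/oauth-protected-resource/mcp`), so the example does not show how a `resource_metadata` value taken from WWW-Authenticate differs from the path-based fallback. Since this is now a linkable section, consider using distinct examples and stating in step 1 whether the client checks that the `resource_metadata` URL belongs to the same origin as the resource before fetching it.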
@@ -184,9 +184,9 @@ The server exposes protected MCP endpoints and declares supported auth methods v
184
184
2.**Unified discovery** — `create_authorization_servers_discovery_routes(protocols, default_protocol, protocol_preferences)` registers `/.well-known/authorization_servers`. The handler returns `{ "protocols": [ AuthProtocolMetadata, ... ] }` plus optional default and preferences.
185
185
3.**401 responses** — Middleware (e.g. RequireAuthMiddleware) returns 401 with WWW-Authenticate including at least Bearer (and optionally `resource_metadata`, `auth_protocols`, `default_protocol`, `protocol_preferences`).
186
186
187
-
**Configuration and URL tree — requirements by server type**
187
+
#### Configuration and URL tree — requirements by server type
188
188
189
-
**Authorization Server (AS) — configuration requirements**
189
+
#### Authorization Server (AS) — configuration requirements
190
190
191
191
| Item | Description |
192
192
|------|-------------|
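Review bot: Lines 187 and 189 both become `####`, so the `Configuration and URL tree` heading and the `Authorization Server (AS)` heading render as siblings with nothing between them, although the first reads as the parent of the second and of the `MCP Resource Server (RS)` heading in the next hunk. Suggest demoting the AS and RS headings to `#####`, or adding a sentence under the parent heading so it is not an empty section.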
@@ -198,7 +198,7 @@ The server exposes protected MCP endpoints and declares supported auth methods v
198
198
199
199
No changes to the AS are required for multi-protocol itself; the AS need only support standard OAuth 2.0 and (optionally) DPoP-bound tokens.
200
200
201
-
**MCP Resource Server (RS) — configuration requirements**
201
+
#### MCP Resource Server (RS) — configuration requirements
202
202
203
203
| Item | Description |
204
204
|------|-------------|
@@ -355,13 +355,15 @@ If you use `OAuthClientProvider` or `simple-auth-client` and want to add multi-p
355
355
#### Step 2: Client — switch to MultiProtocolAuthProvider
356
356
357
357
**Before (OAuth only):**
358
+
358
359
```python
359
360
from mcp.client.auth.oauth2 import OAuthClientProvider
360
361
provider = OAuthClientProvider(...)
361
362
client = httpx.AsyncClient(auth=provider)
362
363
```
363
364
364
365
**After (multi-protocol):**
366
+
365
367
```python
366
368
from mcp.client.auth.multi_protocol import MultiProtocolAuthProvider, TokenStorage
367
369
from mcp.client.auth.registry import AuthProtocolRegistry
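Review bot: In the "Before (OAuth only)" block, `client = httpx.AsyncClient(auth=provider)` uses `httpx` while the snippet only imports `OAuthClientProvider`, so it raises a NameError if copied as shown. Since this hunk already touches the spacing around that block, add `import httpx` to it, and to the "After" block as well if that one also constructs an `httpx.AsyncClient`.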
tests/PHASE1_OAUTH2_REGRESSION_TEST_PLAN.md
+4 -1 (4 additions & 1 deletion)
@@ -47,7 +47,7 @@ Run existing tests to ensure no regressions. Phase 1 does not change call sites:
47
47
48
48
-**RequireAuthMiddleware**
49
49
- Instantiate with only `(app, required_scopes, resource_metadata_url)`.
50
-
- WWW-Authenticate must still start with `Bearer` and include `error`, `error_description`, and optionally `resource_metadata`; no requirement for `auth_protocols` / `default_protocol` / `protocol_preferences`.
50
+
- WWW-Authenticate must still start with `Bearer` and include `error`, `error_description`, and optionally `resource_metadata`; no requirement for `auth_protocols` / `default_protocol` / `protocol_preferences`.
51
51
- Existing tests in `tests/server/auth/middleware/test_bearer_auth.py` (e.g. `TestRequireAuthMiddleware`) must pass.
52
52
53
53
### 3.4 Commands
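Review bot: The RequireAuthMiddleware bullet on line 50 changes only in whitespace, and its wording "no requirement for `auth_protocols` / `default_protocol` / `protocol_preferences`" leaves open whether the regression check should tolerate those parameters when present or assert that they are absent for a middleware instantiated with only `(app, required_scopes, resource_metadata_url)`. State which of the two is expected so the test outcome is unambiguous.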
@@ -72,12 +72,14 @@ Manual (or script-assisted) run to confirm the full OAuth2 flow still works with
72
72
73
73
1.**Start Authorization Server (AS)**
74
74
From `examples/servers/simple-auth`:
75
+
75
76
```bash
76
77
uv run mcp-simple-auth-as --port=9000
77
78
```
78
79
79
80
2.**Start Resource Server (RS)**
80
81
In another terminal, from `examples/servers/simple-auth`:
82
+
81
83
```bash
82
84
uv run mcp-simple-auth-rs --port=8001 --auth-server=http://localhost:9000 --transport=streamable-http
83
85
```
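Review bot: The blank lines added at 75 and 82 sit between a numbered step's text and its fenced `bash` block; if the fence is not indented to the list item's content column, the blank line ends the list item and the following step numbers can restart at 1 in some renderers. Check the rich diff for steps 1 to 4 and indent the fences under their steps if the numbering breaks.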
@@ -90,6 +92,7 @@ Manual (or script-assisted) run to confirm the full OAuth2 flow still works with
90
92
91
93
4.**Run client**
92
94
From `examples/clients/simple-auth-client`:
95
+
93
96
```bash
94
97
MCP_SERVER_PORT=8001 MCP_TRANSPORT_TYPE=streamable-http uv run mcp-simple-auth-client