chore: merge upstream main

nypdmax · nypdmax · commit cc3b55263f5f · 2026-02-09T20:22:17.000+08:00
diff --git a/.github/actions/conformance/client.py b/.github/actions/conformance/client.py
@@ -275,6 +275,27 @@ async def run_client_credentials_basic(server_url: str) -> None:
 async def run_auth_code_client(server_url: str) -> None:
     """Authorization code flow (default for auth/* scenarios)."""
     callback_handler = ConformanceOAuthCallbackHandler()
+    storage = InMemoryTokenStorage()
+
+    # Check for pre-registered client credentials from context
+    context_json = os.environ.get("MCP_CONFORMANCE_CONTEXT")
+    if context_json:
+        try:
+            context = json.loads(context_json)
+            client_id = context.get("client_id")
+            client_secret = context.get("client_secret")
+            if client_id:
+                await storage.set_client_info(
+                    OAuthClientInformationFull(
+                        client_id=client_id,
+                        client_secret=client_secret,
+                        redirect_uris=[AnyUrl("http://localhost:3000/callback")],
+                        token_endpoint_auth_method="client_secret_basic" if client_secret else "none",
+                    )
+                )
+                logger.debug(f"Pre-loaded client credentials: client_id={client_id}")
+        except json.JSONDecodeError:
+            logger.exception("Failed to parse MCP_CONFORMANCE_CONTEXT")
 
     oauth_auth = OAuthClientProvider(
         server_url=server_url,
@@ -284,7 +305,7 @@ async def run_auth_code_client(server_url: str) -> None:
             grant_types=["authorization_code", "refresh_token"],
             response_types=["code"],
         ),
-        storage=InMemoryTokenStorage(),
+        storage=storage,
         redirect_handler=callback_handler.handle_redirect,
         callback_handler=callback_handler.handle_callback,
         client_metadata_url="https://conformance-test.local/client-metadata.json",
diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml
@@ -42,4 +42,4 @@ jobs:
         with:
           node-version: 24
       - run: uv sync --frozen --all-extras --package mcp
-      - run: npx @modelcontextprotocol/conformance@0.1.10 client --command 'uv run --frozen python .github/actions/conformance/client.py' --suite all
+      - run: npx @modelcontextprotocol/conformance@0.1.13 client --command 'uv run --frozen python .github/actions/conformance/client.py' --suite all
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -29,6 +29,9 @@ This document contains critical information about working with this codebase. Fo
    - IMPORTANT: The `tests/client/test_client.py` is the most well designed test file. Follow its patterns.
    - IMPORTANT: Be minimal, and focus on E2E tests: Use the `mcp.client.Client` whenever possible.
 
+Test files mirror the source tree: `src/mcp/client/streamable_http.py` → `tests/client/test_streamable_http.py`
+Add tests to the existing file for that module.
+
 - For commits fixing bugs or adding features based on user reports add:
 
   ```bash
diff --git a/examples/clients/simple-auth-client/pyproject.toml b/examples/clients/simple-auth-client/pyproject.toml
@@ -4,7 +4,7 @@ version = "0.1.0"
 description = "A simple OAuth client for the MCP simple-auth server"
 readme = "README.md"
 requires-python = ">=3.10"
-authors = [{ name = "Anthropic" }]
+authors = [{ name = "Model Context Protocol a Series of LF Projects, LLC." }]
 keywords = ["mcp", "oauth", "client", "auth"]
 license = { text = "MIT" }
 classifiers = [
diff --git a/examples/clients/simple-chatbot/pyproject.toml b/examples/clients/simple-chatbot/pyproject.toml
@@ -4,7 +4,7 @@ version = "0.1.0"
 description = "A simple CLI chatbot using the Model Context Protocol (MCP)"
 readme = "README.md"
 requires-python = ">=3.10"
-authors = [{ name = "Edoardo Cilia" }]
+authors = [{ name = "Model Context Protocol a Series of LF Projects, LLC." }]
 keywords = ["mcp", "llm", "chatbot", "cli"]
 license = { text = "MIT" }
 classifiers = [
diff --git a/examples/clients/simple-task-client/pyproject.toml b/examples/clients/simple-task-client/pyproject.toml
@@ -4,7 +4,7 @@ version = "0.1.0"
 description = "A simple MCP client demonstrating task polling"
 readme = "README.md"
 requires-python = ">=3.10"
-authors = [{ name = "Anthropic, PBC." }]
+authors = [{ name = "Model Context Protocol a Series of LF Projects, LLC." }]
 keywords = ["mcp", "llm", "tasks", "client"]
 license = { text = "MIT" }
 classifiers = [
diff --git a/examples/clients/simple-task-interactive-client/pyproject.toml b/examples/clients/simple-task-interactive-client/pyproject.toml
@@ -4,7 +4,7 @@ version = "0.1.0"
 description = "A simple MCP client demonstrating interactive task responses"
 readme = "README.md"
 requires-python = ">=3.10"
-authors = [{ name = "Anthropic, PBC." }]
+authors = [{ name = "Model Context Protocol a Series of LF Projects, LLC." }]
 keywords = ["mcp", "llm", "tasks", "client", "elicitation", "sampling"]
 license = { text = "MIT" }
 classifiers = [
diff --git a/examples/clients/sse-polling-client/pyproject.toml b/examples/clients/sse-polling-client/pyproject.toml
@@ -4,7 +4,7 @@ version = "0.1.0"
 description = "Demo client for SSE polling with auto-reconnect"
 readme = "README.md"
 requires-python = ">=3.10"
-authors = [{ name = "Anthropic, PBC." }]
+authors = [{ name = "Model Context Protocol a Series of LF Projects, LLC." }]
 keywords = ["mcp", "sse", "polling", "client"]
 license = { text = "MIT" }
 dependencies = ["click>=8.2.0", "mcp"]
diff --git a/examples/servers/everything-server/pyproject.toml b/examples/servers/everything-server/pyproject.toml
@@ -4,7 +4,7 @@ version = "0.1.0"
 description = "Comprehensive MCP server implementing all protocol features for conformance testing"
 readme = "README.md"
 requires-python = ">=3.10"
-authors = [{ name = "Anthropic, PBC." }]
+authors = [{ name = "Model Context Protocol a Series of LF Projects, LLC." }]
 keywords = ["mcp", "llm", "automation", "conformance", "testing"]
 license = { text = "MIT" }
 dependencies = ["anyio>=4.5", "click>=8.2.0", "httpx>=0.27", "mcp", "starlette", "uvicorn"]
diff --git a/examples/servers/simple-auth/pyproject.toml b/examples/servers/simple-auth/pyproject.toml
@@ -4,7 +4,7 @@ version = "0.1.0"
 description = "A simple MCP server demonstrating OAuth authentication"
 readme = "README.md"
 requires-python = ">=3.10"
-authors = [{ name = "Anthropic, PBC." }]
+authors = [{ name = "Model Context Protocol a Series of LF Projects, LLC." }]
 license = { text = "MIT" }
 dependencies = [
     "anyio>=4.5",
diff --git a/examples/servers/simple-pagination/pyproject.toml b/examples/servers/simple-pagination/pyproject.toml
@@ -4,11 +4,7 @@ version = "0.1.0"
 description = "A simple MCP server demonstrating pagination for tools, resources, and prompts"
 readme = "README.md"
 requires-python = ">=3.10"
-authors = [{ name = "Anthropic, PBC." }]
-maintainers = [
-    { name = "David Soria Parra", email = "davidsp@anthropic.com" },
-    { name = "Justin Spahr-Summers", email = "justin@anthropic.com" },
-]
+authors = [{ name = "Model Context Protocol a Series of LF Projects, LLC." }]
 keywords = ["mcp", "llm", "automation", "pagination", "cursor"]
 license = { text = "MIT" }
 classifiers = [
diff --git a/examples/servers/simple-prompt/pyproject.toml b/examples/servers/simple-prompt/pyproject.toml
@@ -4,11 +4,7 @@ version = "0.1.0"
 description = "A simple MCP server exposing a customizable prompt"
 readme = "README.md"
 requires-python = ">=3.10"
-authors = [{ name = "Anthropic, PBC." }]
-maintainers = [
-    { name = "David Soria Parra", email = "davidsp@anthropic.com" },
-    { name = "Justin Spahr-Summers", email = "justin@anthropic.com" },
-]
+authors = [{ name = "Model Context Protocol a Series of LF Projects, LLC." }]
 keywords = ["mcp", "llm", "automation", "web", "fetch"]
 license = { text = "MIT" }
 classifiers = [
diff --git a/examples/servers/simple-resource/pyproject.toml b/examples/servers/simple-resource/pyproject.toml
@@ -4,11 +4,7 @@ version = "0.1.0"
 description = "A simple MCP server exposing sample text resources"
 readme = "README.md"
 requires-python = ">=3.10"
-authors = [{ name = "Anthropic, PBC." }]
-maintainers = [
-    { name = "David Soria Parra", email = "davidsp@anthropic.com" },
-    { name = "Justin Spahr-Summers", email = "justin@anthropic.com" },
-]
+authors = [{ name = "Model Context Protocol a Series of LF Projects, LLC." }]
 keywords = ["mcp", "llm", "automation", "web", "fetch"]
 license = { text = "MIT" }
 classifiers = [
diff --git a/examples/servers/simple-streamablehttp-stateless/pyproject.toml b/examples/servers/simple-streamablehttp-stateless/pyproject.toml
@@ -4,7 +4,7 @@ version = "0.1.0"
 description = "A simple MCP server exposing a StreamableHttp transport in stateless mode"
 readme = "README.md"
 requires-python = ">=3.10"
-authors = [{ name = "Anthropic, PBC." }]
+authors = [{ name = "Model Context Protocol a Series of LF Projects, LLC." }]
 keywords = ["mcp", "llm", "automation", "web", "fetch", "http", "streamable", "stateless"]
 license = { text = "MIT" }
 dependencies = ["anyio>=4.5", "click>=8.2.0", "httpx>=0.27", "mcp", "starlette", "uvicorn"]
diff --git a/examples/servers/simple-streamablehttp/pyproject.toml b/examples/servers/simple-streamablehttp/pyproject.toml
@@ -4,7 +4,7 @@ version = "0.1.0"
 description = "A simple MCP server exposing a StreamableHttp transport for testing"
 readme = "README.md"
 requires-python = ">=3.10"
-authors = [{ name = "Anthropic, PBC." }]
+authors = [{ name = "Model Context Protocol a Series of LF Projects, LLC." }]
 keywords = ["mcp", "llm", "automation", "web", "fetch", "http", "streamable"]
 license = { text = "MIT" }
 dependencies = ["anyio>=4.5", "click>=8.2.0", "httpx>=0.27", "mcp", "starlette", "uvicorn"]
diff --git a/examples/servers/simple-task-interactive/pyproject.toml b/examples/servers/simple-task-interactive/pyproject.toml
@@ -4,7 +4,7 @@ version = "0.1.0"
 description = "A simple MCP server demonstrating interactive tasks (elicitation & sampling)"
 readme = "README.md"
 requires-python = ">=3.10"
-authors = [{ name = "Anthropic, PBC." }]
+authors = [{ name = "Model Context Protocol a Series of LF Projects, LLC." }]
 keywords = ["mcp", "llm", "tasks", "elicitation", "sampling"]
 license = { text = "MIT" }
 classifiers = [
diff --git a/examples/servers/simple-task/pyproject.toml b/examples/servers/simple-task/pyproject.toml
@@ -4,7 +4,7 @@ version = "0.1.0"
 description = "A simple MCP server demonstrating tasks"
 readme = "README.md"
 requires-python = ">=3.10"
-authors = [{ name = "Anthropic, PBC." }]
+authors = [{ name = "Model Context Protocol a Series of LF Projects, LLC." }]
 keywords = ["mcp", "llm", "tasks"]
 license = { text = "MIT" }
 classifiers = [
diff --git a/examples/servers/simple-tool/pyproject.toml b/examples/servers/simple-tool/pyproject.toml
@@ -4,11 +4,7 @@ version = "0.1.0"
 description = "A simple MCP server exposing a website fetching tool"
 readme = "README.md"
 requires-python = ">=3.10"
-authors = [{ name = "Anthropic, PBC." }]
-maintainers = [
-    { name = "David Soria Parra", email = "davidsp@anthropic.com" },
-    { name = "Justin Spahr-Summers", email = "justin@anthropic.com" },
-]
+authors = [{ name = "Model Context Protocol a Series of LF Projects, LLC." }]
 keywords = ["mcp", "llm", "automation", "web", "fetch"]
 license = { text = "MIT" }
 classifiers = [
diff --git a/examples/servers/sse-polling-demo/pyproject.toml b/examples/servers/sse-polling-demo/pyproject.toml
@@ -4,7 +4,7 @@ version = "0.1.0"
 description = "Demo server showing SSE polling with close_sse_stream for long-running tasks"
 readme = "README.md"
 requires-python = ">=3.10"
-authors = [{ name = "Anthropic, PBC." }]
+authors = [{ name = "Model Context Protocol a Series of LF Projects, LLC." }]
 keywords = ["mcp", "sse", "polling", "streamable", "http"]
 license = { text = "MIT" }
 dependencies = ["anyio>=4.5", "click>=8.2.0", "httpx>=0.27", "mcp", "starlette", "uvicorn"]
diff --git a/pyproject.toml b/pyproject.toml
@@ -4,10 +4,9 @@ dynamic = ["version"]
 description = "Model Context Protocol SDK"
 readme = "README.md"
 requires-python = ">=3.10"
-authors = [{ name = "Anthropic, PBC." }]
+authors = [{ name = "Model Context Protocol a Series of LF Projects, LLC." }]
 maintainers = [
     { name = "David Soria Parra", email = "davidsp@anthropic.com" },
-    { name = "Justin Spahr-Summers", email = "justin@anthropic.com" },
     { name = "Marcelo Trylesinski", email = "marcelotryle@gmail.com" },
     { name = "Max Isbey", email = "maxisbey@anthropic.com" },
     { name = "Felix Weinberger", email = "fweinberger@anthropic.com" }
diff --git a/src/mcp/client/auth/_oauth_401_flow.py b/src/mcp/client/auth/_oauth_401_flow.py
@@ -37,6 +37,8 @@ class _OAuth401FlowProvider(Protocol):
     @property
     def context(self) -> Any: ...  # pragma: lax no cover
 
+    async def _validate_resource_match(self, prm: "ProtectedResourceMetadata") -> None: ...  # pragma: lax no cover
+
     async def _perform_authorization(self) -> httpx.Request: ...  # pragma: lax no cover
 
     async def _handle_token_response(self, response: httpx.Response) -> None: ...  # pragma: lax no cover
@@ -68,6 +70,7 @@ async def oauth_401_flow_generator(
     ctx = provider.context
 
     if initial_prm is not None:
+        await provider._validate_resource_match(initial_prm)  # type: ignore[reportPrivateUsage]
         ctx.protected_resource_metadata = initial_prm
         if initial_prm.authorization_servers:
             ctx.auth_server_url = str(initial_prm.authorization_servers[0])
@@ -84,6 +87,7 @@ async def oauth_401_flow_generator(
 
             prm = await handle_protected_resource_response(discovery_response)
             if prm:
+                await provider._validate_resource_match(prm)  # type: ignore[reportPrivateUsage]
                 ctx.protected_resource_metadata = prm
                 assert len(prm.authorization_servers) > 0
                 ctx.auth_server_url = str(prm.authorization_servers[0])
diff --git a/src/mcp/client/auth/oauth2.py b/src/mcp/client/auth/oauth2.py
@@ -229,6 +229,7 @@ def __init__(
         timeout: float = 300.0,
         client_metadata_url: str | None = None,
         fixed_client_info: OAuthClientInformationFull | None = None,
+        validate_resource_url: Callable[[str, str | None], Awaitable[None]] | None = None,
     ):
         """Initialize OAuth2 authentication.
 
@@ -243,6 +244,12 @@ def __init__(
                 advertises client_id_metadata_document_supported=true, this URL will be
                 used as the client_id instead of performing dynamic client registration.
                 Must be a valid HTTPS URL with a non-root pathname.
+            fixed_client_info: If provided, use these client credentials (client_id/client_secret) instead of dynamic
+                client registration or URL-based client ID. Required for client_credentials flow.
+            validate_resource_url: Optional callback to override resource URL validation.
+                Called with (server_url, prm_resource) where prm_resource is the resource
+                from Protected Resource Metadata (or None if not present). If not provided,
+                default validation rejects mismatched resources per RFC 8707.
 
         Raises:
             ValueError: If client_metadata_url is provided but not a valid HTTPS URL
@@ -264,6 +271,7 @@ def __init__(
             client_metadata_url=client_metadata_url,
         )
         self._fixed_client_info = fixed_client_info
+        self._validate_resource_url_callback = validate_resource_url
         if fixed_client_info is not None:
             # In multi-protocol OAuth flow, we may drive oauth_401_flow_generator directly
             # without calling _initialize(); ensure client_info is available upfront.
@@ -510,6 +518,7 @@ async def run_authentication(
         """
         self.context.protocol_version = protocol_version
         if protected_resource_metadata is not None:
+            await self._validate_resource_match(protected_resource_metadata)
             self.context.protected_resource_metadata = protected_resource_metadata
             if protected_resource_metadata.authorization_servers:
                 self.context.auth_server_url = str(protected_resource_metadata.authorization_servers[0])
@@ -524,6 +533,7 @@ async def run_authentication(
                     discovery_response = await http_client.send(discovery_request)
                     prm = await handle_protected_resource_response(discovery_response)
                     if prm:
+                        await self._validate_resource_match(prm)
                         self.context.protected_resource_metadata = prm
                         if prm.authorization_servers:
                             self.context.auth_server_url = str(prm.authorization_servers[0])
@@ -597,6 +607,26 @@ async def _handle_oauth_metadata_response(self, response: httpx.Response) -> Non
         metadata = OAuthMetadata.model_validate_json(content)
         self.context.oauth_metadata = metadata
 
+    async def _validate_resource_match(self, prm: ProtectedResourceMetadata) -> None:
+        """Validate that PRM resource matches the server URL per RFC 8707."""
+        prm_resource = str(prm.resource) if prm.resource else None
+
+        if self._validate_resource_url_callback is not None:
+            await self._validate_resource_url_callback(self.context.server_url, prm_resource)
+            return
+
+        if not prm_resource:
+            return  # pragma: no cover
+        default_resource = resource_url_from_server_url(self.context.server_url)
+        # Normalize: Pydantic AnyHttpUrl adds trailing slash to root URLs
+        # (e.g. "https://example.com/") while resource_url_from_server_url may not.
+        if not default_resource.endswith("/"):
+            default_resource += "/"
+        if not prm_resource.endswith("/"):
+            prm_resource += "/"
+        if not check_resource_allowed(requested_resource=default_resource, configured_resource=prm_resource):
+            raise OAuthFlowError(f"Protected resource {prm_resource} does not match expected {default_resource}")
+
     async def async_auth_flow(self, request: httpx.Request) -> AsyncGenerator[httpx.Request, httpx.Response]:
         """HTTPX auth flow integration."""
         async with self.context.lock:
diff --git a/src/mcp/client/streamable_http.py b/src/mcp/client/streamable_http.py
diff --git a/src/mcp/types/jsonrpc.py b/src/mcp/types/jsonrpc.py
diff --git a/tests/client/test_auth.py b/tests/client/test_auth.py
diff --git a/tests/client/test_notification_response.py b/tests/client/test_notification_response.py
diff --git a/uv.lock b/uv.lock
