Include client_id in client_credentials token request body#2213
Open
rameshreddy-adutla wants to merge 1 commit into modelcontextprotocol:main from
Conversation
ClientCredentialsOAuthProvider._exchange_token_client_credentials() was missing client_id in the token_data dict. Per RFC 6749 Section 2.3.1, when using client_secret_post authentication, both client_id and client_secret must be in the request body. The prepare_token_auth() method only adds client_secret, so client_id was never sent. This caused authentication failures when using client_secret_post with OAuth providers that require client_id in the body.

Fixes modelcontextprotocol#2128

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Summary
Include client_id in the token request body for ClientCredentialsOAuthProvider.

Problem
ClientCredentialsOAuthProvider._exchange_token_client_credentials() was missing client_id in the token_data dict. Per RFC 6749 §2.3.1, when using client_secret_post authentication, both client_id and client_secret must be in the request body.
The prepare_token_auth() method only adds client_secret for client_secret_post, so client_id was never sent — causing authentication failures with OAuth providers that require it.
Note: even for client_secret_basic, having client_id in the body is harmless per RFC 6749, and many providers expect it.

Fix
Add client_id from self._fixed_client_info to the initial token_data dict, consistent with how other token exchange methods in the SDK include it (lines 336, 389, 436 of oauth2.py).

Testing
All 13 existing tests pass. Added explicit client_id assertions to both test_exchange_token_client_credentials and test_exchange_token_without_scopes tests.

Fixes #2128
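The request shape the PR description argues about, as an added example that is not part of the PR or of the SDK's own code: a small model of a client_credentials token request for the two RFC 6749 §2.3.1 client authentication methods, plus the check a strict authorization server applies to it. The helper names (prepare_token_auth, build_token_request, check_token_request, decode_basic_credentials) are hypothetical stand-ins modelled on the behaviour the PR describes, not the SDK's functions; include_client_id=False reproduces the pre-fix body so the failure the PR fixes is visible, and the credentials and scope values are constructed sample input.

```python
import base64
from urllib.parse import parse_qsl, quote, unquote, urlencode


def prepare_token_auth(auth_method, client_id, client_secret, token_data, headers):
    """Attach client credentials per RFC 6749 section 2.3.1 (hypothetical helper).

    client_secret_basic: HTTP Basic header; id and secret are form-urlencoded
    before being joined with ':' and base64-encoded, as the RFC requires.
    client_secret_post: client_secret goes into the form body.  Like the
    behaviour the PR describes, this helper deliberately does NOT add client_id,
    so the caller must already have placed client_id into token_data.
    """
    if auth_method == "client_secret_basic":
        creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(creds.encode()).decode()
    elif auth_method == "client_secret_post":
        token_data["client_secret"] = client_secret
    elif auth_method != "none":
        raise ValueError(f"unsupported token_endpoint_auth_method: {auth_method}")


def build_token_request(client_id, client_secret, auth_method, scopes=None, include_client_id=True):
    """Return (headers, form_body) for a client_credentials grant (hypothetical).

    include_client_id=False models the pre-fix code path in which client_id was
    never written into token_data; True is the fixed behaviour.
    """
    token_data = {"grant_type": "client_credentials"}
    if include_client_id:
        token_data["client_id"] = client_id
    if scopes:
        token_data["scope"] = " ".join(scopes)
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    prepare_token_auth(auth_method, client_id, client_secret, token_data, headers)
    return headers, urlencode(token_data)


def decode_basic_credentials(authz_header):
    """Reverse the section 2.3.1 Basic encoding; return (client_id, client_secret) or None."""
    scheme, _, token = authz_header.partition(" ")
    if scheme != "Basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    enc_id, sep, enc_secret = raw.partition(":")
    if not sep:
        return None
    return unquote(enc_id), unquote(enc_secret)


def check_token_request(headers, body, auth_method):
    """Model a strict authorization server's validation; return a list of problems (empty = accepted)."""
    params = dict(parse_qsl(body, keep_blank_values=True))
    problems = []
    if params.get("grant_type") != "client_credentials":
        problems.append("grant_type must be client_credentials")
    authz = headers.get("Authorization", "")
    if auth_method == "client_secret_post":
        # Both identifier and secret must be in the body for this method.
        for field in ("client_id", "client_secret"):
            if field not in params:
                problems.append(f"{field} missing from request body (RFC 6749 2.3.1)")
    elif auth_method == "client_secret_basic":
        creds = decode_basic_credentials(authz)
        if creds is None:
            problems.append("Authorization: Basic header missing or malformed")
        # A client_id in the body is allowed, but it must agree with the header.
        elif "client_id" in params and params["client_id"] != creds[0]:
            problems.append("client_id in body does not match Authorization header")
    # Section 2.3.1: a client must not use more than one authentication method per request.
    if "client_secret" in params and authz:
        problems.append("credentials sent both in body and Authorization header")
    return problems


if __name__ == "__main__":
    # Pre-fix body for client_secret_post: only client_secret is present, so a
    # strict server rejects it; the fixed body passes.
    for include in (False, True):
        h, b = build_token_request("svc-client", "s3cr3t", "client_secret_post", ["read"], include)
        print(b, "->", check_token_request(h, b, "client_secret_post") or "accepted")
```

Running the block prints the pre-fix body (no client_id, rejected for exactly the reason in the PR) and the fixed body (accepted). The Basic branch shows why the body-level client_id is harmless with client_secret_basic: the server takes the identity from the header and only cross-checks the body value if one is present.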