fix: respect token_endpoint_auth_method=none when client_secret exists #1846
+72
−3
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
When token_endpoint_auth_method is set to "none", the ClientAuthenticator should not require a client_secret on the request, even if a client_secret is stored for that client. This can happen if a client was previously registered with a secret but later changed to public authentication. The fix adds a check for token_endpoint_auth_method != "none" before validating the client_secret requirement. Fixes modelcontextprotocol#1842 Github-Issue: modelcontextprotocol#1842 Reported-by: aiwebb
There was a problem hiding this comment.
Pull request overview
This PR fixes a bug in client authentication where token_endpoint_auth_method="none" was not properly honored when a client had a stored client_secret. The fix ensures that clients using the "none" authentication method can successfully authenticate without providing credentials, regardless of whether they have a secret stored.
- Modified authentication logic to respect
token_endpoint_auth_method="none"even whenclient_secretexists in storage - Added integration test to verify the fix for the edge case scenario
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
src/mcp/server/auth/middleware/client_auth.py |
Added condition to skip client secret validation when token_endpoint_auth_method="none" |
tests/server/fastmcp/auth/test_auth_integration.py |
Added integration test verifying that "none" auth method works even with a stored client secret |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Fix
ClientAuthenticatorto properly honortoken_endpoint_auth_method="none"even when aclient_secretis stored for the client.Problem
When a client has
token_endpoint_auth_method="none"but also has aclient_secretstored (e.g., from a previous configuration or edge case), the authenticator incorrectly raises "Client secret is required" error.The logic was:
token_endpoint_auth_method="none"→ skip extracting credentials from request ✓client.client_secretexists → raise error if no credentials provided ✗If
token_endpoint_auth_method="none"is set, it should never check for aclient_secreton the request.Solution
Add a check for
token_endpoint_auth_method != "none"before validating the client_secret requirement: