add cimd test and negative test

Author: pcarleton

examples/clients/typescript/auth-test.ts

@@ -2,10 +2,18 @@
 
 import { Client } from '@modelcontextprotocol/sdk/client/index.js';
 import { StreamableHTTPClientTransport } from '@modelcontextprotocol/sdk/client/streamableHttp.js';
-import { withOAuthRetry } from './helpers/withOAuthRetry.js';
+import { withOAuthRetry, handle401 } from './helpers/withOAuthRetry.js';
 import { runAsCli } from './helpers/cliRunner.js';
 import { logger } from './helpers/logger.js';
 
+/**
+ * Fixed client metadata URL for CIMD conformance tests.
+ * When server supports client_id_metadata_document_supported, this URL
+ * will be used as the client_id instead of doing dynamic registration.
+ */
+const CIMD_CLIENT_METADATA_URL =
+  'https://conformance-test.local/client-metadata.json';
+
 /**
  * Well-behaved auth client that follows all OAuth protocols correctly.
  */
@@ -17,7 +25,9 @@ export async function runClient(serverUrl: string): Promise<void> {
 
   const oauthFetch = withOAuthRetry(
     'test-auth-client',
-    new URL(serverUrl)
+    new URL(serverUrl),
+    handle401,
+    CIMD_CLIENT_METADATA_URL
   )(fetch);
 
   const transport = new StreamableHTTPClientTransport(new URL(serverUrl), {

examples/clients/typescript/helpers/ConformanceOAuthProvider.ts

@@ -27,13 +27,11 @@ export class ConformanceOAuthProvider implements OAuthClientProvider {
     return this._clientMetadata;
   }
 
+  get clientMetadataUrl(): string | undefined {
+    return this._clientMetadataUrl?.toString();
+  }
+
   clientInformation(): OAuthClientInformation | undefined {
-    if (this._clientMetadataUrl) {
-      console.log('Using client ID metadata URL');
-      return {
-        client_id: this._clientMetadataUrl.toString()
-      };
-    }
     return this._clientInformation;
   }
 

examples/clients/typescript/helpers/withOAuthRetry.ts

@@ -60,14 +60,16 @@ export const handle401 = async (
 export const withOAuthRetry = (
   clientName: string,
   baseUrl?: string | URL,
-  handle401Fn: typeof handle401 = handle401
+  handle401Fn: typeof handle401 = handle401,
+  clientMetadataUrl?: string
 ): Middleware => {
   const provider = new ConformanceOAuthProvider(
     'http://localhost:3000/callback',
     {
       client_name: clientName,
       redirect_uris: ['http://localhost:3000/callback']
-    }
+    },
+    clientMetadataUrl
   );
   return (next: FetchLike) => {
     return async (

src/scenarios/client/auth/helpers/createAuthServer.ts

@@ -10,13 +10,15 @@ export interface AuthServerOptions {
   loggingEnabled?: boolean;
   routePrefix?: string;
   scopesSupported?: string[];
+  clientIdMetadataDocumentSupported?: boolean;
   tokenVerifier?: MockTokenVerifier;
   onTokenRequest?: (requestData: {
     scope?: string;
     grantType: string;
     timestamp: string;
   }) => { token: string; scopes: string[] };
   onAuthorizationRequest?: (requestData: {
+    clientId?: string;
     scope?: string;
     timestamp: string;
   }) => void;
@@ -33,6 +35,7 @@ export function createAuthServer(
     loggingEnabled = true,
     routePrefix = '',
     scopesSupported,
+    clientIdMetadataDocumentSupported,
     tokenVerifier,
     onTokenRequest,
     onAuthorizationRequest
@@ -93,6 +96,12 @@ export function createAuthServer(
       metadata.scopes_supported = scopesSupported;
     }
 
+    // Add client_id_metadata_document_supported if provided
+    if (clientIdMetadataDocumentSupported !== undefined) {
+      metadata.client_id_metadata_document_supported =
+        clientIdMetadataDocumentSupported;
+    }
+
     // Add OpenID Configuration specific fields
     if (isOpenIdConfiguration) {
       metadata.jwks_uri = `${getAuthBaseUrl()}/.well-known/jwks.json`;
@@ -123,6 +132,7 @@ export function createAuthServer(
 
     if (onAuthorizationRequest) {
       onAuthorizationRequest({
+        clientId: req.query.client_id as string | undefined,
         scope: scopeParam,
         timestamp
       });

src/scenarios/client/auth/index.test.ts

@@ -5,6 +5,7 @@ import {
 } from './test_helpers/testClient.js';
 import { runClient as goodClient } from '../../../../examples/clients/typescript/auth-test.js';
 import { runClient as badPrmClient } from '../../../../examples/clients/typescript/auth-test-bad-prm.js';
+import { runClient as noCimdClient } from '../../../../examples/clients/typescript/auth-test-no-cimd.js';
 import { runClient as ignoreScopeClient } from '../../../../examples/clients/typescript/auth-test-ignore-scope.js';
 import { runClient as partialScopesClient } from '../../../../examples/clients/typescript/auth-test-partial-scopes.js';
 import { runClient as ignore403Client } from '../../../../examples/clients/typescript/auth-test-ignore-403.js';
@@ -76,4 +77,11 @@ describe('Negative tests', () => {
       'scope-step-up-escalation'
     ]);
   });
+
+  test('client uses DCR instead of CIMD when server supports it', async () => {
+    const runner = new InlineClientRunner(noCimdClient);
+    await runClientAgainstScenario(runner, 'auth/basic-cimd', [
+      'cimd-client-id-used'
+    ]);
+  });
 });

src/scenarios/client/auth/index.ts

@@ -1,5 +1,6 @@
 import { Scenario } from '../../../types';
 import { AuthBasicDCRScenario } from './basic-dcr.js';
+import { AuthBasicCIMDScenario } from './basic-cimd.js';
 import {
   AuthBasicMetadataVar1Scenario,
   AuthBasicMetadataVar2Scenario,
@@ -18,6 +19,7 @@ import {
 
 export const authScenariosList: Scenario[] = [
   new AuthBasicDCRScenario(),
+  new AuthBasicCIMDScenario(),
   new AuthBasicMetadataVar1Scenario(),
   new AuthBasicMetadataVar2Scenario(),
   new AuthBasicMetadataVar3Scenario(),

src/scenarios/client/auth/spec-references.ts

@@ -52,5 +52,13 @@ export const SpecReferences: { [key: string]: SpecReference } = {
   MCP_AUTH_ERROR_HANDLING: {
     id: 'MCP-Auth-error-handling',
     url: 'https://modelcontextprotocol.io/specification/draft/basic/authorization#error-handling'
+  },
+  MCP_CLIENT_ID_METADATA_DOCUMENTS: {
+    id: 'MCP-Client-ID-Metadata-Documents',
+    url: 'https://modelcontextprotocol.io/specification/draft/basic/authorization#client-id-metadata-documents'
+  },
+  IETF_CIMD: {
+    id: 'IETF-OAuth-Client-ID-Metadata-Document',
+    url: 'https://datatracker.ietf.org/doc/html/draft-ietf-oauth-client-id-metadata-document-00'
   }
 };