modelcontextprotocol
diff --git a/‎.gitattributes‎
Lines changed: 3 additions & 0 deletions b/‎.gitattributes‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎.github/dependabot.yml‎
Lines changed: 16 additions & 0 deletions b/‎.github/dependabot.yml‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎.prettierrc.json‎
Lines changed: 1 addition & 0 deletions b/‎.prettierrc.json‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎examples/clients/typescript/auth-test-bad-prm.ts‎
Lines changed: 4 additions & 4 deletions b/‎examples/clients/typescript/auth-test-bad-prm.ts‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎examples/clients/typescript/auth-test-ignore-403.ts‎
Lines changed: 4 additions & 4 deletions b/‎examples/clients/typescript/auth-test-ignore-403.ts‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎examples/clients/typescript/auth-test-ignore-scope.ts‎
Lines changed: 4 additions & 4 deletions b/‎examples/clients/typescript/auth-test-ignore-scope.ts‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎examples/clients/typescript/auth-test-no-cimd.ts‎
Lines changed: 51 additions & 0 deletions b/‎examples/clients/typescript/auth-test-no-cimd.ts‎
Lines changed: 51 additions & 0 deletions
diff --git a/‎examples/clients/typescript/auth-test-no-retry-limit.ts‎
Lines changed: 113 additions & 0 deletions b/‎examples/clients/typescript/auth-test-no-retry-limit.ts‎
Lines changed: 113 additions & 0 deletions
diff --git a/‎examples/clients/typescript/auth-test-partial-scopes.ts‎
Lines changed: 4 additions & 4 deletions b/‎examples/clients/typescript/auth-test-partial-scopes.ts‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎examples/clients/typescript/auth-test.ts‎
Lines changed: 14 additions & 4 deletions b/‎examples/clients/typescript/auth-test.ts‎
Lines changed: 14 additions & 4 deletions
@@ -0,0 +1,3 @@
+# Enforce LF line endings for all text files
+* text=auto eol=lf
+
@@ -0,0 +1,16 @@
+version: 2
+
+updates:
+  - package-ecosystem: npm
+    directory: /
+    schedule:
+      interval: weekly
+    cooldown:
+      default-days: 7
+
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+    cooldown:
+      default-days: 7
@@ -1,4 +1,5 @@
 {
+  "endOfLine": "lf",
   "singleQuote": true,
   "trailingComma": "none",
   "overrides": [
 
@@ -7,10 +7,10 @@ import {
   UnauthorizedError
 } from '@modelcontextprotocol/sdk/client/auth.js';
 import type { FetchLike } from '@modelcontextprotocol/sdk/shared/transport.js';
-import { withOAuthRetry } from './helpers/withOAuthRetry.js';
-import { ConformanceOAuthProvider } from './helpers/ConformanceOAuthProvider.js';
-import { runAsCli } from './helpers/cliRunner.js';
-import { logger } from './helpers/logger.js';
+import { withOAuthRetry } from './helpers/withOAuthRetry';
+import { ConformanceOAuthProvider } from './helpers/ConformanceOAuthProvider';
+import { runAsCli } from './helpers/cliRunner';
+import { logger } from './helpers/logger';
 
 /**
  * Broken client that always uses root-based PRM discovery.
 
@@ -8,10 +8,10 @@ import {
   UnauthorizedError
 } from '@modelcontextprotocol/sdk/client/auth.js';
 import type { FetchLike } from '@modelcontextprotocol/sdk/shared/transport.js';
-import { withOAuthRetry } from './helpers/withOAuthRetry.js';
-import { ConformanceOAuthProvider } from './helpers/ConformanceOAuthProvider.js';
-import { runAsCli } from './helpers/cliRunner.js';
-import { logger } from './helpers/logger.js';
+import { withOAuthRetry } from './helpers/withOAuthRetry';
+import { ConformanceOAuthProvider } from './helpers/ConformanceOAuthProvider';
+import { runAsCli } from './helpers/cliRunner';
+import { logger } from './helpers/logger';
 
 /**
  * Broken client that only responds to 401, not 403.
 
@@ -8,10 +8,10 @@ import {
   UnauthorizedError
 } from '@modelcontextprotocol/sdk/client/auth.js';
 import type { FetchLike } from '@modelcontextprotocol/sdk/shared/transport.js';
-import { withOAuthRetry } from './helpers/withOAuthRetry.js';
-import { ConformanceOAuthProvider } from './helpers/ConformanceOAuthProvider.js';
-import { runAsCli } from './helpers/cliRunner.js';
-import { logger } from './helpers/logger.js';
+import { withOAuthRetry } from './helpers/withOAuthRetry';
+import { ConformanceOAuthProvider } from './helpers/ConformanceOAuthProvider';
+import { runAsCli } from './helpers/cliRunner';
+import { logger } from './helpers/logger';
 
 /**
  * Broken client that ignores the scope from WWW-Authenticate header.
 
@@ -0,0 +1,51 @@
+#!/usr/bin/env node
+
+import { Client } from '@modelcontextprotocol/sdk/client/index.js';
+import { StreamableHTTPClientTransport } from '@modelcontextprotocol/sdk/client/streamableHttp.js';
+import { withOAuthRetry } from './helpers/withOAuthRetry';
+import { runAsCli } from './helpers/cliRunner';
+import { logger } from './helpers/logger';
+
+/**
+ * Non-compliant client that doesn't use CIMD (Client ID Metadata Document).
+ *
+ * This client intentionally omits the clientMetadataUrl parameter when the server
+ * advertises client_id_metadata_document_supported=true. A compliant client should
+ * use CIMD when the server supports it, but this client falls back to DCR (Dynamic
+ * Client Registration) instead.
+ *
+ * Used to test that conformance checks detect clients that don't properly
+ * implement CIMD support.
+ */
+export async function runClient(serverUrl: string): Promise<void> {
+  const client = new Client(
+    { name: 'test-auth-client-no-cimd', version: '1.0.0' },
+    { capabilities: {} }
+  );
+
+  // Non-compliant: omitting clientMetadataUrl causes fallback to DCR
+  // A compliant client would pass a clientMetadataUrl here when the server
+  // advertises client_id_metadata_document_supported=true
+  const oauthFetch = withOAuthRetry(
+    'test-auth-client-no-cimd',
+    new URL(serverUrl)
+  )(fetch);
+
+  const transport = new StreamableHTTPClientTransport(new URL(serverUrl), {
+    fetch: oauthFetch
+  });
+
+  await client.connect(transport);
+  logger.debug('Connected to MCP server (without CIMD)');
+
+  await client.listTools();
+  logger.debug('Successfully listed tools');
+
+  await client.callTool({ name: 'test-tool', arguments: {} });
+  logger.debug('Successfully called tool');
+
+  await transport.close();
+  logger.debug('Connection closed successfully');
+}
+
+runAsCli(runClient, import.meta.url, 'auth-test-no-cimd <server-url>');
@@ -0,0 +1,113 @@
+#!/usr/bin/env node
+
+import { Client } from '@modelcontextprotocol/sdk/client/index.js';
+import { StreamableHTTPClientTransport } from '@modelcontextprotocol/sdk/client/streamableHttp.js';
+import {
+  auth,
+  extractWWWAuthenticateParams,
+  UnauthorizedError
+} from '@modelcontextprotocol/sdk/client/auth.js';
+import type { FetchLike } from '@modelcontextprotocol/sdk/shared/transport.js';
+import type { Middleware } from '@modelcontextprotocol/sdk/client/middleware.js';
+import { ConformanceOAuthProvider } from './helpers/ConformanceOAuthProvider';
+import { runAsCli } from './helpers/cliRunner';
+import { logger } from './helpers/logger';
+
+/**
+ * Broken client that retries auth infinitely without any retry limit.
+ * BUG: Does not implement retry limits, causing infinite auth loops.
+ */
+
+const withOAuthRetryNoLimit = (
+  clientName: string,
+  baseUrl?: string | URL
+): Middleware => {
+  const provider = new ConformanceOAuthProvider(
+    'http://localhost:3000/callback',
+    {
+      client_name: clientName,
+      redirect_uris: ['http://localhost:3000/callback']
+    }
+  );
+
+  return (next: FetchLike) => {
+    return async (
+      input: string | URL,
+      init?: RequestInit
+    ): Promise<Response> => {
+      const makeRequest = async (): Promise<Response> => {
+        const headers = new Headers(init?.headers);
+        const tokens = await provider.tokens();
+        if (tokens) {
+          headers.set('Authorization', `Bearer ${tokens.access_token}`);
+        }
+        return await next(input, { ...init, headers });
+      };
+
+      let response = await makeRequest();
+
+      // BUG: No retry limit - keeps retrying on every 401/403
+      while (response.status === 401 || response.status === 403) {
+        const serverUrl =
+          baseUrl ||
+          (typeof input === 'string' ? new URL(input).origin : input.origin);
+
+        const { resourceMetadataUrl, scope } =
+          extractWWWAuthenticateParams(response);
+        let result = await auth(provider, {
+          serverUrl,
+          resourceMetadataUrl,
+          scope,
+          fetchFn: next
+        });
+
+        if (result === 'REDIRECT') {
+          const authorizationCode = await provider.getAuthCode();
+          result = await auth(provider, {
+            serverUrl,
+            resourceMetadataUrl,
+            scope,
+            authorizationCode,
+            fetchFn: next
+          });
+          if (result !== 'AUTHORIZED') {
+            throw new UnauthorizedError(
+              `Authentication failed with result: ${result}`
+            );
+          }
+        }
+
+        response = await makeRequest();
+      }
+
+      return response;
+    };
+  };
+};
+
+export async function runClient(serverUrl: string): Promise<void> {
+  const client = new Client(
+    { name: 'test-auth-client-no-retry-limit', version: '1.0.0' },
+    { capabilities: {} }
+  );
+
+  const oauthFetch = withOAuthRetryNoLimit(
+    'test-auth-client-no-retry-limit',
+    new URL(serverUrl)
+  )(fetch);
+
+  const transport = new StreamableHTTPClientTransport(new URL(serverUrl), {
+    fetch: oauthFetch
+  });
+
+  await client.connect(transport);
+  logger.debug('✅ Successfully connected to MCP server');
+
+  await client.listTools();
+  logger.debug('✅ Successfully listed tools');
+
+  await transport.close();
+  logger.debug('✅ Connection closed successfully');
+}
+
+runAsCli(runClient, import.meta.url, 'auth-test-no-retry-limit <server-url>');
@@ -8,10 +8,10 @@ import {
   UnauthorizedError
 } from '@modelcontextprotocol/sdk/client/auth.js';
 import type { FetchLike } from '@modelcontextprotocol/sdk/shared/transport.js';
-import { withOAuthRetry } from './helpers/withOAuthRetry.js';
-import { ConformanceOAuthProvider } from './helpers/ConformanceOAuthProvider.js';
-import { runAsCli } from './helpers/cliRunner.js';
-import { logger } from './helpers/logger.js';
+import { withOAuthRetry } from './helpers/withOAuthRetry';
+import { ConformanceOAuthProvider } from './helpers/ConformanceOAuthProvider';
+import { runAsCli } from './helpers/cliRunner';
+import { logger } from './helpers/logger';
 
 /**
  * Broken client that only requests a subset of scopes.
 
@@ -2,9 +2,17 @@
 
 import { Client } from '@modelcontextprotocol/sdk/client/index.js';
 import { StreamableHTTPClientTransport } from '@modelcontextprotocol/sdk/client/streamableHttp.js';
-import { withOAuthRetry } from './helpers/withOAuthRetry.js';
-import { runAsCli } from './helpers/cliRunner.js';
-import { logger } from './helpers/logger.js';
+import { withOAuthRetry, handle401 } from './helpers/withOAuthRetry';
+import { runAsCli } from './helpers/cliRunner';
+import { logger } from './helpers/logger';
+
+/**
+ * Fixed client metadata URL for CIMD conformance tests.
+ * When server supports client_id_metadata_document_supported, this URL
+ * will be used as the client_id instead of doing dynamic registration.
+ */
+const CIMD_CLIENT_METADATA_URL =
+  'https://conformance-test.local/client-metadata.json';
 
 /**
  * Well-behaved auth client that follows all OAuth protocols correctly.
@@ -17,7 +25,9 @@ export async function runClient(serverUrl: string): Promise<void> {
 
   const oauthFetch = withOAuthRetry(
     'test-auth-client',
-    new URL(serverUrl)
+    new URL(serverUrl),
+    handle401,
+    CIMD_CLIENT_METADATA_URL
   )(fetch);
 
   const transport = new StreamableHTTPClientTransport(new URL(serverUrl), {
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+# Enforce LF line endings for all text files`
	`2`	`+* text=auto eol=lf`
	`3`	`+`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,5 @@`
`1`	`1`	`{`
	`2`	`+ "endOfLine": "lf",`
`2`	`3`	`"singleQuote": true,`
`3`	`4`	`"trailingComma": "none",`
`4`	`5`	`"overrides": [`