Description
Summary
The MCP authorization spec has multiple PKCE requirements, but the conformance test suite does not adequately test PKCE behavior. The current tests only log whether code_challenge is present in the authorization request; they do not verify that clients check the authorization server's metadata for PKCE support before proceeding, and they do not validate the PKCE exchange itself (S256 method, code_verifier sent at the token endpoint, verifier matching the recorded challenge).
Missing Coverage
Check: pkce-metadata-supported
Spec: "MCP clients MUST verify the presence of code_challenge_methods_supported"
Verify client checks AS metadata contains code_challenge_methods_supported.
Check: pkce-metadata-refused (requires different server - no PKCE support)
Spec: "If code_challenge_methods_supported is absent, the authorization server does not support PKCE and MCP clients MUST refuse to proceed."
Negative test: AS metadata omits code_challenge_methods_supported → client refuses to proceed.
Check: pkce-s256-used
Spec: "MCP clients MUST use the S256 code challenge method when technically capable"
Verify client sends code_challenge_method=S256 in authorization request.
Check: pkce-code-challenge-sent
Spec: "To mitigate this, MCP clients MUST implement PKCE according to OAuth 2.1 Section 7.5.2"
Verify client sends code_challenge parameter in authorization request.
Check: pkce-code-verifier-sent
Spec: "To mitigate this, MCP clients MUST implement PKCE according to OAuth 2.1 Section 7.5.2"
Verify client sends code_verifier parameter in token request.
Check: pkce-verifier-matches-challenge
Spec: "To mitigate this, MCP clients MUST implement PKCE according to OAuth 2.1 Section 7.5.2"
Verify BASE64URL(SHA256(code_verifier)) === code_challenge (S256 validation).
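The checks above, written out as an added example of the validation the suite's test authorization server could run (this is illustrative code, not the suite's own; the `CheckResult` shape, `AuthServerMetadata` subset and function names are assumptions). The authorization endpoint runs `checkAuthorizationRequest` on the query it receives and records the `code_challenge` it issued a code for; the token endpoint runs `checkTokenRequest` against that recorded challenge, recomputing `BASE64URL(SHA256(code_verifier))` per RFC 7636. `clientMayProceed` states the client-side rule behind pkce-metadata-supported / pkce-metadata-refused, which a negative test can only observe by serving metadata without `code_challenge_methods_supported` and asserting that no authorization request arrives.

```typescript
import { createHash, timingSafeEqual } from "crypto";

// Hypothetical result shape; the suite's own check type is not on this page.
export interface CheckResult {
  id: string;
  passed: boolean;
  detail: string;
}

// Subset of RFC 8414 / OIDC Discovery metadata that the checks look at (assumed shape).
export interface AuthServerMetadata {
  issuer: string;
  code_challenge_methods_supported?: string[];
}

// RFC 7636 section 4.1: code_verifier is 43..128 unreserved characters.
const VERIFIER_RE = /^[A-Za-z0-9\-._~]{43,128}$/;

// RFC 7636 section 4.2: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), no padding.
export function s256Challenge(codeVerifier: string): string {
  return createHash("sha256").update(codeVerifier, "ascii").digest("base64url");
}

// Client-side rule under test: a conforming MCP client proceeds only when the AS
// metadata advertises code_challenge_methods_supported; absent field means refuse.
export function clientMayProceed(metadata: AuthServerMetadata): boolean {
  const methods = metadata.code_challenge_methods_supported;
  return Array.isArray(methods) && methods.length > 0;
}

// Authorization-endpoint checks: pkce-code-challenge-sent, pkce-s256-used.
export function checkAuthorizationRequest(
  query: Record<string, string | undefined>,
): CheckResult[] {
  const challenge = query.code_challenge ?? "";
  const method = query.code_challenge_method;
  return [
    {
      id: "pkce-code-challenge-sent",
      passed: challenge.length > 0,
      detail: challenge.length > 0 ? "code_challenge present" : "code_challenge missing",
    },
    {
      id: "pkce-s256-used",
      passed: method === "S256",
      detail: `code_challenge_method=${method ?? "(absent)"}`,
    },
  ];
}

// Token-endpoint checks: pkce-code-verifier-sent, pkce-verifier-matches-challenge.
// recordedChallenge is the code_challenge the server stored when it issued the code.
export function checkTokenRequest(
  body: Record<string, string | undefined>,
  recordedChallenge: string | undefined,
): CheckResult[] {
  const verifier = body.code_verifier ?? "";
  const sent = verifier.length > 0;
  let matches = false;
  let detail: string;
  if (!sent) {
    detail = "code_verifier missing";
  } else if (!VERIFIER_RE.test(verifier)) {
    detail = "code_verifier is not 43..128 unreserved characters (RFC 7636 section 4.1)";
  } else if (recordedChallenge === undefined) {
    detail = "no code_challenge was recorded for this authorization code";
  } else {
    const expected = Buffer.from(s256Challenge(verifier));
    const got = Buffer.from(recordedChallenge);
    // Constant-time compare; timingSafeEqual requires equal lengths.
    matches = expected.length === got.length && timingSafeEqual(expected, got);
    detail = matches
      ? "S256(code_verifier) matches recorded code_challenge"
      : "S256(code_verifier) does not match recorded code_challenge";
  }
  return [
    {
      id: "pkce-code-verifier-sent",
      passed: sent,
      detail: sent ? "code_verifier present" : "code_verifier missing",
    },
    { id: "pkce-verifier-matches-challenge", passed: matches, detail },
  ];
}

// Single verdict over a set of check results.
export function allPassed(results: CheckResult[]): boolean {
  return results.every((r) => r.passed);
}
```

The RFC 7636 Appendix B vector (`code_verifier` `dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk`, `code_challenge` `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM`) is a convenient fixture for pkce-verifier-matches-challenge; a verifier of the right length but the wrong value must fail that check while still passing pkce-code-verifier-sent, which is why the two are reported separately.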
All Spec Requirements (Authorization Code Protection section)
| Keyword | Statement |
|---|---|
| MUST | To mitigate this, MCP clients MUST implement PKCE according to OAuth 2.1 Section 7.5.2 |
| MUST | MUST verify PKCE support before proceeding with authorization. |
| MUST | MCP clients MUST use the S256 code challenge method when technically capable |
| MUST | MCP clients MUST rely on authorization server metadata to verify this capability |
| MUST | If code_challenge_methods_supported is absent, the authorization server does not support PKCE and MCP clients MUST refuse to proceed. |
| MUST | MCP clients MUST verify the presence of code_challenge_methods_supported |
| MUST | If the field is absent, MCP clients MUST refuse to proceed. |
| MUST | Authorization servers providing OpenID Connect Discovery 1.0 MUST include code_challenge_methods_supported in their metadata |
Current State
`march-spec-backcompat.ts:102` logs presence but doesn't validate:

```ts
code_challenge: req.query.code_challenge ? 'present' : 'missing',
```

`helpers/createAuthServer.ts:114` advertises PKCE but doesn't enforce:

```ts
code_challenge_methods_supported: ['S256'],
```

Spec References
- Authorization Code Protection
- OAuth 2.1 Section 7.5.2
- RFC 7636