Add client credentials conformance tests (JWT and Basic auth) #55
Commit (efc379a to f4526ff):
…eration

Implements SEP-1046 client credentials conformance tests:
- auth/client-credentials-jwt: Tests private_key_jwt authentication
- auth/client-credentials-basic: Tests client_secret_basic authentication

Key changes:
- Generate EC P-256 keypair dynamically at test start (no hardcoded keys)
- Pass credentials to client via MCP_CONFORMANCE_CONTEXT environment variable
- Add context field to ScenarioUrls interface for scenario-specific data
- Update client runner to pass context as env var to spawned client process

The MCP_CONFORMANCE_CONTEXT env var contains a JSON object with:
- client_id: The expected client identifier
- private_key_pem: PEM-encoded private key (for JWT scenarios)
- client_secret: Client secret (for basic auth scenarios)
- signing_algorithm: JWT signing algorithm (defaults to ES256)
- Generate EC keypair with extractable: true so private key can be exported and passed to clients via MCP_CONFORMANCE_CONTEXT
- Fix client_secret_basic scenario to use authorizationHeader param instead of non-existent headers object

Add OAUTH_2_1_CLIENT_CREDENTIALS spec reference pointing to OAuth 2.1 draft section 4.2 (Client Credentials Grant) and include it in all client_credentials conformance checks for both JWT and basic auth flows.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
felixweinberger
left a comment
LGTM, one comment around iss highlighted by our friend Claude that seems easy enough to add + valuable given it's a MUST in RFC 7523? Not sure if the goal here is to be fully compliant with that RFC though or to just take elements of it.
| }); | ||
|
|
||
| // Verify sub claim matches expected client_id | ||
| if (payload.sub !== CONFORMANCE_TEST_CLIENT_ID) { |
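Review bot: the claims check here stops at `sub`, but RFC 7523 section 3 (the section linked in this thread) also makes `iss`, `aud` and `exp` REQUIRED, so as written the scenario would accept an assertion that names the right subject yet is issued by another party, is addressed to a different token endpoint, or has already expired. Suggest adding, next to the `sub` check, `if (payload.iss !== CONFORMANCE_TEST_CLIENT_ID)`, an `aud` check against the scenario's token endpoint URL, and an `exp` check against the current time, each with its own failure message so an SDK author can tell which claim is wrong.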
nit: Should we assert on payload.iss as well?
Looks like iss is required by this RFC: https://datatracker.ietf.org/doc/html/rfc7523#section-3
ah yea good call.
Per RFC 7523, verify that the JWT issuer (iss) claim matches the expected client_id, in addition to the existing sub claim check.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Summary
Adds two new conformance test scenarios for SEP-1046 OAuth client_credentials flow:
- auth/client-credentials-jwt: Tests client_credentials grant with private_key_jwt authentication (RFC 7523 Section 2.2)
- auth/client-credentials-basic: Tests client_credentials grant with client_secret_basic authentication

Well-known test credentials
Both scenarios use well-known test credentials that SDK implementations should use:
For JWT (private_key_jwt):
- client_id: conformance-test-client
- private key: client-credentials.ts

For Basic auth (client_secret_basic):
- client_id: conformance-test-client
- client_secret: conformance-test-secret

Changes
- ClientCredentialsJwtScenario - verifies JWT assertion signature and claims
- ClientCredentialsBasicScenario - verifies HTTP Basic auth header
- createAuthServer to pass Authorization header to onTokenRequest callback
- mockTokenVerifier to accept cc-token-* prefix

Note
The existing TypeScript test client uses authorization_code flow, so these scenarios will fail with it. SDK implementations need to add client_credentials support to pass these tests.