Support client_secret_basic in client_credentials flow

Extend RFC7523OAuthClientProvider._exchange_token_client_credentials()
to support both private_key_jwt (with JWT assertion) and client_secret_basic
(with HTTP Basic auth) authentication methods for the client_credentials
grant type.

The method now checks token_endpoint_auth_method:
- private_key_jwt: Adds JWT client_assertion (requires jwt_parameters)
- client_secret_basic/client_secret_post/none: Uses context.prepare_token_auth()

Also add a conformance client scenario for auth/client-credentials-basic
that uses static well-known test credentials.

Author: pcarleton

examples/clients/conformance-auth-client/mcp_conformance_auth_client/__init__.py

@@ -10,8 +10,9 @@
     python -m mcp_conformance_auth_client <scenario> <server-url>
 
 Scenarios:
-    auth/*                    - Authorization code flow scenarios (default behavior)
-    auth/client-credentials-jwt - Client credentials with JWT authentication (SEP-1046)
+    auth/*                      - Authorization code flow scenarios (default behavior)
+    auth/client-credentials-jwt   - Client credentials with JWT authentication (SEP-1046)
+    auth/client-credentials-basic - Client credentials with client_secret_basic
 """
 
 import asyncio
@@ -40,6 +41,9 @@
 # The client_id expected by the conformance test
 CONFORMANCE_TEST_CLIENT_ID = "conformance-test-client"
 
+# Static credentials for client_secret_basic flow
+CONFORMANCE_CLIENT_SECRET = "conformance-test-secret"
+
 # Set up logging to stderr (stdout is for conformance test output)
 logging.basicConfig(
     level=logging.DEBUG,
@@ -160,9 +164,9 @@ async def run_authorization_code_client(server_url: str) -> None:
     await _run_session(server_url, oauth_auth)
 
 
-async def run_client_credentials_client(server_url: str) -> None:
+async def run_client_credentials_jwt_client(server_url: str) -> None:
     """
-    Run the conformance test client with client credentials flow (SEP-1046).
+    Run the conformance test client with client credentials flow using private_key_jwt (SEP-1046).
 
     This function:
     1. Connects to the MCP server with OAuth client_credentials grant
@@ -171,7 +175,7 @@ async def run_client_credentials_client(server_url: str) -> None:
     4. Lists available tools
     5. Calls a test tool
     """
-    logger.debug(f"Starting conformance auth client (client_credentials) for {server_url}")
+    logger.debug(f"Starting conformance auth client (client_credentials_jwt) for {server_url}")
 
     # Create JWT parameters for private_key_jwt authentication
     jwt_params = JWTParameters(
@@ -199,6 +203,46 @@ async def run_client_credentials_client(server_url: str) -> None:
     await _run_session(server_url, oauth_auth)
 
 
+async def run_client_credentials_basic_client(server_url: str) -> None:
+    """
+    Run the conformance test client with client credentials flow using client_secret_basic.
+
+    This function:
+    1. Connects to the MCP server with OAuth client_credentials grant
+    2. Uses client_secret_basic authentication with static credentials
+    3. Initializes the session
+    4. Lists available tools
+    5. Calls a test tool
+    """
+    logger.debug(f"Starting conformance auth client (client_credentials_basic) for {server_url}")
+
+    # Create storage pre-populated with static client credentials
+    storage = InMemoryTokenStorage()
+    await storage.set_client_info(
+        OAuthClientInformationFull(
+            client_id=CONFORMANCE_TEST_CLIENT_ID,
+            client_secret=CONFORMANCE_CLIENT_SECRET,
+            redirect_uris=[AnyUrl("http://localhost:0/unused")],
+            token_endpoint_auth_method="client_secret_basic",
+        )
+    )
+
+    # Create OAuth authentication handler for client_credentials flow with basic auth
+    oauth_auth = RFC7523OAuthClientProvider(
+        server_url=server_url,
+        client_metadata=OAuthClientMetadata(
+            client_name=CONFORMANCE_TEST_CLIENT_ID,
+            redirect_uris=[AnyUrl("http://localhost:0/unused")],  # Required but unused
+            grant_types=["client_credentials"],
+            response_types=[],
+            token_endpoint_auth_method="client_secret_basic",
+        ),
+        storage=storage,
+    )
+
+    await _run_session(server_url, oauth_auth)
+
+
 async def _run_session(server_url: str, oauth_auth: OAuthClientProvider) -> None:
     """Common session logic for all OAuth flows."""
     # Connect using streamable HTTP transport with OAuth
@@ -233,16 +277,19 @@ def main() -> None:
         print(f"Usage: {sys.argv[0]} <scenario> <server-url>", file=sys.stderr)
         print("", file=sys.stderr)
         print("Scenarios:", file=sys.stderr)
-        print("  auth/*                      - Authorization code flow (default)", file=sys.stderr)
-        print("  auth/client-credentials-jwt - Client credentials with JWT auth (SEP-1046)", file=sys.stderr)
+        print("  auth/*                        - Authorization code flow (default)", file=sys.stderr)
+        print("  auth/client-credentials-jwt   - Client credentials with JWT auth (SEP-1046)", file=sys.stderr)
+        print("  auth/client-credentials-basic - Client credentials with client_secret_basic", file=sys.stderr)
         sys.exit(1)
 
     scenario = sys.argv[1]
     server_url = sys.argv[2]
 
     try:
         if scenario == "auth/client-credentials-jwt":
-            asyncio.run(run_client_credentials_client(server_url))
+            asyncio.run(run_client_credentials_jwt_client(server_url))
+        elif scenario == "auth/client-credentials-basic":
+            asyncio.run(run_client_credentials_basic_client(server_url))
         else:
             # Default to authorization code flow for all other auth/* scenarios
             asyncio.run(run_authorization_code_client(server_url))

src/mcp/client/auth/extensions/client_credentials.py

@@ -123,24 +123,35 @@ def _add_client_authentication_jwt(self, *, token_data: dict[str, Any]):  # prag
         token_data["audience"] = self.context.get_resource_url()
 
     async def _exchange_token_client_credentials(self) -> httpx.Request:
-        """Build token exchange request for client_credentials grant with private_key_jwt auth.
+        """Build token exchange request for client_credentials grant.
 
         This implements SEP-1046: OAuth Client Credentials Extension for MCP.
-        Uses RFC 7523 Section 2.2 for client authentication via JWT assertion.
+        Supports both:
+        - private_key_jwt: Uses RFC 7523 Section 2.2 for client authentication via JWT assertion
+        - client_secret_basic: Uses HTTP Basic auth with client_id:client_secret
         """
         if not self.context.client_info:
             raise OAuthFlowError("Missing client info")  # pragma: no cover
-        if not self.jwt_parameters:
-            raise OAuthFlowError("Missing JWT parameters for client_credentials flow")  # pragma: no cover
         if not self.context.oauth_metadata:
             raise OAuthTokenError("Missing OAuth metadata")  # pragma: no cover
 
         token_data: dict[str, Any] = {
             "grant_type": "client_credentials",
         }
 
-        # Add JWT client authentication (RFC 7523 Section 2.2)
-        self._add_client_authentication_jwt(token_data=token_data)
+        headers: dict[str, str] = {"Content-Type": "application/x-www-form-urlencoded"}
+
+        # Add client authentication based on auth method
+        auth_method = self.context.client_metadata.token_endpoint_auth_method
+        if auth_method == "private_key_jwt":
+            # Add JWT client authentication (RFC 7523 Section 2.2)
+            if not self.jwt_parameters:
+                raise OAuthFlowError("Missing JWT parameters for private_key_jwt flow")  # pragma: no cover
+            self._add_client_authentication_jwt(token_data=token_data)
+        else:
+            # Use standard auth methods (client_secret_basic, client_secret_post, none)
+            # via the context's prepare_token_auth helper
+            token_data, headers = self.context.prepare_token_auth(token_data, headers)
 
         if self.context.should_include_resource_param(self.context.protocol_version):  # pragma: no branch
             token_data["resource"] = self.context.get_resource_url()
@@ -149,9 +160,7 @@ async def _exchange_token_client_credentials(self) -> httpx.Request:
             token_data["scope"] = self.context.client_metadata.scope
 
         token_url = self._get_token_endpoint()
-        return httpx.Request(
-            "POST", token_url, data=token_data, headers={"Content-Type": "application/x-www-form-urlencoded"}
-        )
+        return httpx.Request("POST", token_url, data=token_data, headers=headers)
 
     async def _exchange_token_jwt_bearer(self) -> httpx.Request:
         """Build token exchange request for JWT bearer grant (RFC 7523 Section 2.1).