Validate grant_types on registration

praboud-ant · praboud-ant · commit 50673c636074 · 2025-03-19T11:01:47.000-07:00
diff --git a/src/mcp/server/auth/handlers/register.py b/src/mcp/server/auth/handlers/register.py
@@ -75,6 +75,17 @@ async def handle(self, request: Request) -> Response:
                     ),
                     status_code=400,
                 )
+        if set(client_metadata.grant_types) != set(
+            ["authorization_code", "refresh_token"]
+        ):
+            return PydanticJSONResponse(
+                content=RegistrationErrorResponse(
+                    error="invalid_client_metadata",
+                    error_description="grant_types must be authorization_code "
+                    "and refresh_token",
+                ),
+                status_code=400,
+            )
 
         client_id_issued_at = int(time.time())
         client_secret_expires_at = (
diff --git a/tests/server/fastmcp/auth/test_auth_integration.py b/tests/server/fastmcp/auth/test_auth_integration.py
@@ -407,27 +407,6 @@ async def test_token_validation_error(self, test_client: httpx.AsyncClient):
             "error_description" in error_response
         )  # Contains validation error messages
 
-    @pytest.mark.anyio
-    @pytest.mark.parametrize(
-        "registered_client", [{"grant_types": ["authorization_code"]}], indirect=True
-    )
-    async def test_token_unsupported_grant_type(self, test_client, registered_client):
-        """Test token endpoint error - unsupported grant type."""
-        # Try refresh_token grant with client that only supports authorization_code
-        response = await test_client.post(
-            "/token",
-            data={
-                "grant_type": "refresh_token",
-                "client_id": registered_client["client_id"],
-                "client_secret": registered_client["client_secret"],
-                "refresh_token": "some_refresh_token",
-            },
-        )
-        assert response.status_code == 400
-        error_response = response.json()
-        assert error_response["error"] == "unsupported_grant_type"
-        assert "supported grant types" in error_response["error_description"]
-
     @pytest.mark.anyio
     async def test_token_invalid_auth_code(
         self, test_client, registered_client, pkce_challenge
@@ -1001,6 +980,29 @@ async def test_client_registration_default_scopes(
         # Check that default scopes were applied
         assert registered_client.scope == "read write"
 
+    @pytest.mark.anyio
+    async def test_client_registration_invalid_grant_type(
+        self, test_client: httpx.AsyncClient
+    ):
+        client_metadata = {
+            "redirect_uris": ["https://client.example.com/callback"],
+            "client_name": "Test Client",
+            "grant_types": ["authorization_code"],
+        }
+
+        response = await test_client.post(
+            "/register",
+            json=client_metadata,
+        )
+        assert response.status_code == 400
+        error_data = response.json()
+        assert "error" in error_data
+        assert error_data["error"] == "invalid_client_metadata"
+        assert (
+            error_data["error_description"]
+            == "grant_types must be authorization_code and refresh_token"
+        )
+
 
 class TestFastMCPWithAuth:
     """Test FastMCP server with authentication."""
