Resolve merge conflicts and retain OAuth grant support

Author: SoldierSacha

src/mcp/client/auth/oauth2.py

@@ -431,67 +431,7 @@ def _select_scopes(self, init_response: httpx.Response) -> None:
             # Priority 3: Omit scope parameter
             self.context.client_metadata.scope = None
 
-#<<<<<<< main
     # Discovery and registration helpers provided by BaseOAuthProvider
-#=======
-    def _get_discovery_urls(self) -> list[str]:
-        """Generate ordered list of (url, type) tuples for discovery attempts."""
-        urls: list[str] = []
-        auth_server_url = self.context.auth_server_url or self.context.server_url
-        parsed = urlparse(auth_server_url)
-        base_url = f"{parsed.scheme}://{parsed.netloc}"
-
-        # RFC 8414: Path-aware OAuth discovery
-        if parsed.path and parsed.path != "/":
-            oauth_path = f"/.well-known/oauth-authorization-server{parsed.path.rstrip('/')}"
-            urls.append(urljoin(base_url, oauth_path))
-
-        # OAuth root fallback
-        urls.append(urljoin(base_url, "/.well-known/oauth-authorization-server"))
-
-        # RFC 8414 section 5: Path-aware OIDC discovery
-        # See https://www.rfc-editor.org/rfc/rfc8414.html#section-5
-        if parsed.path and parsed.path != "/":
-            oidc_path = f"/.well-known/openid-configuration{parsed.path.rstrip('/')}"
-            urls.append(urljoin(base_url, oidc_path))
-
-        # OIDC 1.0 fallback (appends to full URL per OIDC spec)
-        oidc_fallback = f"{auth_server_url.rstrip('/')}/.well-known/openid-configuration"
-        urls.append(oidc_fallback)
-
-        return urls
-
-    async def _register_client(self) -> httpx.Request | None:
-        """Build registration request or skip if already registered."""
-        if self.context.client_info:
-            return None
-
-        if self.context.oauth_metadata and self.context.oauth_metadata.registration_endpoint:
-            registration_url = str(self.context.oauth_metadata.registration_endpoint)
-        else:
-            auth_base_url = self.context.get_authorization_base_url(self.context.server_url)
-            registration_url = urljoin(auth_base_url, "/register")
-
-        registration_data = self.context.client_metadata.model_dump(by_alias=True, mode="json", exclude_none=True)
-
-        return httpx.Request(
-            "POST", registration_url, json=registration_data, headers={"Content-Type": "application/json"}
-        )
-
-    async def _handle_registration_response(self, response: httpx.Response) -> None:
-        """Handle registration response."""
-        if response.status_code not in (200, 201):
-            await response.aread()
-            raise OAuthRegistrationError(f"Registration failed: {response.status_code} {response.text}")
-
-        try:
-            content = await response.aread()
-            client_info = OAuthClientInformationFull.model_validate_json(content)
-            self.context.client_info = client_info
-            await self.context.storage.set_client_info(client_info)
-        except ValidationError as e:  # pragma: no cover
-            raise OAuthRegistrationError(f"Invalid registration response: {e}")
-#>>>>>>> main
 
     async def _perform_authorization(self) -> httpx.Request:
         """Perform the authorization flow."""
@@ -644,13 +584,8 @@ async def _refresh_token(self) -> httpx.Request:
         if self.context.should_include_resource_param(self.context.protocol_version):
             refresh_data["resource"] = self.context.get_resource_url()  # RFC 8707
 
-#<<<<<<< main
         headers = {"Content-Type": "application/x-www-form-urlencoded"}
         self._apply_client_auth(refresh_data, headers, self.context.client_info)
-#=======
-        if self.context.client_info.client_secret:  # pragma: no branch
-            refresh_data["client_secret"] = self.context.client_info.client_secret
-#>>>>>>> main
 
         return httpx.Request("POST", token_url, data=refresh_data, headers=headers)
 
@@ -734,13 +669,10 @@ async def async_auth_flow(self, request: httpx.Request) -> AsyncGenerator[httpx.
                     self._select_scopes(response)
 
                     # Step 3: Discover OAuth metadata (with fallback for legacy servers)
-#<<<<<<< main
-                    discovery_urls = self._get_discovery_urls(self.context.auth_server_url or self.context.server_url)
+                    discovery_urls = self._get_discovery_urls(
+                        self.context.auth_server_url or self.context.server_url
+                    )
                     for url in discovery_urls:
-#=======
-                    discovery_urls = self._get_discovery_urls()
-                    for url in discovery_urls:  # pragma: no branch
-#>>>>>>> main
                         oauth_metadata_request = self._create_oauth_metadata_request(url)
                         oauth_metadata_response = yield oauth_metadata_request
 

src/mcp/server/auth/handlers/token.py

@@ -288,97 +288,15 @@ async def handle(self, request: Request):
 
         match token_request:
             case AuthorizationCodeRequest():
-#<<<<<<< main
                 result = await self._handle_authorization_code(client_info, token_request)
-#=======
-                auth_code = await self.provider.load_authorization_code(client_info, token_request.code)
-                if auth_code is None or auth_code.client_id != token_request.client_id:
-                    # if code belongs to different client, pretend it doesn't exist
-                    return self.response(
-                        TokenErrorResponse(
-                            error="invalid_grant",
-                            error_description="authorization code does not exist",
-                        )
-                    )
-
-                # make auth codes expire after a deadline
-                # see https://datatracker.ietf.org/doc/html/rfc6749#section-10.5
-                if auth_code.expires_at < time.time():
-                    return self.response(
-                        TokenErrorResponse(
-                            error="invalid_grant",
-                            error_description="authorization code has expired",
-                        )
-                    )
-
-                # verify redirect_uri doesn't change between /authorize and /tokens
-                # see https://datatracker.ietf.org/doc/html/rfc6749#section-10.6
-                if auth_code.redirect_uri_provided_explicitly:
-                    authorize_request_redirect_uri = auth_code.redirect_uri
-                else:  # pragma: no cover
-                    authorize_request_redirect_uri = None
-
-                # Convert both sides to strings for comparison to handle AnyUrl vs string issues
-                token_redirect_str = str(token_request.redirect_uri) if token_request.redirect_uri is not None else None
-                auth_redirect_str = (
-                    str(authorize_request_redirect_uri) if authorize_request_redirect_uri is not None else None
-                )
-#>>>>>>> main
 
             case ClientCredentialsRequest():
                 result = await self._handle_client_credentials(client_info, token_request)
 
             case TokenExchangeRequest():
                 result = await self._handle_token_exchange(client_info, token_request)
 
-#<<<<<<< main
             case RefreshTokenRequest():
                 result = await self._handle_refresh_token(client_info, token_request)
 
         return self.response(result)
-#=======
-            case RefreshTokenRequest():  # pragma: no cover
-                refresh_token = await self.provider.load_refresh_token(client_info, token_request.refresh_token)
-                if refresh_token is None or refresh_token.client_id != token_request.client_id:
-                    # if token belongs to different client, pretend it doesn't exist
-                    return self.response(
-                        TokenErrorResponse(
-                            error="invalid_grant",
-                            error_description="refresh token does not exist",
-                        )
-                    )
-
-                if refresh_token.expires_at and refresh_token.expires_at < time.time():
-                    # if the refresh token has expired, pretend it doesn't exist
-                    return self.response(
-                        TokenErrorResponse(
-                            error="invalid_grant",
-                            error_description="refresh token has expired",
-                        )
-                    )
-
-                # Parse scopes if provided
-                scopes = token_request.scope.split(" ") if token_request.scope else refresh_token.scopes
-
-                for scope in scopes:
-                    if scope not in refresh_token.scopes:
-                        return self.response(
-                            TokenErrorResponse(
-                                error="invalid_scope",
-                                error_description=(f"cannot request scope `{scope}` not provided by refresh token"),
-                            )
-                        )
-
-                try:
-                    # Exchange refresh token for new tokens
-                    tokens = await self.provider.exchange_refresh_token(client_info, refresh_token, scopes)
-                except TokenError as e:
-                    return self.response(
-                        TokenErrorResponse(
-                            error=e.error,
-                            error_description=e.error_description,
-                        )
-                    )
-
-        return self.response(TokenSuccessResponse(root=tokens))
-#>>>>>>> main

tests/server/fastmcp/resources/test_file_resources.py

@@ -100,8 +100,6 @@ async def test_missing_file_error(self, temp_file: Path):
         with pytest.raises(ValueError, match="Error reading file"):
             await resource.read()
 
-#<<<<<<< main
-
 @pytest.mark.skipif(os.name == "nt", reason="File permissions behave differently on Windows")
 @pytest.mark.anyio
 async def test_permission_error(temp_file: Path):
@@ -119,20 +117,3 @@ async def test_permission_error(temp_file: Path):
             await resource.read()
     finally:
         temp_file.chmod(0o644)  # Restore permissions
-#=======
-    @pytest.mark.skipif(os.name == "nt", reason="File permissions behave differently on Windows")
-    @pytest.mark.anyio
-    async def test_permission_error(self, temp_file: Path):  # pragma: no cover
-        """Test reading a file without permissions."""
-        temp_file.chmod(0o000)  # Remove all permissions
-        try:
-            resource = FileResource(
-                uri=FileUrl(temp_file.as_uri()),
-                name="test",
-                path=temp_file,
-            )
-            with pytest.raises(ValueError, match="Error reading file"):
-                await resource.read()
-        finally:
-            temp_file.chmod(0o644)  # Restore permissions
-#>>>>>>> main