Make refresh_token grant type optional in DCR handler (#1651)

gazzadownunder · claude · web-flow · commit d52937b39cf4 · 2026-01-05T13:41:45.000Z
Co-authored-by: Claude &lt;noreply@anthropic.com&gt;
diff --git a/src/mcp/server/auth/handlers/register.py b/src/mcp/server/auth/handlers/register.py
@@ -73,11 +73,11 @@ async def handle(self, request: Request) -> Response:
                     ),
                     status_code=400,
                 )
-        if not {"authorization_code", "refresh_token"}.issubset(set(client_metadata.grant_types)):
+        if "authorization_code" not in client_metadata.grant_types:
             return PydanticJSONResponse(
                 content=RegistrationErrorResponse(
                     error="invalid_client_metadata",
-                    error_description="grant_types must be authorization_code and refresh_token",
+                    error_description="grant_types must include 'authorization_code'",
                 ),
                 status_code=400,
             )
diff --git a/tests/server/fastmcp/auth/test_auth_integration.py b/tests/server/fastmcp/auth/test_auth_integration.py
@@ -939,19 +939,35 @@ async def test_client_registration_default_scopes(
         assert registered_client.scope == "read write"
 
     @pytest.mark.anyio
-    async def test_client_registration_invalid_grant_type(self, test_client: httpx.AsyncClient):
+    async def test_client_registration_with_authorization_code_only(self, test_client: httpx.AsyncClient):
+        """Test that registration succeeds with only authorization_code (refresh_token is optional per RFC 7591)."""
         client_metadata = {
             "redirect_uris": ["https://client.example.com/callback"],
             "client_name": "Test Client",
             "grant_types": ["authorization_code"],
         }
 
+        response = await test_client.post("/register", json=client_metadata)
+        assert response.status_code == 201
+        client_info = response.json()
+        assert "client_id" in client_info
+        assert client_info["grant_types"] == ["authorization_code"]
+
+    @pytest.mark.anyio
+    async def test_client_registration_missing_authorization_code(self, test_client: httpx.AsyncClient):
+        """Test that registration fails when authorization_code grant type is missing."""
+        client_metadata = {
+            "redirect_uris": ["https://client.example.com/callback"],
+            "client_name": "Test Client",
+            "grant_types": ["refresh_token"],
+        }
+
         response = await test_client.post("/register", json=client_metadata)
         assert response.status_code == 400
         error_data = response.json()
         assert "error" in error_data
         assert error_data["error"] == "invalid_client_metadata"
-        assert error_data["error_description"] == "grant_types must be authorization_code and refresh_token"
+        assert error_data["error_description"] == "grant_types must include 'authorization_code'"
 
     @pytest.mark.anyio
     async def test_client_registration_with_additional_grant_type(self, test_client: httpx.AsyncClient):

Original file line number	Diff line number	Diff line change
`@@ -73,11 +73,11 @@ async def handle(self, request: Request) -> Response:`
`73`	`73`	`),`
`74`	`74`	`status_code=400,`
`75`	`75`	`)`
`76`		`- if not {"authorization_code", "refresh_token"}.issubset(set(client_metadata.grant_types)):`
	`76`	`+ if "authorization_code" not in client_metadata.grant_types:`
`77`	`77`	`return PydanticJSONResponse(`
`78`	`78`	`content=RegistrationErrorResponse(`
`79`	`79`	`error="invalid_client_metadata",`
`80`		`- error_description="grant_types must be authorization_code and refresh_token",`
	`80`	`+ error_description="grant_types must include 'authorization_code'",`
`81`	`81`	`),`
`82`	`82`	`status_code=400,`
`83`	`83`	`)`