Merge branch 'main' into main

Author: SoldierSacha

.gitignore

@@ -89,7 +89,7 @@ ipython_config.py
 # pyenv
 #   For a library or package, you might want to ignore these files since the code is
 #   intended to run in multiple environments; otherwise, check them in:
-# .python-version
+.python-version
 
 # pipenv
 #   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.

examples/servers/structured-output-lowlevel/mcp_structured_output_lowlevel/__init__.py

@@ -0,0 +1 @@
+"""Example of structured output with low-level MCP server."""

…es/servers/structured_output_lowlevel.py …p_structured_output_lowlevel/__main__.pyexamples/servers/structured_output_lowlevel.py renamed to examples/servers/structured-output-lowlevel/mcp_structured_output_lowlevel/__main__.py examples/servers/structured_output_lowlevel.py renamed to examples/servers/structured-output-lowlevel/mcp_structured_output_lowlevel/__main__.py

@@ -0,0 +1,6 @@
+[project]
+name = "mcp-structured-output-lowlevel"
+version = "0.1.0"
+description = "Example of structured output with low-level MCP server"
+requires-python = ">=3.10"
+dependencies = ["mcp"]

examples/servers/structured-output-lowlevel/pyproject.toml

@@ -303,22 +303,19 @@ def __init__(
         )
         self._initialized = False
 
-    def _extract_resource_metadata_from_www_auth(self, init_response: httpx.Response) -> str | None:
+    def _extract_field_from_www_auth(self, init_response: httpx.Response, field_name: str) -> str | None:
         """
-        Extract protected resource metadata URL from WWW-Authenticate header as per RFC9728.
+        Extract field from WWW-Authenticate header.
 
         Returns:
-            Resource metadata URL if found in WWW-Authenticate header, None otherwise
+            Field value if found in WWW-Authenticate header, None otherwise
         """
-        if not init_response or init_response.status_code != 401:
-            return None
-
         www_auth_header = init_response.headers.get("WWW-Authenticate")
         if not www_auth_header:
             return None
 
-        # Pattern matches: resource_metadata="url" or resource_metadata=url (unquoted)
-        pattern = r'resource_metadata=(?:"([^"]+)"|([^\s,]+))'
+        # Pattern matches: field_name="value" or field_name=value (unquoted)
+        pattern = rf'{field_name}=(?:"([^"]+)"|([^\s,]+))'
         match = re.search(pattern, www_auth_header)
 
         if match:
@@ -327,6 +324,27 @@ def _extract_resource_metadata_from_www_auth(self, init_response: httpx.Response
 
         return None
 
+    def _extract_resource_metadata_from_www_auth(self, init_response: httpx.Response) -> str | None:
+        """
+        Extract protected resource metadata URL from WWW-Authenticate header as per RFC9728.
+
+        Returns:
+            Resource metadata URL if found in WWW-Authenticate header, None otherwise
+        """
+        if not init_response or init_response.status_code != 401:
+            return None
+
+        return self._extract_field_from_www_auth(init_response, "resource_metadata")
+
+    def _extract_scope_from_www_auth(self, init_response: httpx.Response) -> str | None:
+        """
+        Extract scope parameter from WWW-Authenticate header as per RFC6750.
+
+        Returns:
+            Scope string if found in WWW-Authenticate header, None otherwise
+        """
+        return self._extract_field_from_www_auth(init_response, "scope")
+
     async def _discover_protected_resource(self, init_response: httpx.Response) -> httpx.Request:
         # RFC9728: Try to extract resource_metadata URL from WWW-Authenticate header of the initial response
         url = self._extract_resource_metadata_from_www_auth(init_response)
@@ -347,8 +365,32 @@ async def _handle_protected_resource_response(self, response: httpx.Response) ->
                 self.context.protected_resource_metadata = metadata
                 if metadata.authorization_servers:
                     self.context.auth_server_url = str(metadata.authorization_servers[0])
+
             except ValidationError:
                 pass
+        else:
+            raise OAuthFlowError(f"Protected Resource Metadata request failed: {response.status_code}")
+
+    def _select_scopes(self, init_response: httpx.Response) -> None:
+        """Select scopes as outlined in the 'Scope Selection Strategy in the MCP spec."""
+        # Per MCP spec, scope selection priority order:
+        # 1. Use scope from WWW-Authenticate header (if provided)
+        # 2. Use all scopes from PRM scopes_supported (if available)
+        # 3. Omit scope parameter if neither is available
+        #
+        www_authenticate_scope = self._extract_scope_from_www_auth(init_response)
+        if www_authenticate_scope is not None:
+            # Priority 1: WWW-Authenticate header scope
+            self.context.client_metadata.scope = www_authenticate_scope
+        elif (
+            self.context.protected_resource_metadata is not None
+            and self.context.protected_resource_metadata.scopes_supported is not None
+        ):
+            # Priority 2: PRM scopes_supported
+            self.context.client_metadata.scope = " ".join(self.context.protected_resource_metadata.scopes_supported)
+        else:
+            # Priority 3: Omit scope parameter
+            self.context.client_metadata.scope = None
 
     # Discovery and registration helpers provided by BaseOAuthProvider
 
@@ -508,6 +550,17 @@ def _add_auth_header(self, request: httpx.Request) -> None:
         if self.context.current_tokens and self.context.current_tokens.access_token:
             request.headers["Authorization"] = f"Bearer {self.context.current_tokens.access_token}"
 
+#<<<<<<< main
+#=======
+    def _create_oauth_metadata_request(self, url: str) -> httpx.Request:
+        return httpx.Request("GET", url, headers={MCP_PROTOCOL_VERSION: LATEST_PROTOCOL_VERSION})
+
+    async def _handle_oauth_metadata_response(self, response: httpx.Response) -> None:
+        content = await response.aread()
+        metadata = OAuthMetadata.model_validate_json(content)
+        self.context.oauth_metadata = metadata
+
+#>>>>>>> main
     async def async_auth_flow(self, request: httpx.Request) -> AsyncGenerator[httpx.Request, httpx.Response]:
         """HTTPX auth flow integration."""
         async with self.context.lock:
@@ -540,8 +593,16 @@ async def async_auth_flow(self, request: httpx.Request) -> AsyncGenerator[httpx.
                     discovery_response = yield discovery_request
                     await self._handle_protected_resource_response(discovery_response)
 
+#<<<<<<< main
                     # Step 2: Discover OAuth metadata (with fallback for legacy servers)
                     discovery_urls = self._get_discovery_urls(self.context.auth_server_url or self.context.server_url)
+#=======
+                    # Step 2: Apply scope selection strategy
+                    self._select_scopes(response)
+
+                    # Step 3: Discover OAuth metadata (with fallback for legacy servers)
+                    discovery_urls = self._get_discovery_urls()
+#>>>>>>> main
                     for url in discovery_urls:
                         oauth_metadata_request = self._create_oauth_metadata_request(url)
                         oauth_metadata_response = yield oauth_metadata_request
@@ -556,17 +617,22 @@ async def async_auth_flow(self, request: httpx.Request) -> AsyncGenerator[httpx.
                         elif oauth_metadata_response.status_code < 400 or oauth_metadata_response.status_code >= 500:
                             break  # Non-4XX error, stop trying
 
+#<<<<<<< main
                     # Step 3: Register client if needed
                     registration_request = self._create_registration_request(self._metadata)
+#=======
+                    # Step 4: Register client if needed
+                    registration_request = await self._register_client()
+#>>>>>>> main
                     if registration_request:
                         registration_response = yield registration_request
                         await self._handle_registration_response(registration_response)
                         self.context.client_info = self._client_info
 
-                    # Step 4: Perform authorization
+                    # Step 5: Perform authorization
                     auth_code, code_verifier = await self._perform_authorization()
 
-                    # Step 5: Exchange authorization code for tokens
+                    # Step 6: Exchange authorization code for tokens
                     token_request = await self._exchange_token(auth_code, code_verifier)
                     token_response = yield token_request
                     await self._handle_token_response(token_response)
@@ -577,6 +643,7 @@ async def async_auth_flow(self, request: httpx.Request) -> AsyncGenerator[httpx.
                 # Retry with new tokens
                 self._add_auth_header(request)
                 yield request
+#<<<<<<< main
 
 
 class ClientCredentialsProvider(BaseOAuthProvider):
@@ -852,3 +919,29 @@ async def async_auth_flow(self, request: httpx.Request) -> AsyncGenerator[httpx.
         response = yield request
         if response.status_code == 401:
             self._current_tokens = None
+#=======
+            elif response.status_code == 403:
+                # Step 1: Extract error field from WWW-Authenticate header
+                error = self._extract_field_from_www_auth(response, "error")
+
+                # Step 2: Check if we need to step-up authorization
+                if error == "insufficient_scope":
+                    try:
+                        # Step 2a: Update the required scopes
+                        self._select_scopes(response)
+
+                        # Step 2b: Perform (re-)authorization
+                        auth_code, code_verifier = await self._perform_authorization()
+
+                        # Step 2c: Exchange authorization code for tokens
+                        token_request = await self._exchange_token(auth_code, code_verifier)
+                        token_response = yield token_request
+                        await self._handle_token_response(token_response)
+                    except Exception:
+                        logger.exception("OAuth flow error")
+                        raise
+
+                    # Retry with new tokens
+                    self._add_auth_header(request)
+                    yield request
+#>>>>>>> main

src/mcp/client/auth.py

@@ -642,13 +642,21 @@ async def _handle_message(
         raise_exceptions: bool = False,
     ):
         with warnings.catch_warnings(record=True) as w:
-            # TODO(Marcelo): We should be checking if message is Exception here.
-            match message:  # type: ignore[reportMatchNotExhaustive]
+            match message:
                 case RequestResponder(request=types.ClientRequest(root=req)) as responder:
                     with responder:
                         await self._handle_request(message, req, session, lifespan_context, raise_exceptions)
                 case types.ClientNotification(root=notify):
                     await self._handle_notification(notify)
+                case Exception():
+                    logger.error(f"Received exception from stream: {message}")
+                    await session.send_log_message(
+                        level="error",
+                        data="Internal Server Error",
+                        logger="mcp.server.exception_handler",
+                    )
+                    if raise_exceptions:
+                        raise message
 
             for warning in w:
                 logger.info("Warning: %s: %s", warning.category.__name__, warning.message)