Skip to content

Add 2025-03-26 OAuth backward compatibility for client conformance#1374

Merged
jeffhandley merged 6 commits intomodelcontextprotocol:mainfrom
jeffhandley:jeffhandley/backcompat
Feb 24, 2026
Merged

Add 2025-03-26 OAuth backward compatibility for client conformance#1374
jeffhandley merged 6 commits intomodelcontextprotocol:mainfrom
jeffhandley:jeffhandley/backcompat

Conversation

@jeffhandley
Copy link
Collaborator

@jeffhandley jeffhandley commented Feb 24, 2026

Implement legacy OAuth fallback so the client can authenticate against MCP servers that predate Protected Resource Metadata (RFC 9728):

  • When PRM discovery fails, synthesize minimal metadata using the MCP server's origin as the authorization server
  • When auth server metadata discovery also fails, fall back to the default endpoint paths (/authorize, /token, /register) specified by the MCP 2025-03-26 spec
  • Conditionally omit the 'resource' parameter from authorization and token requests when operating in legacy mode
  • Skip resource-match verification only for synthesized (not fetched) PRM

Enable the two previously-commented-out client conformance test scenarios:
auth/2025-03-26-oauth-metadata-backcompat
auth/2025-03-26-oauth-endpoint-fallback

@jeffhandley
Add 2025-03-26 OAuth backward compatibility for client conformance
e517f14 
Implement legacy OAuth fallback so the client can authenticate against
MCP servers that predate Protected Resource Metadata (RFC 9728):

- When PRM discovery fails, synthesize minimal metadata using the MCP
  server's origin as the authorization server
- When auth server metadata discovery also fails, fall back to the
  default endpoint paths (/authorize, /token, /register) specified by
  the MCP 2025-03-26 spec
- Conditionally omit the 'resource' parameter from authorization and
  token requests when operating in legacy mode
- Skip resource-match verification only for synthesized (not fetched) PRM

Enable the two previously-commented-out client conformance test scenarios:
  auth/2025-03-26-oauth-metadata-backcompat
  auth/2025-03-26-oauth-endpoint-fallback

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@jeffhandley jeffhandley added this to the 1.0.0 (GA) milestone Feb 24, 2026
@jeffhandley jeffhandley self-assigned this Feb 24, 2026
halter73
halter73 reviewed Feb 24, 2026
View reviewed changes
Copy link
Contributor

@halter73 halter73 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@FICTURE7 With these changes, we might be able to close #1262 considering the client should just work with the legacy auth used by the Atlassian server.

jeffhandley and others added 2 commits February 23, 2026 23:52
@jeffhandley
Avoid exceptions for control flow in auth server metadata fallback
d6fcb49 
Refactor GetAuthServerMetadataAsync to accept an allowDefaultFallback
parameter and return BuildDefaultAuthServerMetadata directly instead of
throwing and catching McpException at the call site.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@jeffhandley
Add unit tests for 2025-03-26 OAuth backward compatibility
1590b1f 
Add two tests to AuthTests.cs covering legacy server scenarios:

- CanAuthenticate_WithLegacyServerWithoutProtectedResourceMetadata:
  Server lacks RFC 9728 PRM but serves auth server metadata at
  well-known URLs on the MCP server origin.

- CanAuthenticate_WithLegacyServerUsingDefaultEndpointFallback:
  Server lacks both PRM and auth server metadata, forcing fallback
  to default /authorize, /token, /register endpoint paths.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@jeffhandley jeffhandley requested a review from halter73 February 24, 2026 08:13
@jeffhandley jeffhandley mentioned this pull request Feb 24, 2026
Merged
9 tasks
halter73
halter73 reviewed Feb 24, 2026
View reviewed changes
jeffhandley and others added 2 commits February 24, 2026 10:35
@jeffhandley
Proxy OAuth endpoints through MCP server in legacy auth test
cd1cbc4 
Update CanAuthenticate_WithLegacyServerWithoutProtectedResourceMetadata to
use McpServerUrl for auth metadata endpoints and proxy OAuth requests to the
real OAuth server, matching the pattern used by the endpoint fallback test.

Update TestOAuthServer RequireResource=false to reject requests that include
a resource parameter, ensuring the client correctly omits it in legacy mode.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@jeffhandley
Rename RequireResource to ExpectResource in TestOAuthServer
e96f4dc 
The property now rejects requests that include a resource parameter when set
to false, so ExpectResource better describes the bidirectional validation.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@jeffhandley jeffhandley merged commit 4e68a4e into modelcontextprotocol:main Feb 24, 2026
7 checks passed
@jeffhandley jeffhandley deleted the jeffhandley/backcompat branch February 24, 2026 23:01
@halter73 halter73 mentioned this pull request Feb 24, 2026
Closed
9 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@halter73 halter73 halter73 approved these changes

@stephentoub stephentoub Awaiting requested review from stephentoub

Assignees

@jeffhandley jeffhandley

Labels

area-auth

Projects

None yet

Milestone

1.0.0 (GA)

Development

Successfully merging this pull request may close these issues.

2 participants

@jeffhandley @halter73