Description
Initial Checks
- I confirm that I'm using the latest version of MCP Python SDK
- I confirm that I searched for my issue in https://github.com/modelcontextprotocol/python-sdk/issues before opening this issue
Description
Bug: Missing client_id in token request body for client_secret_post authentication
Description
When using token_endpoint_auth_method="client_secret_post" with the ClientCredentialsOAuthProvider, the token exchange request is missing the required client_id parameter in the request body, causing authentication to fail.
Root Cause
In ClientCredentialsOAuthProvider._exchange_token_client_credentials(), the initial token_data dictionary only includes grant_type:
```python
token_data: dict[str, Any] = {
    "grant_type": "client_credentials",
}
```
When prepare_token_auth() is called with token_endpoint_auth_method="client_secret_post", it correctly adds client_secret to the body, but client_id is never added.
Per RFC 6749 Section 2.3.1, the client_secret_post method requires both client_id and client_secret in the request body.
Expected Behavior
Token requests using client_secret_post should include both client_id and client_secret in the request body.
Actual Behavior
Only client_secret is included in the request body, causing the OAuth token endpoint to reject the request with an authentication error.
Proposed Fix
Modify _exchange_token_client_credentials() to include client_id in the initial token data:
```python
token_data: dict[str, Any] = {
    "grant_type": "client_credentials",
    "client_id": self.context.client_info.client_id,
}
```
This ensures client_id is present for client_secret_post.
Example Code
Python & MCP Python SDK
python==3.14.2
mcp==1.26.0