Fix client secret post for client credentials auth#2140

Open

Noravee wants to merge 3 commits into modelcontextprotocol:v1.x from Noravee:fix-client-secret-post-for-client-credentials-auth

Conversation

@Noravee Noravee commented Feb 25, 2026

Fixes #2128

Summary

Adds missing client_id parameter to token request body for client_secret_post authentication method in ClientCredentialsOAuthProvider.

Motivation and Context

When using token_endpoint_auth_method="client_secret_post" with the ClientCredentialsOAuthProvider, the token exchange request was missing the required client_id parameter in the request body, causing authentication to fail.

Per RFC 6749 Section 2.3.1, the client_secret_post method requires both client_id and client_secret to be included in the request body. Previously, only client_secret was being added by prepare_token_auth(), while client_id was never included.

This bug completely prevented client_secret_post authentication from working, as OAuth servers would reject requests without the client identifier.

Changes Made

  • Added client_id to the initial token_data dictionary in _exchange_token_client_credentials()
  • Added runtime validation to ensure client_info and client_id are available before building the request
  • Updated existing test to call _initialize() before authorization

How Has This Been Tested?

  • Existing unit tests pass with modifications
  • Tested both client_secret_basic and client_secret_post authentication methods

Breaking Changes

None. This is a pure bug fix that adds a required parameter that should have been present. No API changes.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Additional context

The client_id is now included in all token requests, which is:

  • Required for client_secret_post (fixing the bug)
  • Redundant but allowed for client_secret_basic (already in Authorization header)
  • Harmless for other authentication methods

This ensures compliance with OAuth 2.0 RFC 6749 and enables client_secret_post to work correctly.

- initialize provider in test_exchange_token_client_credentials and test_exchange_token_without_scopes unit tests
@Noravee Noravee changed the base branch from main to v1.x February 25, 2026 01:44
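The wire-level difference the description rests on, written out as an added example that is not part of this PR or of the MCP SDK: one builder that produces the token request for either client authentication method (with a switch that reproduces the pre-fix body, where client_secret_post carried only the secret), and a server-side check showing why the authorization server answers invalid_client when client_id is absent. The names build_token_request and authenticate_client, the ValueError guard, and the REGISTERED_CLIENTS registry are assumptions of this example.

```python
import base64
import hmac
from urllib.parse import quote, unquote

# Hypothetical names for this illustration; not the MCP SDK's own API.
CLIENT_SECRET_BASIC = "client_secret_basic"
CLIENT_SECRET_POST = "client_secret_post"

# Constructed client registration that the server-side check consults.
REGISTERED_CLIENTS = {"svc-client": "s3cr3t"}


def build_token_request(auth_method, client_id, client_secret, scopes=None,
                        client_id_in_body=True):
    """Return (headers, body) for a client_credentials grant.

    client_id_in_body=False reproduces the pre-fix behaviour the PR describes:
    for client_secret_post only client_secret reaches the form body.
    """
    # Runtime validation of the kind the PR adds before the request is built:
    # a provider that was never initialised has no client identity to send.
    if not client_id or not client_secret:
        raise ValueError("client_id and client_secret must be set before building a token request")

    body = {"grant_type": "client_credentials"}
    if scopes:
        body["scope"] = " ".join(scopes)
    headers = {"Content-Type": "application/x-www-form-urlencoded"}

    if auth_method == CLIENT_SECRET_BASIC:
        # RFC 6749 2.3.1: form-urlencode id and secret, join with ':', Base64 the result.
        creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(creds.encode()).decode()
        if client_id_in_body:
            body["client_id"] = client_id  # redundant here, but permitted
    elif auth_method == CLIENT_SECRET_POST:
        # RFC 6749 2.3.1: both parameters travel in the form body.
        body["client_secret"] = client_secret
        if client_id_in_body:
            body["client_id"] = client_id
    else:
        raise ValueError(f"unsupported token_endpoint_auth_method: {auth_method}")
    return headers, body


def authenticate_client(headers, body):
    """Server-side view: return the authenticated client_id, or the RFC 6749 5.2
    error code "invalid_client" that the token endpoint would answer with."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            raw = base64.b64decode(auth[len("Basic "):]).decode()
            enc_id, enc_secret = raw.split(":", 1)
        except ValueError:  # bad Base64, bad UTF-8, or no ':' separator
            return "invalid_client"
        client_id, secret = unquote(enc_id), unquote(enc_secret)
    elif "client_secret" in body:
        # The case the PR fixes: a body carrying a secret but no identifier
        # gives the server nothing to look the secret up against.
        if "client_id" not in body:
            return "invalid_client"
        client_id, secret = body["client_id"], body["client_secret"]
    else:
        return "invalid_client"

    expected = REGISTERED_CLIENTS.get(client_id)
    if expected is None or not hmac.compare_digest(expected.encode(), secret.encode()):
        return "invalid_client"
    return client_id
```

Running build_token_request with client_id_in_body=False and feeding the result to authenticate_client reproduces the failure in the linked issue; with the default it succeeds, and for client_secret_basic the extra body parameter is ignored by the server as the description says.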

Development

Successfully merging this pull request may close these issues.

ClientCredentialsOAuthProvider: Missing client_id in token request body for client_secret_post