
feat: reject auth servers lacking S256 PKCE support#955

Merged: DaleSeo merged 1 commit into main from fix/oauth-pkce-enforcement on Jul 5, 2026

Conversation

@DaleSeo

@DaleSeo DaleSeo commented Jul 4, 2026

Member

Motivation and Context

The client always sends an S256 PKCE challenge, but when an authorization server's metadata advertised code_challenge_methods_supported without S256, validate_server_metadata only warned and continued. So rmcp would start a flow the authorization server can't complete and fail confusingly mid-exchange. It now returns AuthError::PkceUnsupported up front for that case, matching the TypeScript SDK. An authorization server that omits the field entirely is still allowed (it usually means the server didn't advertise PKCE, not that it lacks S256).

How Has This Been Tested?

New unit tests cover the matrix.

Breaking Changes

None. Only behavioral change.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed
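As an added illustration of the check this PR describes (not rmcp's own code): the only names taken from the description are validate_server_metadata, code_challenge_methods_supported and AuthError::PkceUnsupported; the struct shape and sample inputs are assumed.

```rust
// Added example, not the rmcp implementation. Field and type shapes are
// assumptions; the decision matrix follows the PR description.

#[derive(Debug, PartialEq)]
pub enum AuthError {
    /// The server lists its PKCE methods and S256 is not among them.
    PkceUnsupported,
}

/// The one metadata field this check looks at (assumed struct shape).
#[derive(Debug)]
pub struct ServerMetadata {
    /// `None` when the field is absent from the metadata document.
    pub code_challenge_methods_supported: Option<Vec<String>>,
}

/// The client always uses S256, so refuse up front when the server
/// explicitly advertises PKCE methods without S256. An absent field is
/// tolerated: it means the server did not advertise PKCE at all.
/// Method names are matched exactly (RFC 7636 names are case-sensitive).
pub fn validate_server_metadata(meta: &ServerMetadata) -> Result<(), AuthError> {
    match &meta.code_challenge_methods_supported {
        None => Ok(()),
        Some(methods) if methods.iter().any(|m| m == "S256") => Ok(()),
        Some(_) => Err(AuthError::PkceUnsupported),
    }
}

fn main() {
    // Constructed sample inputs covering the matrix: omitted field,
    // S256 alone, S256 alongside plain, plain only, and an empty list.
    let cases: [(&str, Option<Vec<&str>>); 5] = [
        ("field omitted", None),
        ("S256 only", Some(vec!["S256"])),
        ("plain and S256", Some(vec!["plain", "S256"])),
        ("plain only", Some(vec!["plain"])),
        ("empty list", Some(vec![])),
    ];
    for (label, methods) in cases {
        let meta = ServerMetadata {
            code_challenge_methods_supported: methods
                .map(|v| v.into_iter().map(String::from).collect()),
        };
        println!("{label}: {:?}", validate_server_metadata(&meta));
    }
}
```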

@github-actions github-actions Bot added T-core Core library changes T-transport Transport layer changes labels Jul 4, 2026
@DaleSeo DaleSeo force-pushed the fix/oauth-pkce-enforcement branch from 9029a36 to d46e287 July 4, 2026 00:28
@DaleSeo DaleSeo self-assigned this Jul 4, 2026
@DaleSeo DaleSeo marked this pull request as ready for review July 4, 2026 00:40
@DaleSeo DaleSeo requested a review from a team as a code owner July 4, 2026 00:40
@DaleSeo DaleSeo force-pushed the fix/oauth-pkce-enforcement branch from d46e287 to f59dd43 July 4, 2026 00:45
@DaleSeo DaleSeo force-pushed the fix/oauth-pkce-enforcement branch from f59dd43 to e794929 July 5, 2026 12:05
@DaleSeo DaleSeo merged commit 95490fa into main Jul 5, 2026
20 checks passed
@DaleSeo DaleSeo deleted the fix/oauth-pkce-enforcement branch July 5, 2026 13:05
@github-actions github-actions Bot mentioned this pull request Jul 3, 2026