feat: support combined client creds and token exchange

Author: SoldierSacha

README.md

@@ -866,7 +866,7 @@ async def main():
         client_metadata=OAuthClientMetadata(
             client_name="My Client",
             redirect_uris=["http://localhost:3000/callback"],
-            grant_types=["token_exchange"],
+            grant_types=["client_credentials", "token_exchange"],
             response_types=["code"],
         ),
         storage=CustomTokenStorage(),

src/mcp/server/auth/handlers/register.py

@@ -73,6 +73,7 @@ async def handle(self, request: Request) -> Response:
             {"authorization_code", "refresh_token"},
             {"client_credentials"},
             {"token_exchange"},
+            {"client_credentials", "token_exchange"},
         ]
 
         if grant_types_set not in valid_sets:
@@ -81,7 +82,7 @@ async def handle(self, request: Request) -> Response:
                     error="invalid_client_metadata",
                     error_description=(
                         "grant_types must be authorization_code and refresh_token "
-                        "or client_credentials or token exchange"
+                        "or client_credentials or token exchange or client_credentials and token_exchange"
                     ),
                 ),
                 status_code=400,

tests/server/fastmcp/auth/test_auth_integration.py

@@ -976,7 +976,11 @@ async def test_client_registration_invalid_grant_type(self, test_client: httpx.A
         assert error_data["error"] == "invalid_client_metadata"
         assert (
             error_data["error_description"]
-            == "grant_types must be authorization_code and refresh_token or client_credentials or token exchange"
+            == (
+                "grant_types must be authorization_code and refresh_token "
+                "or client_credentials or token exchange or "
+                "client_credentials and token_exchange"
+            )
         )
 
     @pytest.mark.anyio
@@ -1336,3 +1340,33 @@ async def test_token_exchange_invalid_subject(self, test_client: httpx.AsyncClie
         assert response.status_code == 400
         data = response.json()
         assert data["error"] == "invalid_grant"
+
+    @pytest.mark.anyio
+    @pytest.mark.parametrize(
+        "registered_client",
+        [{"grant_types": ["client_credentials", "token_exchange"]}],
+        indirect=True,
+    )
+    async def test_client_credentials_and_token_exchange(self, test_client: httpx.AsyncClient, registered_client):
+        cc_response = await test_client.post(
+            "/token",
+            data={
+                "grant_type": "client_credentials",
+                "client_id": registered_client["client_id"],
+                "client_secret": registered_client["client_secret"],
+                "scope": "read write",
+            },
+        )
+        assert cc_response.status_code == 200
+
+        te_response = await test_client.post(
+            "/token",
+            data={
+                "grant_type": "token_exchange",
+                "client_id": registered_client["client_id"],
+                "client_secret": registered_client["client_secret"],
+                "subject_token": "good_token",
+                "subject_token_type": "access_token",
+            },
+        )
+        assert te_response.status_code == 200