merge with recent branch

Author: SoldierSacha

README.md

@@ -859,14 +859,14 @@ async def main():
     # instead of OAuthClientProvider.
 
     # If you already have a user token from another provider, you can
-    # exchange it for an MCP token using the token-exchange grant
+    # exchange it for an MCP token using the token_exchange grant
     # implemented by TokenExchangeProvider.
     token_exchange_auth = TokenExchangeProvider(
         server_url="https://api.example.com",
         client_metadata=OAuthClientMetadata(
             client_name="My Client",
             redirect_uris=["http://localhost:3000/callback"],
-            grant_types=["token-exchange"],
+            grant_types=["token_exchange"],
             response_types=["code"],
         ),
         storage=CustomTokenStorage(),

docs/api.md

@@ -1,5 +1,5 @@
 The Python SDK exposes the entire `mcp` package for use in your own projects.
 It includes an OAuth server implementation with support for the RFC 8693
-`token-exchange` grant type.
+`token_exchange` grant type.
 
 ::: mcp

docs/index.md

@@ -4,6 +4,6 @@ This is the MCP Server implementation in Python.
 
 It only contains the [API Reference](api.md) for the time being.
 
-The built-in OAuth server supports the RFC 8693 `token-exchange` grant type,
+The built-in OAuth server supports the RFC 8693 `token_exchange` grant type,
 allowing clients to exchange user tokens from external providers for MCP
 access tokens.

examples/servers/simple-auth/mcp_simple_auth/server.py

@@ -252,9 +252,7 @@ async def exchange_token(
         """Exchange an external token for an MCP access token."""
         raise NotImplementedError("Token exchange is not supported")
 
-    async def exchange_client_credentials(
-        self, client: OAuthClientInformationFull, scopes: list[str]
-    ) -> OAuthToken:
+    async def exchange_client_credentials(self, client: OAuthClientInformationFull, scopes: list[str]) -> OAuthToken:
         """Exchange client credentials for an access token."""
         token = f"mcp_{secrets.token_hex(32)}"
         self.tokens[token] = AccessToken(

src/mcp/client/auth.py

@@ -17,7 +17,6 @@
 import anyio
 import httpx
 
-from mcp.client.streamable_http import MCP_PROTOCOL_VERSION
 from mcp.shared.auth import (
     OAuthClientInformationFull,
     OAuthClientMetadata,
@@ -90,9 +89,7 @@ async def _discover_oauth_metadata(server_url: str) -> OAuthMetadata | None:
                     return None
                 response.raise_for_status()
                 metadata_json = response.json()
-                logger.debug(
-                    f"OAuth metadata discovered (no MCP header): {metadata_json}"
-                )
+                logger.debug(f"OAuth metadata discovered (no MCP header): {metadata_json}")
                 return OAuthMetadata.model_validate(metadata_json)
             except Exception:
                 logger.exception("Failed to discover OAuth metadata")
@@ -513,16 +510,10 @@ async def _register_oauth_client(
             auth_base_url = _get_authorization_base_url(server_url)
             registration_url = urljoin(auth_base_url, "/register")
 
-        if (
-            client_metadata.scope is None
-            and metadata
-            and metadata.scopes_supported is not None
-        ):
+        if client_metadata.scope is None and metadata and metadata.scopes_supported is not None:
             client_metadata.scope = " ".join(metadata.scopes_supported)
 
-        registration_data = client_metadata.model_dump(
-            by_alias=True, mode="json", exclude_none=True
-        )
+        registration_data = client_metadata.model_dump(by_alias=True, mode="json", exclude_none=True)
 
         async with httpx.AsyncClient() as client:
             response = await client.post(
@@ -558,9 +549,7 @@ async def _validate_token_scopes(self, token_response: OAuthToken) -> None:
             returned_scopes = set(token_response.scope.split())
             unauthorized_scopes = returned_scopes - requested_scopes
             if unauthorized_scopes:
-                raise Exception(
-                    f"Server granted unauthorized scopes: {unauthorized_scopes}."
-                )
+                raise Exception(f"Server granted unauthorized scopes: {unauthorized_scopes}.")
         else:
             granted = set(token_response.scope.split())
             logger.debug(
@@ -574,9 +563,7 @@ async def initialize(self) -> None:
 
     async def _get_or_register_client(self) -> OAuthClientInformationFull:
         if not self._client_info:
-            self._client_info = await self._register_oauth_client(
-                self.server_url, self.client_metadata, self._metadata
-            )
+            self._client_info = await self._register_oauth_client(self.server_url, self.client_metadata, self._metadata)
             await self.storage.set_client_info(self._client_info)
         return self._client_info
 
@@ -612,9 +599,7 @@ async def _request_token(self) -> None:
             )
 
         if response.status_code != 200:
-            raise Exception(
-                f"Token request failed: {response.status_code} {response.text}"
-            )
+            raise Exception(f"Token request failed: {response.status_code} {response.text}")
 
         token_response = OAuthToken.model_validate(response.json())
         await self._validate_token_scopes(token_response)
@@ -633,17 +618,13 @@ async def ensure_token(self) -> None:
                 return
             await self._request_token()
 
-    async def async_auth_flow(
-        self, request: httpx.Request
-    ) -> AsyncGenerator[httpx.Request, httpx.Response]:
+    async def async_auth_flow(self, request: httpx.Request) -> AsyncGenerator[httpx.Request, httpx.Response]:
         if not self._has_valid_token():
             await self.initialize()
             await self.ensure_token()
 
         if self._current_tokens and self._current_tokens.access_token:
-            request.headers["Authorization"] = (
-                f"Bearer {self._current_tokens.access_token}"
-            )
+            request.headers["Authorization"] = f"Bearer {self._current_tokens.access_token}"
 
         response = yield request
 
@@ -688,12 +669,10 @@ async def _request_token(self) -> None:
             token_url = urljoin(auth_base_url, "/token")
 
         subject_token = await self.subject_token_supplier()
-        actor_token = (
-            await self.actor_token_supplier() if self.actor_token_supplier else None
-        )
+        actor_token = await self.actor_token_supplier() if self.actor_token_supplier else None
 
         token_data = {
-            "grant_type": "token-exchange",
+            "grant_type": "token_exchange",
             "client_id": client_info.client_id,
             "subject_token": subject_token,
             "subject_token_type": self.subject_token_type,
@@ -722,9 +701,7 @@ async def _request_token(self) -> None:
             )
 
         if response.status_code != 200:
-            raise Exception(
-                f"Token request failed: {response.status_code} {response.text}"
-            )
+            raise Exception(f"Token request failed: {response.status_code} {response.text}")
 
         token_response = OAuthToken.model_validate(response.json())
         await self._validate_token_scopes(token_response)

src/mcp/client/streamable_http.py

@@ -176,11 +176,7 @@ async def _handle_sse_event(
                 # Call resumption token callback if we have an ID. Only update
                 # the resumption token on notifications to avoid overwriting it
                 # with the token from the final response.
-                if (
-                    sse.id
-                    and resumption_callback
-                    and not isinstance(message.root, JSONRPCResponse | JSONRPCError)
-                ):
+                if sse.id and resumption_callback and not isinstance(message.root, JSONRPCResponse | JSONRPCError):
                     await resumption_callback(sse.id.strip())
 
                 # If this is a response or error return True indicating completion

src/mcp/server/auth/handlers/register.py

@@ -72,7 +72,7 @@ async def handle(self, request: Request) -> Response:
         valid_sets = [
             {"authorization_code", "refresh_token"},
             {"client_credentials"},
-            {"token-exchange"},
+            {"token_exchange"},
         ]
 
         if grant_types_set not in valid_sets:

src/mcp/server/auth/handlers/token.py

@@ -47,13 +47,11 @@ class ClientCredentialsRequest(BaseModel):
 class TokenExchangeRequest(BaseModel):
     """RFC 8693 token exchange request."""
 
-    grant_type: Literal["token-exchange"]
+    grant_type: Literal["token_exchange"]
     subject_token: str = Field(..., description="Token to exchange")
     subject_token_type: str = Field(..., description="Type of the subject token")
     actor_token: str | None = Field(None, description="Optional actor token")
-    actor_token_type: str | None = Field(
-        None, description="Type of the actor token if provided"
-    )
+    actor_token_type: str | None = Field(None, description="Type of the actor token if provided")
     resource: str | None = None
     audience: str | None = None
     scope: str | None = None
@@ -64,19 +62,13 @@ class TokenExchangeRequest(BaseModel):
 class TokenRequest(
     RootModel[
         Annotated[
-            AuthorizationCodeRequest
-            | RefreshTokenRequest
-            | ClientCredentialsRequest
-            | TokenExchangeRequest,
+            AuthorizationCodeRequest | RefreshTokenRequest | ClientCredentialsRequest | TokenExchangeRequest,
             Field(discriminator="grant_type"),
         ]
     ]
 ):
     root: Annotated[
-        AuthorizationCodeRequest
-        | RefreshTokenRequest
-        | ClientCredentialsRequest
-        | TokenExchangeRequest,
+        AuthorizationCodeRequest | RefreshTokenRequest | ClientCredentialsRequest | TokenExchangeRequest,
         Field(discriminator="grant_type"),
     ]
 
@@ -223,9 +215,7 @@ async def handle(self, request: Request):
                     else []
                 )
                 try:
-                    tokens = await self.provider.exchange_client_credentials(
-                        client_info, scopes
-                    )
+                    tokens = await self.provider.exchange_client_credentials(client_info, scopes)
                 except TokenError as e:
                     return self.response(
                         TokenErrorResponse(

src/mcp/server/auth/provider.py

@@ -239,9 +239,7 @@ async def exchange_refresh_token(
         """
         ...
 
-    async def exchange_client_credentials(
-        self, client: OAuthClientInformationFull, scopes: list[str]
-    ) -> OAuthToken:
+    async def exchange_client_credentials(self, client: OAuthClientInformationFull, scopes: list[str]) -> OAuthToken:
         """Exchange client credentials for an access token."""
         ...
 

src/mcp/server/auth/routes.py

@@ -163,7 +163,7 @@ def build_metadata(
             "authorization_code",
             "refresh_token",
             "client_credentials",
-            "token-exchange",
+            "token_exchange",
         ],
         token_endpoint_auth_methods_supported=["client_secret_post"],
         token_endpoint_auth_signing_alg_values_supported=None,

src/mcp/shared/auth.py

@@ -47,13 +47,13 @@ class OAuthClientMetadata(BaseModel):
     # client_secret_post;
     # ie: we do not support client_secret_basic
     token_endpoint_auth_method: Literal["none", "client_secret_post"] = "client_secret_post"
-    # grant_types: this implementation supports authorization_code, refresh_token, client_credentials, & token-exchange
+    # grant_types: this implementation supports authorization_code, refresh_token, client_credentials, & token_exchange
     grant_types: list[
         Literal[
             "authorization_code",
             "refresh_token",
             "client_credentials",
-            "token-exchange",
+            "token_exchange",
         ]
     ] = [
         "authorization_code",
@@ -129,14 +129,12 @@ class OAuthMetadata(BaseModel):
                 "authorization_code",
                 "refresh_token",
                 "client_credentials",
-                "token-exchange",
+                "token_exchange",
             ]
         ]
         | None
     ) = None
-    token_endpoint_auth_methods_supported: (
-        list[Literal["none", "client_secret_post"]] | None
-    ) = None
+    token_endpoint_auth_methods_supported: list[Literal["none", "client_secret_post"]] | None = None
     token_endpoint_auth_signing_alg_values_supported: None = None
     service_documentation: AnyHttpUrl | None = None
     ui_locales_supported: list[str] | None = None

src/mcp/shared/session.py

@@ -370,7 +370,7 @@ async def _receive_loop(self) -> None:
                         )
 
                         session_message = SessionMessage(message=JSONRPCMessage(error_response))
-  
+
                         await self._write_stream.send(session_message)
 
                 elif isinstance(message.message.root, JSONRPCNotification):

tests/client/test_auth.py

@@ -91,7 +91,7 @@ def oauth_metadata():
             "authorization_code",
             "refresh_token",
             "client_credentials",
-            "token-exchange",
+            "token_exchange",
         ],
         code_challenge_methods_supported=["S256"],
     )
@@ -205,13 +205,13 @@ async def test_generate_code_challenge(self, oauth_provider):
     async def test_get_authorization_base_url(self, oauth_provider):
         """Test authorization base URL extraction."""
         # Test with path
-        assert (_get_authorization_base_url("https://api.example.com/v1/mcp") == "https://api.example.com")
+        assert _get_authorization_base_url("https://api.example.com/v1/mcp") == "https://api.example.com"
 
         # Test with no path
-        assert (_get_authorization_base_url("https://api.example.com") == "https://api.example.com")
+        assert _get_authorization_base_url("https://api.example.com") == "https://api.example.com"
 
         # Test with port
-        assert (_get_authorization_base_url("https://api.example.com:8080/path/to/mcp") == "https://api.example.com:8080")
+        assert _get_authorization_base_url("https://api.example.com:8080/path/to/mcp") == "https://api.example.com:8080"
 
     @pytest.mark.anyio
     async def test_discover_oauth_metadata_success(self, oauth_provider, oauth_metadata):
@@ -930,7 +930,7 @@ def test_build_metadata(
             "authorization_code",
             "refresh_token",
             "client_credentials",
-            "token-exchange",
+            "token_exchange",
         ],
         token_endpoint_auth_methods_supported=["client_secret_post"],
         service_documentation=AnyHttpUrl(service_documentation_url),
@@ -969,10 +969,7 @@ async def test_request_token_success(
             await client_credentials_provider.ensure_token()
 
             mock_client.post.assert_called_once()
-            assert (
-                client_credentials_provider._current_tokens.access_token
-                == oauth_token.access_token
-            )
+            assert client_credentials_provider._current_tokens.access_token == oauth_token.access_token
 
     @pytest.mark.anyio
     async def test_async_auth_flow(self, client_credentials_provider, oauth_token):
@@ -985,10 +982,7 @@ async def test_async_auth_flow(self, client_credentials_provider, oauth_token):
 
         auth_flow = client_credentials_provider.async_auth_flow(request)
         updated_request = await auth_flow.__anext__()
-        assert (
-            updated_request.headers["Authorization"]
-            == f"Bearer {oauth_token.access_token}"
-        )
+        assert updated_request.headers["Authorization"] == f"Bearer {oauth_token.access_token}"
         try:
             await auth_flow.asend(mock_response)
         except StopAsyncIteration:
@@ -1022,7 +1016,4 @@ async def test_request_token_success(
             await token_exchange_provider.ensure_token()
 
             mock_client.post.assert_called_once()
-            assert (
-                token_exchange_provider._current_tokens.access_token
-                == oauth_token.access_token
-            )
+            assert token_exchange_provider._current_tokens.access_token == oauth_token.access_token