Skip to content

fix: pass conformance auth scenarios, add RFC 8707 resource validation #2010

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
felixweinberger merged 5 commits into from
Feb 9, 2026
Merged

fix: pass conformance auth scenarios, add RFC 8707 resource validation #2010

felixweinberger merged 5 commits into from
Feb 9, 2026
+187 −8

Conversation

@felixweinberger
Copy link
Contributor

@felixweinberger felixweinberger commented Feb 7, 2026

Summary

Fixes the broken conformance CI that is blocking all PRs with client-conformance failures.

Motivation and Context

The conformance test suite was broken after @modelcontextprotocol/conformance@0.1.13 introduced new auth scenarios requiring:

  1. Pre-registered client credentials from MCP_CONFORMANCE_CONTEXT
  2. RFC 8707 resource validation (PRM resource must match server URL)

This was causing the client-conformance check to fail on nearly all open PRs (the tools_call scenario returns 403 Forbidden). Builds on the work from #1999.

How Has This Been Tested?

  • All 1135 tests pass locally
  • Full code coverage at 100% (0 branch partials)
  • Pyright type checking passes with 0 errors
  • Ruff formatting and linting pass

Breaking Changes

No breaking changes. The new validate_resource_url parameter on OAuthClientProvider is optional.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Additional context

Changes across 4 files:

src/mcp/client/auth/oauth2.py: Adds _validate_resource_match() method that validates PRM resource matches the server URL per RFC 8707 before proceeding with the OAuth flow. Adds optional validate_resource_url callback parameter for custom validation logic.

.github/actions/conformance/client.py: Pre-loads client credentials from MCP_CONFORMANCE_CONTEXT into token storage when available, allowing the existing auth flow to skip DCR when pre-registered credentials are present.

.github/workflows/conformance.yml: Bumps conformance package from 0.1.10 to 0.1.13.

tests/client/test_auth.py: Adds TestResourceValidation test class with 6 tests covering resource validation (mismatched resources, matching resources, custom callbacks, trailing slash normalization, fallback behavior). Updates existing test resource URLs to match server URLs.

@felixweinberger felixweinberger marked this pull request as ready for review February 7, 2026 14:29
Kludex
Kludex reviewed Feb 7, 2026
View reviewed changes
Kludex
Kludex reviewed Feb 7, 2026
View reviewed changes
Kludex
Kludex previously approved these changes Feb 7, 2026
View reviewed changes
@claude
Copy link

claude bot commented Feb 7, 2026

Code review

No issues found. Checked for bugs and CLAUDE.md compliance.

@felixweinberger
Copy link
Contributor Author

felixweinberger commented Feb 7, 2026

Code review

No issues found. Checked for bugs and CLAUDE.md compliance.

You're wrong @claude - the CLAUDE.md literally says not to use Test Classes but this PR has them.

@claude
Copy link

claude bot commented Feb 7, 2026
edited
Loading

Claude finished @felixweinberger's task in 46s —— View job

Code Review - CLAUDE.md Violations Found

You're absolutely right - I apologize for the incorrect review. This PR does violate CLAUDE.md guidelines.

Issues Found

tests/client/test_auth.py:822-951 - Uses Test classes which violates CLAUDE.md:

  • TestResourceValidation class (lines 822-951)
  • TestRegistrationResponse class (line 953+)

The CLAUDE.md explicitly states:

"Do not use Test prefixed classes, use functions"

And:

"The tests/client/test_client.py is the most well designed test file. Follow its patterns."

Looking at test_client.py, all tests are written as standalone functions like async def test_client_is_initialized(), not as methods inside Test classes.

Additional Issue

tests/client/test_auth.py:890 - The review comment from @Kludex suggests using snapshots instead of manual assertions, which would align better with the patterns in test_client.py (which uses inline_snapshot).

Recommendation

The tests need to be refactored:

  1. Convert TestResourceValidation methods to standalone test functions
  2. Convert TestRegistrationResponse methods to standalone test functions
  3. Consider using inline_snapshot for assertions where appropriate

Would you like me to refactor these test classes into functions following the test_client.py patterns? Fix this →

|

@felixweinberger felixweinberger mentioned this pull request Feb 7, 2026
Draft
@felixweinberger felixweinberger enabled auto-merge (squash) February 7, 2026 14:42
Kludex
Kludex reviewed Feb 7, 2026
View reviewed changes
@felixweinberger
fix: pass conformance auth scenarios, add RFC 8707 resource validation
49865e9 
The conformance test suite was broken by @modelcontextprotocol/conformance@0.1.13
introducing new auth scenarios that require:

1. Pre-registered client credentials from MCP_CONFORMANCE_CONTEXT
2. RFC 8707 resource validation (PRM resource must match server URL)

SDK changes:
- Add _validate_resource_match() to OAuthClientProvider that validates
  the Protected Resource Metadata resource field matches the server URL
  before proceeding with the auth flow
- Add validate_resource_url callback parameter for custom validation

Conformance client changes:
- Pre-load client credentials from MCP_CONFORMANCE_CONTEXT into token
  storage when available, allowing the existing flow to skip DCR when
  pre-registered credentials are present

CI: bump conformance package from 0.1.10 to 0.1.13
@felixweinberger
refactor: convert test class to functions, use snapshots
f711eae 
Address review feedback:
- Convert TestResourceValidation class to standalone test functions
- Use inline_snapshot for assertion values
@felixweinberger
ci: re-enable conformance tests
d56bdbc 
Reverts the disable from #2007 now that the conformance client
supports the new auth scenarios.
@felixweinberger felixweinberger force-pushed the fweinberger/fix-conformance-ci branch from cca61b9 to d56bdbc Compare February 7, 2026 15:12
@felixweinberger felixweinberger merged commit 239d682 into main Feb 9, 2026
29 checks passed
@felixweinberger felixweinberger deleted the fweinberger/fix-conformance-ci branch February 9, 2026 11:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Kludex Kludex Kludex left review comments

@pcarleton pcarleton pcarleton approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@felixweinberger @pcarleton @Kludex