
feat (auth): add sep-2207 client checks #166

Draft
wdawson wants to merge 1 commit into modelcontextprotocol:main from ArcadeAI:feat/sep-2207

Conversation


@wdawson wdawson commented Feb 24, 2026

Add SEP-2207 (OIDC Refresh Token Guidance) conformance tests as a draft suite

Motivation and Context

SEP-2207 adds normative guidance for MCP clients around offline_access scope and refresh_token grant type handling when interacting with OIDC authorization servers. This PR adds conformance tests for the client-side requirements, so SDK authors can validate their implementations against the draft spec.

Server-side guidance (SHOULD NOT include offline_access in PRM/WWW-Authenticate) depends on #105 and #155.

How Has This Been Tested?

  • All tests pass locally
  • Draft scenarios tested against the TypeScript everything-client (3 scenarios, 32 checks, 0 failures)
  • Draft scenarios tested against the Python SDK conformance client (modelcontextprotocol/python-sdk)
  • Verified draft scenarios are excluded from tier scoring via the existing isTierScoring() filtering
  • Verified spec-version isolation: draft scenarios only appear under specVersions: ['draft']
  • Negative path: confirmed clients that don't implement SEP-2207 get INFO/WARNING (not FAILURE) for MAY/SHOULD checks, and FAILURE for MUST NOT violations

Breaking Changes

None. Draft scenarios are non-scoring and only run when explicitly requested via --suite draft or --spec-version draft.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Additional context

New scenarios:

Scenario: auth/offline-access-scope
  Checks: sep-2207-client-metadata-grant-types, sep-2207-offline-access-requested
  Description: AS advertises offline_access in scopes_supported. Verifies client includes refresh_token in grant_types (SHOULD, via DCR or CIMD) and requests offline_access scope (MAY).

Scenario: auth/offline-access-not-supported
  Checks: sep-2207-offline-access-not-requested
  Description: AS does not advertise offline_access. Verifies client does not request it (MUST NOT).

Also moved auth/resource-mismatch from authScenariosList to draftScenariosList — it already had specVersions: ['draft'] but was incorrectly in the tier-required list.

Design decisions:

  • CIMD grant_types check is attempted in stop() (async) by fetching the client_id URL. Falls back to INFO if URL is unreachable (e.g., fake CIMD URLs in test environments).
  • Handles DCR, CIMD, and pre-registered client paths gracefully — checks what it can, emits INFO for what it can't verify.
  • Requesting offline_access when AS doesn't support it is FAILURE (unsupported scope), not WARNING.

AI Disclosure: AI assisted with implementation and test authoring. All changes were reviewed and guided by hand.
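
The client-side checks this PR describes, written out as a standalone TypeScript function so the severity mapping can be tried offline. This is an added illustration, not code from the conformance suite or from this PR. The check ids and the mapping (a satisfied MAY or SHOULD and an unverifiable metadata source as INFO, an unmet SHOULD as WARNING, a MUST NOT violation as FAILURE) follow the description above; the type shapes, the function name checkSep2207Client, the treatment of a missing scopes_supported as "not advertised", and the sample inputs at the bottom are assumptions.

```typescript
// Added example: a standalone re-implementation of the SEP-2207 client checks
// as the PR description lays them out. Not the conformance suite's own code;
// type shapes and the function name are assumptions.

type Severity = "INFO" | "WARNING" | "FAILURE";

interface CheckResult {
  id: string;
  severity: Severity;
  message: string;
}

// Subset of RFC 8414 authorization server metadata the checks look at.
interface AuthServerMetadata {
  scopes_supported?: string[];
}

// Client metadata as captured from a DCR registration request (RFC 7591) or
// fetched from a CIMD client_id URL. Pass undefined when the client is
// pre-registered or the CIMD document could not be fetched.
interface ClientMetadata {
  grant_types?: string[];
}

// The part of the authorization request the checks need.
interface AuthorizationRequest {
  scope?: string; // space-delimited, per RFC 6749 section 3.3
}

function requestedScopes(req: AuthorizationRequest): Set<string> {
  return new Set((req.scope ?? "").split(" ").filter((s) => s.length > 0));
}

function checkSep2207Client(
  asMeta: AuthServerMetadata,
  client: ClientMetadata | undefined,
  req: AuthorizationRequest,
): CheckResult[] {
  const results: CheckResult[] = [];
  // Assumption: an absent scopes_supported is treated as "not advertised".
  const advertised = (asMeta.scopes_supported ?? []).includes("offline_access");
  const requested = requestedScopes(req).has("offline_access");

  if (!advertised) {
    // MUST NOT: request a scope the AS does not advertise. An unsupported
    // scope is a FAILURE, not a WARNING.
    results.push({
      id: "sep-2207-offline-access-not-requested",
      severity: requested ? "FAILURE" : "INFO",
      message: requested
        ? "client requested offline_access but the AS does not advertise it (MUST NOT)"
        : "client did not request offline_access",
    });
    return results;
  }

  // SHOULD: client metadata lists refresh_token in grant_types. RFC 7591
  // defaults an omitted grant_types to ["authorization_code"], so an omitted
  // field does not declare refresh_token either.
  if (client === undefined) {
    results.push({
      id: "sep-2207-client-metadata-grant-types",
      severity: "INFO",
      message: "client metadata unavailable (pre-registered or CIMD URL unreachable); grant_types not verified",
    });
  } else if ((client.grant_types ?? []).includes("refresh_token")) {
    results.push({
      id: "sep-2207-client-metadata-grant-types",
      severity: "INFO",
      message: "client metadata includes refresh_token in grant_types",
    });
  } else {
    results.push({
      id: "sep-2207-client-metadata-grant-types",
      severity: "WARNING",
      message: "client SHOULD include refresh_token in grant_types",
    });
  }

  // MAY: client requests offline_access when the AS advertises it.
  results.push({
    id: "sep-2207-offline-access-requested",
    severity: "INFO",
    message: requested ? "client requested offline_access" : "client did not request offline_access (MAY)",
  });
  return results;
}

// Constructed sample inputs (not captured traffic).
const sampleAs: AuthServerMetadata = { scopes_supported: ["openid", "offline_access"] };
const sampleClient: ClientMetadata = { grant_types: ["authorization_code", "refresh_token"] };
const sampleReq: AuthorizationRequest = { scope: "openid offline_access" };
console.log(JSON.stringify(checkSep2207Client(sampleAs, sampleClient, sampleReq), null, 2));
```

The early return on the not-advertised branch mirrors the two scenarios in the table: only one check id is emitted when the AS omits offline_access, and only the two "advertised" check ids otherwise, so a client that never heard of SEP-2207 collects INFO and at most one WARNING unless it asks for a scope the AS did not offer.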
