
feat: reject auth servers lacking S256 PKCE support#955

Open
DaleSeo wants to merge 1 commit into main from fix/oauth-pkce-enforcement

Conversation

@DaleSeo (Member) commented Jul 4, 2026

Motivation and Context

The client always sends an S256 PKCE challenge, but when the server's metadata advertised code_challenge_methods_supported without S256, validate_server_metadata only warned and continued. So rmcp would start a flow the server can't complete and fail confusingly mid-exchange. It now returns AuthError::PkceUnsupported up front for that case, matching the TypeScript SDK. A server that omits the field entirely is still allowed by default, and callers wanting the stricter spec behavior can opt in with set_require_pkce_support(true).

How Has This Been Tested?

New unit tests cover the matrix.

Breaking Changes

None. Only a behavioral change.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

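The check the PR describes, written out as a stand-alone model (this is an added example, not rmcp's own code; the names ServerMetadata, PkcePolicy, AuthError::PkceUnsupported and set_require_pkce_support echo the PR text but are assumptions about the real API, and the issuer URL and metadata inputs are constructed for the demo). It covers the four-case matrix: S256 listed, S256 absent from a present list, an empty list, and the field omitted, with the omitted case governed by the opt-in strict flag.

```rust
// Added example (not rmcp's own code): a stand-alone model of the PKCE
// capability check described in the PR. Type and method names are
// assumptions that mirror the PR text, not the real rmcp API.
use std::fmt;

/// The only challenge method this client ever sends (RFC 7636 "S256").
pub const PKCE_METHOD: &str = "S256";

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum AuthError {
    /// The server cannot complete an S256 PKCE flow. `advertised` carries the
    /// server's list (if it sent one) so the error message is actionable.
    PkceUnsupported { advertised: Option<Vec<String>> },
}

impl fmt::Display for AuthError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            AuthError::PkceUnsupported { advertised: Some(m) } => write!(
                f,
                "authorization server does not support PKCE method {} (advertised: {:?})",
                PKCE_METHOD, m
            ),
            AuthError::PkceUnsupported { advertised: None } => write!(
                f,
                "authorization server metadata omits code_challenge_methods_supported"
            ),
        }
    }
}

impl std::error::Error for AuthError {}

/// Subset of RFC 8414 authorization server metadata relevant to this check.
#[derive(Debug, Clone, Default)]
pub struct ServerMetadata {
    pub issuer: String,
    /// `None` models a server that omits the field entirely;
    /// `Some(vec![])` models a server that sends an empty list.
    pub code_challenge_methods_supported: Option<Vec<String>>,
}

/// Client-side policy knob. Default: tolerate a missing field.
#[derive(Debug, Clone, Copy, Default)]
pub struct PkcePolicy {
    require_pkce_support: bool,
}

impl PkcePolicy {
    pub fn set_require_pkce_support(&mut self, required: bool) -> &mut Self {
        self.require_pkce_support = required;
        self
    }

    /// Decide up front whether an S256 flow can succeed against this server.
    ///
    /// The client never downgrades to `plain`: a server that lists only
    /// `plain` is rejected, because a `plain` challenge is the verifier
    /// itself and gives anyone who intercepts the authorization code
    /// everything needed to redeem it.
    pub fn validate_server_metadata(&self, md: &ServerMetadata) -> Result<(), AuthError> {
        match &md.code_challenge_methods_supported {
            // Field present: S256 must be listed. Match is exact and
            // case-sensitive, as the registered method names are.
            Some(methods) => {
                if methods.iter().any(|m| m.as_str() == PKCE_METHOD) {
                    Ok(())
                } else {
                    Err(AuthError::PkceUnsupported { advertised: Some(methods.clone()) })
                }
            }
            // Field absent: rejected only under the strict opt-in.
            None if self.require_pkce_support => {
                Err(AuthError::PkceUnsupported { advertised: None })
            }
            None => {
                eprintln!(
                    "warning: {} omits code_challenge_methods_supported; assuming S256 works",
                    md.issuer
                );
                Ok(())
            }
        }
    }
}

/// Build constructed sample metadata for the demo and tests.
pub fn md(issuer: &str, methods: Option<&[&str]>) -> ServerMetadata {
    ServerMetadata {
        issuer: issuer.to_string(),
        code_challenge_methods_supported: methods
            .map(|m| m.iter().map(|s| s.to_string()).collect()),
    }
}

fn main() {
    let lenient = PkcePolicy::default();
    let mut strict = PkcePolicy::default();
    strict.set_require_pkce_support(true);

    // Constructed inputs; "https://as.example" is a placeholder issuer.
    let cases = [
        ("lists S256", md("https://as.example", Some(&["S256", "plain"]))),
        ("plain only", md("https://as.example", Some(&["plain"]))),
        ("empty list", md("https://as.example", Some(&[]))),
        ("field omitted", md("https://as.example", None)),
    ];
    for (label, m) in &cases {
        println!(
            "{:>14}: default={:?} strict={:?}",
            label,
            lenient.validate_server_metadata(m).map_err(|e| e.to_string()),
            strict.validate_server_metadata(m).map_err(|e| e.to_string())
        );
    }
}
```

The one design point worth keeping in mind when porting this into a real client: the rejection happens before the authorization request is built, so a misconfigured server produces a single clear PkceUnsupported error instead of a failed token exchange after the user has already consented.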
@github-actions Bot added labels T-core (Core library changes) and T-transport (Transport layer changes) on Jul 4, 2026
@DaleSeo force-pushed the fix/oauth-pkce-enforcement branch from 9029a36 to d46e287 on July 4, 2026 00:28
@DaleSeo self-assigned this on Jul 4, 2026
@DaleSeo marked this pull request as ready for review on July 4, 2026 00:40
@DaleSeo requested a review from a team as a code owner on July 4, 2026 00:40
@DaleSeo force-pushed the fix/oauth-pkce-enforcement branch from d46e287 to f59dd43 on July 4, 2026 00:45

Labels: T-core (Core library changes), T-transport (Transport layer changes)
