3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-08-02 00:10:45 +02:00
Code Issues Projects Releases Packages Wiki Activity

mcp: client registration/token fixes (#5649)

Browse source 
## Summary

Fixes to MCP code registration and token requests. 

1. ease some requirements on fields that are RECOMMENDED 
2. fill in defaults
3. store both request and response in the client registration
4. check client secret in the /token request

## Related issues

- Fixes
https://linear.app/pomerium/issue/ENG-2462/mcp-ignore-unknown-grant-types-in-the-client-registration
- Fixes
https://linear.app/pomerium/issue/ENG-2461/mcp-support-client-secret-in-dynamic-client-registration
 
## User Explanation

<!-- How would you explain this change to the user? If this
change doesn't create any user-facing changes, you can leave
this blank. If filled out, add the `docs` label -->

## Checklist

- [x] reference any related issues
- [x] updated unit tests
- [x] add appropriate label (`enhancement`, `bug`, `breaking`,
`dependencies`, `ci`)
- [ ] ready for review
This commit is contained in:
Denis Mishin 2025-06-11 08:28:24 -07:00 committed by GitHub
parent 200f2e8164
commit 777b3b12d2
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
20 changed files with 1440 additions and 461 deletions
Download patch file Download diff file Expand all files Collapse all files

48
internal/oauth21/token_test.go Normal file
View file

@ -0,0 +1,48 @@
package oauth21_test
import (
"net/http"
"net/url"
"strings"
"testing"
"github.com/stretchr/testify/require"
"github.com/pomerium/pomerium/internal/oauth21"
)
func TestParseTokenRequest_BasicAuth(t *testing.T) {
form := url.Values{}
form.Set("grant_type", "authorization_code")
form.Set("code", "abc")
req, err := http.NewRequest(http.MethodPost, "/token", strings.NewReader(form.Encode()))
require.NoError(t, err)
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
req.SetBasicAuth("myclient", "secret")
tr, err := oauth21.ParseTokenRequest(req)
require.NoError(t, err)
require.NotNil(t, tr.ClientId)
require.Equal(t, "myclient", *tr.ClientId)
require.NotNil(t, tr.ClientSecret)
require.Equal(t, "secret", *tr.ClientSecret)
}
func TestParseTokenRequest_BasicAuthWithBodyOverride(t *testing.T) {
form := url.Values{}
form.Set("grant_type", "authorization_code")
form.Set("code", "abc")
form.Set("client_id", "bodyid")
form.Set("client_secret", "bodysecret")
req, err := http.NewRequest(http.MethodPost, "/token", strings.NewReader(form.Encode()))
require.NoError(t, err)
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
req.SetBasicAuth("basicid", "basicsecret")
tr, err := oauth21.ParseTokenRequest(req)
require.NoError(t, err)
require.NotNil(t, tr.ClientId)
require.Equal(t, "bodyid", *tr.ClientId) // body should win
require.NotNil(t, tr.ClientSecret)
require.Equal(t, "bodysecret", *tr.ClientSecret)
}