feat: add multi-level initial access token support for OAuth 2.0 Dynamic Client Registration (RFC 7591) #1154

Open: wants to merge 3 commits into base: main

andormarkus

Add Initial Access Token Support for OAuth 2.0 Dynamic Client Registration (RFC 7591)

Summary

Implements initial access token support for OAuth 2.0 Dynamic Client Registration as specified in RFC 7591. This enables clients to register with protected OAuth endpoints that require initial access tokens.

Changes

Core Implementation

  • Add initial_access_token parameter to OAuthClientProvider constructor
  • Add initial_access_token() method for custom token retrieval logic
  • Implement multi-level fallback system for token resolution
  • Add Authorization Bearer header to registration requests when token available
  • Add OAUTH_INITIAL_ACCESS_TOKEN environment variable support

Fallback Priority Order

  1. Explicit initial_access_token parameter (highest priority)
  2. Provider's initial_access_token() method
  3. OAUTH_INITIAL_ACCESS_TOKEN environment variable
  4. No token (existing behavior)

Testing & Documentation

  • Comprehensive test coverage for all fallback scenarios
  • Updated README.md with usage examples and Initial Access Tokens section
  • Updated simple-auth-client example documentation
  • Full backward compatibility maintained

Usage

# Explicit token
oauth_auth = OAuthClientProvider(
    server_url="https://api.example.com",
    client_metadata=client_metadata,
    storage=storage,
    redirect_handler=redirect_handler,
    callback_handler=callback_handler,
    initial_access_token="your-token"
)

# Environment variable
# Set OAUTH_INITIAL_ACCESS_TOKEN=your-token

# Custom provider method
class CustomOAuthProvider(OAuthClientProvider):
    async def initial_access_token(self) -> str | None:
        return await get_token_from_secure_store()

Testing

  • ✅ All existing tests pass
  • ✅ New initial access token tests: 6/6 passing
  • ✅ Auth module tests: 44 passed, 1 xfailed
  • ✅ No regressions

Breaking Changes

None. Fully backward compatible.

Other

MCP TypeScript SDK PR - modelcontextprotocol/typescript-sdk#773

…egistration (RFC 7591)

- Add initial_access_token parameter to OAuthClientProvider constructor
- Implement multi-level fallback for token resolution:
  1. Explicit parameter (highest priority)
  2. Provider method (initial_access_token())
  3. Environment variable (OAUTH_INITIAL_ACCESS_TOKEN)
  4. No token (existing behavior)
- Add Authorization Bearer header to registration requests when token available
- Add comprehensive test coverage for all fallback scenarios
- Update documentation with usage examples and configuration details
- Maintain full backward compatibility with existing OAuth flows

This enables clients to register with protected OAuth endpoints that require
initial access tokens per RFC 7591 Dynamic Client Registration specification.

andormarkus changed the title from "Add Initial Access Token Support for OAuth 2.0 Dynamic Client Registration (RFC 7591)" to "feat: add multi-level initial access token support for OAuth 2.0 Dynamic Client Registration (RFC 7591)" on Jul 16, 2025
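
The fallback order described in this PR, sketched as an added example; this is not the SDK's code and not part of the PR. The names `resolve_initial_access_token`, `registration_headers` and `_usable` are hypothetical, and treating blank values as absent and rejecting whitespace or control characters are assumptions of the sketch, not behaviour the PR states.

```python
import asyncio
import os
from typing import Awaitable, Callable, Mapping, Optional, Tuple

ENV_VAR = "OAUTH_INITIAL_ACCESS_TOKEN"  # variable name from the PR description


def _usable(token: Optional[str]) -> Optional[str]:
    """Assumption: None/blank means 'not configured', so resolution falls through."""
    if token is None or not token.strip():
        return None
    token = token.strip()
    # Refuse whitespace or control characters so a token read from the
    # environment or a store cannot smuggle extra header lines (CR/LF).
    if any(ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in token):
        raise ValueError("initial access token is not a valid Bearer value")
    return token


async def resolve_initial_access_token(
    explicit: Optional[str],
    provider_method: Optional[Callable[[], Awaitable[Optional[str]]]],
    environ: Mapping[str, str] = os.environ,
) -> Tuple[Optional[str], str]:
    """Return (token, source) using the PR's priority order."""
    token = _usable(explicit)                      # 1. explicit parameter
    if token:
        return token, "explicit"
    if provider_method is not None:                # 2. provider method
        token = _usable(await provider_method())
        if token:
            return token, "provider"
    token = _usable(environ.get(ENV_VAR))          # 3. environment variable
    if token:
        return token, "environment"
    return None, "none"                            # 4. unauthenticated registration


def registration_headers(token: Optional[str]) -> dict:
    """Headers for the registration POST; Authorization only when a token exists."""
    headers = {"Content-Type": "application/json"}
    if token is not None:
        headers["Authorization"] = f"Bearer {token}"
    return headers


if __name__ == "__main__":
    async def from_store():  # constructed stand-in for a secret-store lookup
        return "store-token"
    tok, src = asyncio.run(resolve_initial_access_token(None, from_store, {}))
    print(src, sorted(registration_headers(tok)))  # log source and header names only
```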
2 participants