
DCR Handler Requires Both authorization_code and refresh_token Grant Types (RFC 7591 Non-Compliant)

Open gazzadownunder opened this issue 2 months ago • 0 comments

Initial Checks

  • [x] I confirm that I'm using the latest version of MCP Python SDK
  • [x] I confirm that I searched for my issue in https://github.com/modelcontextprotocol/python-sdk/issues before opening this issue

Description

The Dynamic Client Registration (DCR) handler in the MCP Python SDK incorrectly requires both authorization_code and refresh_token grant types during client registration. This contradicts RFC 7591 which states that refresh tokens should be optional.

Current Behavior

The validation in mcp/server/auth/handlers/register.py (lines 71-78) rejects client registrations that don't include both grant types:

# Current check in mcp/server/auth/handlers/register.py: the registration is
# rejected unless grant_types contains BOTH authorization_code and refresh_token.
if not {"authorization_code", "refresh_token"}.issubset(set(client_metadata.grant_types)):
    return PydanticJSONResponse(
        content=RegistrationErrorResponse(
            error="invalid_client_metadata",
            error_description="grant_types must be authorization_code and refresh_token",
        ),
        status_code=400,
    )

This means clients cannot register with only authorization_code as a grant type, even though this should be valid per the OAuth 2.0/2.1 specifications.

Expected Behavior

Per RFC 7591, refresh tokens are optional. The validation should only require authorization_code to be present:

# Proposed check: only authorization_code is mandatory; refresh_token may be
# present or absent, as RFC 7591 allows.
if "authorization_code" not in client_metadata.grant_types:
    return PydanticJSONResponse(
        content=RegistrationErrorResponse(
            error="invalid_client_metadata",
            error_description="grant_types must include 'authorization_code'",
        ),
        status_code=400,
    )

Why This Matters

  1. RFC Compliance: RFC 7591 explicitly states that refresh tokens are optional in OAuth flows
  2. Client Flexibility: Some clients may not need or want refresh token capabilities
  3. Security: Principle of least privilege - clients should only request the grant types they actually need
  4. Interoperability: This restriction may prevent valid OAuth clients from using MCP servers

Proposed Solution

Modify the validation in mcp/server/auth/handlers/register.py to:

  • Only require authorization_code in the grant_types list
  • Allow refresh_token to be optional
  • Update the error message to reflect the correct requirement

Impact

This change would:

  • ✅ Make the MCP SDK compliant with RFC 7591
  • ✅ Allow clients to register with only authorization_code if they don't need refresh tokens
  • ✅ Not break existing clients that register with both grant types
  • ✅ Improve security by allowing clients to request minimal permissions

Additional Context

This issue was originally reported against the fastmcp project: https://github.com/jlowin/fastmcp/issues/2460

The fastmcp project depends on the MCP Python SDK and will need to update its test suite once this fix is implemented.

Affected Files

  • mcp/server/auth/handlers/register.py (lines 71-78)

Python & MCP Python SDK

Python Version: 3.13.1
MCP Python SDK Version: 1.6.0

gazzadownunder avatar Nov 21 '25 23:11 gazzadownunder
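The following is an added example, not code from the MCP Python SDK or from the issue author. It places the check quoted in the issue beside an RFC 7591-aligned version that treats `refresh_token` as optional, applies the RFC 7591 defaults (`grant_types` defaults to `["authorization_code"]`, `response_types` to `["code"]`), rejects grant types the server does not implement, and checks the `authorization_code` / `code` pairing from RFC 7591 section 2.1. It also shows the other half of the least-privilege argument: once a client can register without `refresh_token`, the token endpoint must not mint refresh tokens for that client and must refuse its `refresh_token` grant requests. All names (`current_check`, `proposed_check`, `token_response_for`, `RegistrationError`, `SUPPORTED_GRANT_TYPES`) and the registration metadata are constructed for this example.

```python
"""Added example (not the SDK's code): RFC 7591 grant_types validation for a
DCR endpoint, with the issue's current check next to a compliant one, plus the
matching token-endpoint policy. All names here are illustrative."""
import secrets
from dataclasses import dataclass
from typing import Optional

# RFC 7591 section 2: if grant_types is omitted, the client uses only
# authorization_code; if response_types is omitted, it uses only "code".
DEFAULT_GRANT_TYPES = ["authorization_code"]
DEFAULT_RESPONSE_TYPES = ["code"]

# Grant types this hypothetical MCP-style server actually implements.
SUPPORTED_GRANT_TYPES = {"authorization_code", "refresh_token"}

# RFC 7591 section 2.1: a client using authorization_code must also be able
# to use the "code" response type.
GRANT_TO_RESPONSE_TYPE = {"authorization_code": "code"}


@dataclass(frozen=True)
class RegistrationError:
    error: str  # RFC 7591 section 3.2.2 error code
    error_description: str


def current_check(metadata: dict) -> Optional[RegistrationError]:
    """The check the issue quotes: both grant types are mandatory, so a client
    registering with only authorization_code is rejected."""
    grant_types = metadata.get("grant_types", DEFAULT_GRANT_TYPES)
    if not {"authorization_code", "refresh_token"}.issubset(set(grant_types)):
        return RegistrationError(
            "invalid_client_metadata",
            "grant_types must be authorization_code and refresh_token",
        )
    return None


def proposed_check(metadata: dict) -> Optional[RegistrationError]:
    """RFC 7591-aligned check: authorization_code required, refresh_token
    optional, unsupported grant types and an inconsistent response_types
    list rejected."""
    grant_types = list(metadata.get("grant_types", DEFAULT_GRANT_TYPES))
    if not grant_types:
        return RegistrationError("invalid_client_metadata", "grant_types must not be empty")
    unsupported = set(grant_types) - SUPPORTED_GRANT_TYPES
    if unsupported:
        return RegistrationError(
            "invalid_client_metadata",
            f"unsupported grant_types: {sorted(unsupported)}",
        )
    if "authorization_code" not in grant_types:
        return RegistrationError(
            "invalid_client_metadata",
            "grant_types must include 'authorization_code'",
        )
    response_types = set(metadata.get("response_types", DEFAULT_RESPONSE_TYPES))
    for grant, response_type in GRANT_TO_RESPONSE_TYPE.items():
        if grant in grant_types and response_type not in response_types:
            return RegistrationError(
                "invalid_client_metadata",
                f"grant type '{grant}' requires response type '{response_type}'",
            )
    return None


def token_response_for(registered_grant_types: list, requested_grant: str) -> dict:
    """Token-endpoint policy that honours what the client registered: a grant
    the client did not register is refused (RFC 6749 section 5.2
    unauthorized_client), and a refresh token is only issued to clients that
    registered the refresh_token grant type. Token values are random
    placeholders for the example."""
    if requested_grant not in registered_grant_types:
        return {"error": "unauthorized_client"}
    response = {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}
    if "refresh_token" in registered_grant_types:
        response["refresh_token"] = secrets.token_urlsafe(32)
    return response


if __name__ == "__main__":
    # Constructed registration request: a client that wants no refresh tokens.
    code_only = {"grant_types": ["authorization_code"], "response_types": ["code"]}
    print("current check :", current_check(code_only))
    print("proposed check:", proposed_check(code_only))
    print("token issued  :", token_response_for(code_only["grant_types"], "authorization_code"))
```

Running the block shows the quoted check rejecting the `authorization_code`-only registration with `invalid_client_metadata`, the proposed check accepting it, and the token endpoint issuing an access token with no `refresh_token` field for that client. The point of `token_response_for` is that loosening registration alone is not enough for the least-privilege argument in the issue: the grant types a client registered have to be enforced at the token endpoint as well, otherwise a client that declined refresh tokens still receives them.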