Implement SEP-990 Enterprise Managed OAuth #1721
Open
+1,681
−0
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…naged Auth support. - Written unit test cases for client and server implementation of the enterprise managed auth code.
…/extensions/enterprise_managed_auth.py 232->235, 304->307. - Resolved pre-commit errors.
felixweinberger
added
auth
maxisbey
requested changes
Dec 9, 2025
Contributor
maxisbey
left a comment
maxisbey
left a comment
There was a problem hiding this comment.
Unless I was missing something,
Comment on lines
+20
to
+22
| # ============================================================================ | ||
| # Data Models | ||
| # ============================================================================ |
Comment on lines
+169
to
+170
| redirect_handler: Any = None, | ||
| callback_handler: Any = None, |
Contributor
There was a problem hiding this comment.
Can these please be correctly typed
Comment on lines
+217
to
+224
| token_data = { | ||
| "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange", | ||
| "requested_token_type": self.token_exchange_params.requested_token_type, | ||
| "audience": self.token_exchange_params.audience, | ||
| "resource": self.token_exchange_params.resource, | ||
| "subject_token": self.token_exchange_params.subject_token, | ||
| "subject_token_type": self.token_exchange_params.subject_token_type, | ||
| } |
Contributor
There was a problem hiding this comment.
could this be typed, either a BaseModel or a TypedDict. (@Kludex would you have a preference here?)
Comment on lines
+356
to
+358
| # ============================================================================ | ||
| # Helper Functions | ||
| # ============================================================================ |
| Note: | ||
| For verification, use server-side validation instead. | ||
| """ | ||
| import jwt |
Comment on lines
+152
to
+154
| # ============================================================================ | ||
| # Tests for TokenExchangeResponse | ||
| # ============================================================================ |
Comment on lines
+188
to
+190
| # ============================================================================ | ||
| # Tests for IDJAGClaims | ||
| # ============================================================================ |
| # ============================================================================ | ||
|
|
||
|
|
||
| def decode_id_jag(id_jag: str, verify: bool = False) -> IDJAGClaims: |
|
|
||
| **Example Usage:** | ||
|
|
||
| ```python |
Contributor
There was a problem hiding this comment.
Can this instead be put in the snippets folder and then use the scripts/update_readme_snippets.py script to update the README accordingly.
Contributor
There was a problem hiding this comment.
- Need to explain how to use the access token once you get it.
- How does this work when the client ID is expired?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR implements the client-side components of SEP-990: Enterprise Managed Authorization. It introduces the
EnterpriseAuthOAuthClientProviderto handle the full token exchange flow required for Enterprise SSO, including RFC 8693 (Token Exchange) and RFC 7523 (JWT Bearer Grant).Motivation and Context
Implements: SEP-990
To support enterprise environments where direct API keys are not compliant, the Python SDK needs to support "Managed Authorization." This implementation allows the SDK to:
This aligns the Python SDK with the architecture defined in the SEP-990 implementation guide.
Implementation Details
The following components have been added to
src/mcp/client/auth/extensions/enterprise_managed_auth.py:TokenExchangeParametersandTokenExchangeResponseusing Pydantic to strictly type the exchange payloads.EnterpriseAuthOAuthClientProvider, which extends the baseOAuthClientProviderto orchestrate the exchange logic.urn:ietf:params:oauth:token-type:id-jagtoken types.How Has This Been Tested?
I have implemented comprehensive unit tests in
tests/client/auth/test_enterprise_managed_auth_client.pyusingpytestandunittest.mock.The testing suite covers the following scenarios:
Data Model Validation:
TokenExchangeParameterscorrectly generates requests for both OIDC ID Tokens (test_token_exchange_params_from_id_token) and SAML Assertions (test_token_exchange_params_from_saml_assertion).RFC 8693 Token Exchange Logic:
httpxto verify the correct payload structure (grant types, token types) is sent to the IdP.client_idandclient_secretare correctly injected into the request body when configured (test_exchange_token_with_client_authentication).RFC 7523 JWT Bearer Grant Logic:
Network Edge Cases:
httpx.ConnectError,httpx.ReadTimeout) to ensureOAuthTokenErroris raised with descriptive messages.Breaking Changes
No.
This is an additive extension. The core
OAuthClientProviderremains backward compatible. Only users specifically importing and usingEnterpriseAuthOAuthClientProviderwill be affected.Types of changes
Checklist
Additional context
pydanticfor model validation andhttpxfor async requests.src/mcp/client/auth/extensions/).