Skip to content

fix(oauth): do not treat empty secret as valid for public clients #443

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Sep 22, 2025
Merged

fix(oauth): do not treat empty secret as valid for public clients #443

merged 1 commit into from
Sep 22, 2025

Conversation

@mathetake
Copy link
Contributor

@mathetake mathetake commented Sep 17, 2025
edited
Loading

This fixes the oauth's client registration portion where we should treat empty client secret as invalid. The rationale is pretty much written in the code comment.

Motivation and Context

This will expand the support for more auth servers.

How Has This Been Tested?

This makes Goose work with some public IdP providers such as https://app.descope.com

Breaking Changes

N/A

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Additional context

The following is the example client registration response to the request made by Goose where the client_secret field is present vs its value is empty string.

{
  "audienceWhitelist": [],
  "client_id": "aaaaaaaaaaaaaaaaaaaa=",
  "client_id_issued_at": 1758140791,
  "client_name": "MCP Client",
  "client_secret": "",
  "client_secret_expires_at": 0,
  "description": "",
  "grant_types": [
    "authorization_code",
    "refresh_token"
  ],
  "jwt_bearer_settings": null,
  "login_page_url": "https://api.descope.com/login/aaaaaaaaaaaaaaaaaaaa?flow=inbound-apps-user-consent",
  "redirect_uris": [
    "http://localhost:54641/oauth_callback"
  ],
  "response_types": [
    "code"
  ],
  "scope": "",
  "session_settings": null,
  "token_endpoint_auth_method": "none"
}

@github-actions github-actions bot added T-core Core library changes T-transport Transport layer changes labels Sep 17, 2025
@jokemanfire jokemanfire merged commit 4c8f5ba into modelcontextprotocol:main Sep 22, 2025
11 checks passed
@github-actions github-actions bot mentioned this pull request Sep 22, 2025
Closed
@mathetake mathetake deleted the clientregisteration branch September 22, 2025 04:17
@jamadeo jamadeo mentioned this pull request Sep 24, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jokemanfire jokemanfire jokemanfire approved these changes

Assignees

No one assigned

Labels

T-core Core library changes T-transport Transport layer changes

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mathetake @jokemanfire