Merge branch 'main' into feat/tasks

Author: LucaButBoring

src/mcp/client/auth/oauth2.py

@@ -506,7 +506,7 @@ async def async_auth_flow(self, request: httpx.Request) -> AsyncGenerator[httpx.
 
                     # Step 3: Apply scope selection strategy
                     self.context.client_metadata.scope = get_client_metadata_scopes(
-                        www_auth_resource_metadata_url,
+                        extract_scope_from_www_auth(response),
                         self.context.protected_resource_metadata,
                         self.context.oauth_metadata,
                     )

src/mcp/client/session_group.py

@@ -11,20 +11,23 @@
 import contextlib
 import logging
 from collections.abc import Callable
+from dataclasses import dataclass
 from datetime import timedelta
 from types import TracebackType
-from typing import Any, TypeAlias
+from typing import Any, TypeAlias, overload
 
 import anyio
 from pydantic import BaseModel
-from typing_extensions import Self
+from typing_extensions import Self, deprecated
 
 import mcp
 from mcp import types
+from mcp.client.session import ElicitationFnT, ListRootsFnT, LoggingFnT, MessageHandlerFnT, SamplingFnT
 from mcp.client.sse import sse_client
 from mcp.client.stdio import StdioServerParameters
 from mcp.client.streamable_http import streamablehttp_client
 from mcp.shared.exceptions import McpError
+from mcp.shared.session import ProgressFnT
 
 
 class SseServerParameters(BaseModel):
@@ -65,6 +68,21 @@ class StreamableHttpParameters(BaseModel):
 ServerParameters: TypeAlias = StdioServerParameters | SseServerParameters | StreamableHttpParameters
 
 
+# Use dataclass instead of pydantic BaseModel
+# because pydantic BaseModel cannot handle Protocol fields.
+@dataclass
+class ClientSessionParameters:
+    """Parameters for establishing a client session to an MCP server."""
+
+    read_timeout_seconds: timedelta | None = None
+    sampling_callback: SamplingFnT | None = None
+    elicitation_callback: ElicitationFnT | None = None
+    list_roots_callback: ListRootsFnT | None = None
+    logging_callback: LoggingFnT | None = None
+    message_handler: MessageHandlerFnT | None = None
+    client_info: types.Implementation | None = None
+
+
 class ClientSessionGroup:
     """Client for managing connections to multiple MCP servers.
 
@@ -172,11 +190,49 @@ def tools(self) -> dict[str, types.Tool]:
         """Returns the tools as a dictionary of names to tools."""
         return self._tools
 
-    async def call_tool(self, name: str, args: dict[str, Any]) -> types.CallToolResult:
+    @overload
+    async def call_tool(
+        self,
+        name: str,
+        arguments: dict[str, Any],
+        read_timeout_seconds: timedelta | None = None,
+        progress_callback: ProgressFnT | None = None,
+        *,
+        meta: dict[str, Any] | None = None,
+    ) -> types.CallToolResult: ...
+
+    @overload
+    @deprecated("The 'args' parameter is deprecated. Use 'arguments' instead.")
+    async def call_tool(
+        self,
+        name: str,
+        *,
+        args: dict[str, Any],
+        read_timeout_seconds: timedelta | None = None,
+        progress_callback: ProgressFnT | None = None,
+        meta: dict[str, Any] | None = None,
+    ) -> types.CallToolResult: ...
+
+    async def call_tool(
+        self,
+        name: str,
+        arguments: dict[str, Any] | None = None,
+        read_timeout_seconds: timedelta | None = None,
+        progress_callback: ProgressFnT | None = None,
+        *,
+        meta: dict[str, Any] | None = None,
+        args: dict[str, Any] | None = None,
+    ) -> types.CallToolResult:
         """Executes a tool given its name and arguments."""
         session = self._tool_to_session[name]
         session_tool_name = self.tools[name].name
-        return await session.call_tool(session_tool_name, args)
+        return await session.call_tool(
+            session_tool_name,
+            arguments if args is None else args,
+            read_timeout_seconds=read_timeout_seconds,
+            progress_callback=progress_callback,
+            meta=meta,
+        )
 
     async def disconnect_from_server(self, session: mcp.ClientSession) -> None:
         """Disconnects from a single MCP server."""
@@ -225,13 +281,16 @@ async def connect_with_session(
     async def connect_to_server(
         self,
         server_params: ServerParameters,
+        session_params: ClientSessionParameters | None = None,
     ) -> mcp.ClientSession:
         """Connects to a single MCP server."""
-        server_info, session = await self._establish_session(server_params)
+        server_info, session = await self._establish_session(server_params, session_params or ClientSessionParameters())
         return await self.connect_with_session(server_info, session)
 
     async def _establish_session(
-        self, server_params: ServerParameters
+        self,
+        server_params: ServerParameters,
+        session_params: ClientSessionParameters,
     ) -> tuple[types.Implementation, mcp.ClientSession]:
         """Establish a client session to an MCP server."""
 
@@ -259,7 +318,20 @@ async def _establish_session(
                 )
                 read, write, _ = await session_stack.enter_async_context(client)
 
-            session = await session_stack.enter_async_context(mcp.ClientSession(read, write))
+            session = await session_stack.enter_async_context(
+                mcp.ClientSession(
+                    read,
+                    write,
+                    read_timeout_seconds=session_params.read_timeout_seconds,
+                    sampling_callback=session_params.sampling_callback,
+                    elicitation_callback=session_params.elicitation_callback,
+                    list_roots_callback=session_params.list_roots_callback,
+                    logging_callback=session_params.logging_callback,
+                    message_handler=session_params.message_handler,
+                    client_info=session_params.client_info,
+                )
+            )
+
             result = await session.initialize()
 
             # Session successfully initialized.

tests/client/test_scope_bug_1630.py

@@ -0,0 +1,166 @@
+"""
+Regression test for issue #1630: OAuth2 scope incorrectly set to resource_metadata URL.
+
+This test verifies that when a 401 response contains both resource_metadata and scope
+in the WWW-Authenticate header, the actual scope is used (not the resource_metadata URL).
+"""
+
+from unittest import mock
+
+import httpx
+import pytest
+from pydantic import AnyUrl
+
+from mcp.client.auth import OAuthClientProvider
+from mcp.shared.auth import OAuthClientInformationFull, OAuthClientMetadata, OAuthToken
+
+
+class MockTokenStorage:
+    """Mock token storage for testing."""
+
+    def __init__(self) -> None:
+        self._tokens: OAuthToken | None = None
+        self._client_info: OAuthClientInformationFull | None = None
+
+    async def get_tokens(self) -> OAuthToken | None:
+        return self._tokens  # pragma: no cover
+
+    async def set_tokens(self, tokens: OAuthToken) -> None:
+        self._tokens = tokens
+
+    async def get_client_info(self) -> OAuthClientInformationFull | None:
+        return self._client_info  # pragma: no cover
+
+    async def set_client_info(self, client_info: OAuthClientInformationFull) -> None:
+        self._client_info = client_info  # pragma: no cover
+
+
+@pytest.mark.anyio
+async def test_401_uses_www_auth_scope_not_resource_metadata_url():
+    """
+    Regression test for #1630: Ensure scope is extracted from WWW-Authenticate header,
+    not the resource_metadata URL.
+
+    When a 401 response contains:
+        WWW-Authenticate: Bearer resource_metadata="https://...", scope="read write"
+
+    The client should use "read write" as the scope, NOT the resource_metadata URL.
+    """
+
+    async def redirect_handler(url: str) -> None:
+        pass  # pragma: no cover
+
+    async def callback_handler() -> tuple[str, str | None]:
+        return "test_auth_code", "test_state"  # pragma: no cover
+
+    client_metadata = OAuthClientMetadata(
+        redirect_uris=[AnyUrl("http://localhost:3030/callback")],
+        client_name="Test Client",
+    )
+
+    provider = OAuthClientProvider(
+        server_url="https://api.example.com/mcp",
+        client_metadata=client_metadata,
+        storage=MockTokenStorage(),
+        redirect_handler=redirect_handler,
+        callback_handler=callback_handler,
+    )
+
+    provider.context.current_tokens = None
+    provider.context.token_expiry_time = None
+    provider._initialized = True
+
+    # Pre-set client info to skip DCR
+    provider.context.client_info = OAuthClientInformationFull(
+        client_id="test_client",
+        redirect_uris=[AnyUrl("http://localhost:3030/callback")],
+    )
+
+    test_request = httpx.Request("GET", "https://api.example.com/mcp")
+    auth_flow = provider.async_auth_flow(test_request)
+
+    # First request (no auth header yet)
+    await auth_flow.__anext__()
+
+    # 401 response with BOTH resource_metadata URL and scope in WWW-Authenticate
+    # This is the key: the bug would use the URL as scope instead of "read write"
+    resource_metadata_url = "https://api.example.com/.well-known/oauth-protected-resource"
+    expected_scope = "read write"
+
+    response_401 = httpx.Response(
+        401,
+        headers={"WWW-Authenticate": (f'Bearer resource_metadata="{resource_metadata_url}", scope="{expected_scope}"')},
+        request=test_request,
+    )
+
+    # Send 401, expect PRM discovery request
+    prm_request = await auth_flow.asend(response_401)
+    assert ".well-known/oauth-protected-resource" in str(prm_request.url)
+
+    # PRM response with scopes_supported (these should be overridden by WWW-Auth scope)
+    prm_response = httpx.Response(
+        200,
+        content=(
+            b'{"resource": "https://api.example.com/mcp", '
+            b'"authorization_servers": ["https://auth.example.com"], '
+            b'"scopes_supported": ["fallback:scope1", "fallback:scope2"]}'
+        ),
+        request=prm_request,
+    )
+
+    # Send PRM response, expect OAuth metadata discovery
+    oauth_metadata_request = await auth_flow.asend(prm_response)
+    assert ".well-known/oauth-authorization-server" in str(oauth_metadata_request.url)
+
+    # OAuth metadata response
+    oauth_metadata_response = httpx.Response(
+        200,
+        content=(
+            b'{"issuer": "https://auth.example.com", '
+            b'"authorization_endpoint": "https://auth.example.com/authorize", '
+            b'"token_endpoint": "https://auth.example.com/token"}'
+        ),
+        request=oauth_metadata_request,
+    )
+
+    # Mock authorization to skip interactive flow
+    provider._perform_authorization_code_grant = mock.AsyncMock(return_value=("test_auth_code", "test_code_verifier"))
+
+    # Send OAuth metadata response, expect token request
+    token_request = await auth_flow.asend(oauth_metadata_response)
+    assert "token" in str(token_request.url)
+
+    # NOW CHECK: The scope should be the WWW-Authenticate scope, NOT the URL
+    # This is where the bug manifested - scope was set to resource_metadata_url
+    actual_scope = provider.context.client_metadata.scope
+
+    # This assertion would FAIL on main (scope would be the URL)
+    # but PASS on the fix branch (scope is "read write")
+    assert actual_scope == expected_scope, (
+        f"Expected scope to be '{expected_scope}' from WWW-Authenticate header, "
+        f"but got '{actual_scope}'. "
+        f"If scope is '{resource_metadata_url}', the bug from #1630 is present."
+    )
+
+    # Verify it's definitely not the URL (explicit check for the bug)
+    assert actual_scope != resource_metadata_url, (
+        f"BUG #1630: Scope was incorrectly set to resource_metadata URL '{resource_metadata_url}' "
+        f"instead of the actual scope '{expected_scope}'"
+    )
+
+    # Complete the flow to properly release the lock
+    token_response = httpx.Response(
+        200,
+        content=b'{"access_token": "test_token", "token_type": "Bearer", "expires_in": 3600}',
+        request=token_request,
+    )
+
+    final_request = await auth_flow.asend(token_response)
+    assert final_request.headers["Authorization"] == "Bearer test_token"
+
+    # Finish the flow
+    final_response = httpx.Response(200, request=final_request)
+    try:
+        await auth_flow.asend(final_response)
+    except StopAsyncIteration:
+        pass

tests/client/test_session_group.py

@@ -5,7 +5,12 @@
 
 import mcp
 from mcp import types
-from mcp.client.session_group import ClientSessionGroup, SseServerParameters, StreamableHttpParameters
+from mcp.client.session_group import (
+    ClientSessionGroup,
+    ClientSessionParameters,
+    SseServerParameters,
+    StreamableHttpParameters,
+)
 from mcp.client.stdio import StdioServerParameters
 from mcp.shared.exceptions import McpError
 
@@ -62,7 +67,7 @@ def hook(name: str, server_info: types.Implementation) -> str:  # pragma: no cov
         # --- Test Execution ---
         result = await mcp_session_group.call_tool(
             name="server1-my_tool",
-            args={
+            arguments={
                 "name": "value1",
                 "args": {},
             },
@@ -73,6 +78,9 @@ def hook(name: str, server_info: types.Implementation) -> str:  # pragma: no cov
         mock_session.call_tool.assert_called_once_with(
             "my_tool",
             {"name": "value1", "args": {}},
+            read_timeout_seconds=None,
+            progress_callback=None,
+            meta=None,
         )
 
     async def test_connect_to_server(self, mock_exit_stack: contextlib.AsyncExitStack):
@@ -329,7 +337,7 @@ async def test_establish_session_parameterized(
                     (
                         returned_server_info,
                         returned_session,
-                    ) = await group._establish_session(server_params_instance)
+                    ) = await group._establish_session(server_params_instance, ClientSessionParameters())
 
                 # --- Assertions ---
                 # 1. Assert the correct specific client function was called
@@ -357,7 +365,17 @@ async def test_establish_session_parameterized(
                 mock_client_cm_instance.__aenter__.assert_awaited_once()
 
                 # 2. Assert ClientSession was called correctly
-                mock_ClientSession_class.assert_called_once_with(mock_read_stream, mock_write_stream)
+                mock_ClientSession_class.assert_called_once_with(
+                    mock_read_stream,
+                    mock_write_stream,
+                    read_timeout_seconds=None,
+                    sampling_callback=None,
+                    elicitation_callback=None,
+                    list_roots_callback=None,
+                    logging_callback=None,
+                    message_handler=None,
+                    client_info=None,
+                )
                 mock_raw_session_cm.__aenter__.assert_awaited_once()
                 mock_entered_session.initialize.assert_awaited_once()