fix(auth): accept empty optional OAuth client metadata URLs

[mrutunjay-kinagi]

Summary

• normalize empty-string optional URL fields in OAuthClientMetadata to None before URL validation
• keep existing URL validation rules for non-empty values
• add a regression test for empty client_uri/logo_uri/tos_uri/policy_uri/jwks_uri inputs

Why

Fixes validation failures when auth servers emit empty strings for optional client metadata URL fields.

Closes #1665

Validation

• pytest -q tests/client/test_auth.py -k "empty_optional_uris"
• ruff check src/mcp/shared/auth.py tests/client/test_auth.py
• ruff format --check src/mcp/shared/auth.py tests/client/test_auth.py

[mrutunjay-kinagi]

Follow-up pushed in e9a78ec to fix the pre-commit failure by validating the empty-URI fixture via (runtime path) instead of passing empty strings directly to typed constructor params.

[mrutunjay-kinagi]

Follow-up pushed in e9a78ec to fix the pre-commit pyright failure.

Change made:

• Updated the empty-URI regression test to use OAuthClientMetadata.model_validate({...}) so empty strings are exercised through runtime validation without violating static constructor type checks.

[mrutunjay-kinagi]

All checks are now passing on the latest commit (e9a78ec).

Ready for maintainer review when you have bandwidth. Thanks!

[Kludex]

Where in the RFC it says that empty is not valid?

[mrutunjay-kinagi]

Good question.

The RFC language we based this on is RFC 7591 §2 for these fields (client_uri, logo_uri, tos_uri, policy_uri, jwks_uri):

• they are optional metadata fields,
• but if present they are "URL string" fields and "MUST point to a valid ..." target.

Examples from §2:

• client_uri: "MUST point to a valid web page"
• logo_uri: "MUST point to a valid image file"
• tos_uri/policy_uri: "MUST point to a valid web page"
• jwks_uri: "MUST point to a valid JWK Set document"

So this change is not treating "" as a valid URL. It normalizes empty-string placeholders to None (effectively omitted) before URL validation, which keeps the RFC "if present, must be valid" rule while improving interop with providers that emit empty strings for optional fields.

[Kludex]

Link please.

[mrutunjay-kinagi]

Absolutely — here are the direct references:

• RFC 7591, Section 2 (Client Metadata): https://www.rfc-editor.org/rfc/rfc7591#section-2
• Datatracker view (same section): https://datatracker.ietf.org/doc/html/rfc7591#section-2

In that section, for these optional fields (client_uri, logo_uri, tos_uri, policy_uri, jwks_uri), the text says that if present they are URL strings and must point to valid targets (web page/image/JWK set).

[Kludex]

I don't think this needs any fixing. The client side sending empty string in a field is the wrong behavior.