Skip to content

Add conformance auth server for OAuth server authentication testing#1855

Draft
pcarleton wants to merge 3 commits intomainfrom
pcarleton/conformance-auth-server
Draft

Add conformance auth server for OAuth server authentication testing#1855
pcarleton wants to merge 3 commits intomainfrom
pcarleton/conformance-auth-server

Conversation

@pcarleton
Copy link
Member

@pcarleton pcarleton commented Jan 14, 2026
edited
Loading

Summary

Adds a new example server that implements OAuth bearer token authentication for use with the MCP conformance test framework's server auth tests (see modelcontextprotocol/conformance#105).

What's New

  • New server: examples/servers/conformance-auth-server/
    • Returns 401 with WWW-Authenticate header for unauthenticated requests
    • Serves Protected Resource Metadata at /.well-known/oauth-protected-resource
    • Uses OAuth 2.0 Token Introspection (RFC 7662) to validate tokens against the authorization server
    • Implements echo and test-tool tools for testing authenticated calls

Token Validation

The server validates tokens using proper token introspection:

  1. Discovers the introspection endpoint from AS metadata
  2. Calls the introspection endpoint with the Bearer token
  3. Returns AccessToken if active=true, rejects otherwise

This ensures proper integration with the authorization server rather than relying on hardcoded token patterns.

Usage

# Run the server
MCP_CONFORMANCE_AUTH_SERVER_URL=http://localhost:3000 \
  uv run --directory examples/servers/conformance-auth-server mcp-conformance-auth-server

# Run with conformance tests
npx @modelcontextprotocol/conformance server --suite auth \
  --auth-command 'uv run --directory examples/servers/conformance-auth-server mcp-conformance-auth-server'

Testing

Tested against conformance PR #105 - all 18 checks pass:

=== SUMMARY ===
✓ server-auth/basic-dcr-flow: 18 passed, 0 failed

@pcarleton
Add conformance auth server for OAuth server authentication testing
327930f 
Adds a new example server that implements OAuth bearer token authentication
for use with the MCP conformance test framework's server auth tests.

The server:
- Returns 401 with WWW-Authenticate header for unauthenticated requests
- Serves Protected Resource Metadata at /.well-known/oauth-protected-resource
- Validates tokens starting with 'test-token' or 'cc-token'
- Implements echo and test-tool tools for testing authenticated calls

Usage:
  MCP_CONFORMANCE_AUTH_SERVER_URL=http://localhost:3000 \
    uv run mcp-conformance-auth-server
@pcarleton
Update uv.lock for conformance-auth-server
a5c7e7c
@pcarleton
Use token introspection instead of hardcoded token validation
ca0c774 
Replace the hardcoded token prefix validation with OAuth 2.0 Token
Introspection (RFC 7662). The server now:
- Discovers the introspection endpoint from AS metadata
- Calls the introspection endpoint to validate each token
- Extracts client_id, scopes, and expiry from the response

This properly integrates with the authorization server rather than
relying on hardcoded token patterns.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@pcarleton