test: update unit test

Author: challenger71498

tests/server/fastmcp/auth/test_auth_integration.py

@@ -1117,7 +1117,7 @@ async def test_wrong_auth_method_without_valid_credentials_fails(
         )
 
         # Try to use Basic auth when client_secret_post is registered (without secret in body)
-        # This should fail because the secret is missing from the expected location
+        # This should fail despite that credentials are provided via Basic auth, because the method is wrong
 
         credentials = f"{client_info['client_id']}:{client_info['client_secret']}"
         encoded_credentials = base64.b64encode(credentials.encode()).decode()
@@ -1138,7 +1138,7 @@ async def test_wrong_auth_method_without_valid_credentials_fails(
         error_response = response.json()
         # RFC 6749: authentication failures return "invalid_client"
         assert error_response["error"] == "invalid_client"
-        assert "Client secret is required" in error_response["error_description"]
+        assert "Expected client_secret_post authentication method" in error_response["error_description"]
 
     @pytest.mark.anyio
     async def test_basic_auth_without_header_fails(
@@ -1183,7 +1183,7 @@ async def test_basic_auth_without_header_fails(
         error_response = response.json()
         # RFC 6749: authentication failures return "invalid_client"
         assert error_response["error"] == "invalid_client"
-        assert "Missing or invalid Basic authentication" in error_response["error_description"]
+        assert "Expected client_secret_basic authentication method" in error_response["error_description"]
 
     @pytest.mark.anyio
     async def test_basic_auth_invalid_base64_fails(
@@ -1279,10 +1279,10 @@ async def test_basic_auth_no_colon_fails(
         assert "Invalid Basic authentication header" in error_response["error_description"]
 
     @pytest.mark.anyio
-    async def test_basic_auth_client_id_mismatch_fails(
+    async def test_basic_auth_takes_precedence(
         self, test_client: httpx.AsyncClient, mock_oauth_provider: MockOAuthProvider, pkce_challenge: dict[str, str]
     ):
-        """Test that client_id mismatch between body and Basic auth fails."""
+        """Test that even client_id at body is invalid, Basic auth passes because of the priority."""
         client_metadata = {
             "redirect_uris": ["https://client.example.com/callback"],
             "client_name": "Basic Auth Client",
@@ -1308,23 +1308,21 @@ async def test_basic_auth_client_id_mismatch_fails(
         # Send different client_id in Basic auth header
         import base64
 
-        wrong_creds = base64.b64encode(f"wrong-client-id:{client_info['client_secret']}".encode()).decode()
+        creds = base64.b64encode(f"{client_info['client_id']}:{client_info['client_secret']}".encode()).decode()
         response = await test_client.post(
             "/token",
-            headers={"Authorization": f"Basic {wrong_creds}"},
+            headers={"Authorization": f"Basic {creds}"},
             data={
                 "grant_type": "authorization_code",
-                "client_id": client_info["client_id"],  # Correct client_id in body
+                "client_id": "wrong-client-id",  # Wrong client_id in body
                 "code": auth_code,
                 "code_verifier": pkce_challenge["code_verifier"],
                 "redirect_uri": "https://client.example.com/callback",
             },
         )
-        assert response.status_code == 401
-        error_response = response.json()
-        # RFC 6749: authentication failures return "invalid_client"
-        assert error_response["error"] == "invalid_client"
-        assert "Client ID mismatch" in error_response["error_description"]
+
+        # Header takes precedence, so this should succeed
+        assert response.status_code == 200
 
     @pytest.mark.anyio
     async def test_basic_auth_without_client_id_at_body(