fix: retrieve client_id first then compare auth method

challenger71498 · challenger71498 · commit 85ce44b8ee8c · 2026-01-11T19:01:43.000+09:00
Retrieve client_id from auth header or the body, then retrieve client via that client_id.

After that, compare auth method.
diff --git a/src/mcp/server/auth/middleware/client_auth.py b/src/mcp/server/auth/middleware/client_auth.py
@@ -60,61 +60,33 @@ async def authenticate_request(self, request: Request) -> OAuthClientInformation
         Raises:
             AuthenticationError: If authentication fails
         """
-        form_data = await request.form()
-        client_id = form_data.get("client_id")
-        if not client_id:
-            raise AuthenticationError("Missing client_id")
-
-        client = await self.provider.get_client(str(client_id))
+        client_credentials = await self._get_credentials(request)
+        client = await self.provider.get_client(str(client_credentials.client_id))
         if not client:
             raise AuthenticationError("Invalid client_id")  # pragma: no cover
 
-        request_client_secret: str | None = None
-        auth_header = request.headers.get("Authorization", "")
-
-        if client.token_endpoint_auth_method == "client_secret_basic":
-            if not auth_header.startswith("Basic "):
-                raise AuthenticationError("Missing or invalid Basic authentication in Authorization header")
-
-            try:
-                encoded_credentials = auth_header[6:]  # Remove "Basic " prefix
-                decoded = base64.b64decode(encoded_credentials).decode("utf-8")
-                if ":" not in decoded:
-                    raise ValueError("Invalid Basic auth format")
-                basic_client_id, request_client_secret = decoded.split(":", 1)
-
-                # URL-decode both parts per RFC 6749 Section 2.3.1
-                basic_client_id = unquote(basic_client_id)
-                request_client_secret = unquote(request_client_secret)
-
-                if basic_client_id != client_id:
-                    raise AuthenticationError("Client ID mismatch in Basic auth")
-            except (ValueError, UnicodeDecodeError, binascii.Error):
-                raise AuthenticationError("Invalid Basic authentication header")
-
-        elif client.token_endpoint_auth_method == "client_secret_post":
-            raw_form_data = form_data.get("client_secret")
-            # form_data.get() can return a UploadFile or None, so we need to check if it's a string
-            if isinstance(raw_form_data, str):
-                request_client_secret = str(raw_form_data)
-
-        elif client.token_endpoint_auth_method == "none":
-            request_client_secret = None
-        else:
-            raise AuthenticationError(  # pragma: no cover
-                f"Unsupported auth method: {client.token_endpoint_auth_method}"
-            )
+        match client.token_endpoint_auth_method:
+            case "client_secret_basic":
+                if client_credentials.auth_method != "client_secret_basic":
+                    raise AuthenticationError(f"Expected client_secret_basic authentication method, but got {client_credentials.auth_method}")
+            case "client_secret_post":
+                if client_credentials.auth_method != "client_secret_post":
+                    raise AuthenticationError(f"Expected client_secret_post authentication method, but got {client_credentials.auth_method}")
+            case "none":
+                pass
+            case _:
+                raise AuthenticationError(f"Unsupported auth method: {client.token_endpoint_auth_method}")  # pragma: no cover
 
         # If client from the store expects a secret, validate that the request provides
         # that secret
         if client.client_secret:  # pragma: no branch
-            if not request_client_secret:
+            if not client_credentials.client_secret:
                 raise AuthenticationError("Client secret is required")  # pragma: no cover
 
             # hmac.compare_digest requires that both arguments are either bytes or a `str` containing
             # only ASCII characters. Since we do not control `request_client_secret`, we encode both
             # arguments to bytes.
-            if not hmac.compare_digest(client.client_secret.encode(), request_client_secret.encode()):
+            if not hmac.compare_digest(client.client_secret.encode(), client_credentials.client_secret.encode()):
                 raise AuthenticationError("Invalid client_secret")  # pragma: no cover
 
             if client.client_secret_expires_at and client.client_secret_expires_at < int(time.time()):
