
@AnkeshThakur AnkeshThakur commented Oct 14, 2025

Fix RFC 6749 compliance: return invalid_client error for client authentication failures instead of unauthorized_client.

This fixes #1480

Motivation and Context

The token endpoint returns an incorrect error code when client authentication fails (wrong credentials, unknown client_id). Per RFC 6749 Section 5.2:

  • invalid_client = Client authentication failed
  • unauthorized_client = Client authenticated successfully but not authorized for grant type

Current code incorrectly returns unauthorized_client when catching AuthenticationError, which represents authentication failure, not authorization failure.

How Has This Been Tested?

  • All existing auth integration tests pass (33 tests)
  • Used forked repo to test the behavior with fastmcp

Breaking Changes

Clients would receive invalid_client instead of unauthorized_client, with the same HTTP status code. In scenarios where a client changes its behavior based on the error code, a breaking change is expected. If the client already follows RFC 6749, it should not be impacted.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Additional context

The implementation advertises: token_endpoint_auth_methods_supported=["client_secret_post"]

This means clients authenticate by including credentials in the request body (form parameters), not via HTTP Basic Authentication.

The RFC states:

The authorization server responds with an HTTP 400 (Bad Request) status code (unless specified otherwise) and includes the following parameters with the response... If the client attempted to authenticate via the "Authorization" request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code and include the "WWW-Authenticate" response header field.

Since only form-based authentication (client_secret_post) is supported and no Authorization headers are processed, the HTTP 400 status code for the token endpoint should be acceptable.
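The distinction the PR draws (authentication failure versus an authenticated client asking for a grant type it is not allowed), together with the RFC's 400-versus-401 rule, as an added, self-contained Python example. This is not the MCP SDK's code or the PR's diff: the `CLIENTS` registry, `TokenRequest`, `AuthenticationError`, `UnauthorizedGrantError` and the handler names are assumptions made for illustration. It accepts both `client_secret_post` (form body) and HTTP Basic so the header case can be shown; a server that only advertises `client_secret_post`, as described above, would take the 400 path.

```python
"""Token-endpoint error mapping per RFC 6749 Section 5.2 (illustrative, not the SDK's code)."""
from __future__ import annotations

import base64
import hmac
from dataclasses import dataclass, field

# Constructed client registry (assumption: clients keyed by client_id).
CLIENTS = {
    "mcp-client": {
        "client_secret": "s3cret",
        "grant_types": ["authorization_code", "refresh_token"],
    },
}


class AuthenticationError(Exception):
    """Client could not be authenticated (unknown id, bad secret, missing credentials)."""


class UnauthorizedGrantError(Exception):
    """Client authenticated, but is not allowed to use the requested grant type."""


@dataclass
class TokenRequest:
    """Minimal stand-in for an HTTP POST to the token endpoint."""
    form: dict[str, str]
    headers: dict[str, str] = field(default_factory=dict)


def basic_header(client_id: str, secret: str) -> str:
    """Build an HTTP Basic Authorization value (client_secret_basic)."""
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()


def _credentials(req: TokenRequest) -> tuple[str | None, str | None, bool]:
    """Return (client_id, client_secret, used_authorization_header).

    client_secret_post carries credentials in the form body; HTTP Basic is
    parsed too so the RFC's 401 + WWW-Authenticate rule can be exercised.
    """
    auth = req.headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            decoded = base64.b64decode(auth[len("Basic "):], validate=True).decode()
            cid, _, secret = decoded.partition(":")
            return cid, secret, True
        except (ValueError, UnicodeDecodeError):
            return None, None, True
    return req.form.get("client_id"), req.form.get("client_secret"), False


def authenticate_client(req: TokenRequest) -> dict:
    """Raise AuthenticationError unless the request proves who the client is."""
    client_id, secret, _ = _credentials(req)
    client = CLIENTS.get(client_id or "")
    if client is None or secret is None:
        raise AuthenticationError("unknown client or missing credentials")
    # Constant-time comparison so secret checks do not leak via timing.
    if not hmac.compare_digest(secret.encode(), client["client_secret"].encode()):
        raise AuthenticationError("bad client secret")
    return client


def handle_token_request(req: TokenRequest) -> tuple[int, dict[str, str], dict]:
    """Return (status, headers, json_body) following RFC 6749 Section 5.2."""
    _, _, used_header = _credentials(req)
    try:
        client = authenticate_client(req)
        grant_type = req.form.get("grant_type", "")
        if grant_type not in client["grant_types"]:
            raise UnauthorizedGrantError(grant_type)
    except AuthenticationError as exc:
        # Authentication failed -> invalid_client, never unauthorized_client.
        body = {"error": "invalid_client", "error_description": str(exc)}
        if used_header:
            # Header-based attempt: RFC requires 401 plus WWW-Authenticate.
            return 401, {"WWW-Authenticate": 'Basic realm="token"'}, body
        return 400, {}, body
    except UnauthorizedGrantError as exc:
        # Authenticated, but this grant type is not permitted -> unauthorized_client.
        return 400, {}, {
            "error": "unauthorized_client",
            "error_description": f"grant_type {exc} not permitted for this client",
        }
    # Constructed success response; a real server would mint a token here.
    return 200, {}, {"access_token": "constructed-opaque-token", "token_type": "Bearer"}
```

Call `handle_token_request` with a `TokenRequest` whose form holds `client_id`/`client_secret`/`grant_type`; a bad secret yields `invalid_client` with 400, the same credentials with an unpermitted `grant_type` yield `unauthorized_client`, and a bad secret sent via `basic_header(...)` yields 401 with `WWW-Authenticate`.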
