🤝 fix: Respect Server Token Endpoint Auth Method Preference in MCP OAuth (danny-avila#12052)

* fix(mcp): respect server's token endpoint auth method preference order

* fix(mcp): update token endpoint auth method to client_secret_basic

* fix(mcp): correct auth method to client_secret_basic in OAuth handler

* test(mcp): add tests for OAuth client registration method selection based on server preferences

* refactor(mcp): extract and implement token endpoint auth methods into separate utility functions

- Moved token endpoint authentication method logic from the MCPOAuthHandler to new utility functions in methods.ts for better organization and reusability.
- Added tests for the new methods to ensure correct behavior in selecting and resolving authentication methods based on server preferences and token exchange methods.
- Updated MCPOAuthHandler to utilize the new utility functions, improving code clarity and maintainability.

* chore(mcp): remove redundant comments in OAuth handler

- Cleaned up the MCPOAuthHandler by removing unnecessary comments related to authentication methods, improving code readability and maintainability.

* refactor(mcp): update supported auth methods to use ReadonlySet for better performance

- Changed the SUPPORTED_AUTH_METHODS from an array to a ReadonlySet for improved lookup efficiency.
- Enhanced the logic in selectRegistrationAuthMethod to prioritize credential-based methods and handle cases where the server advertises 'none' correctly, ensuring compliance with RFC 7591.

* test(mcp): add tests for selectRegistrationAuthMethod to handle 'none' and empty array cases

- Introduced new test cases to ensure selectRegistrationAuthMethod correctly prioritizes credential-based methods over 'none' when listed first or before other methods.
- Added a test to verify that an empty token_endpoint_auth_methods_supported returns undefined, adhering to RFC 8414.

* refactor(mcp): streamline authentication method handling in OAuth handler

- Simplified the logic for determining the authentication method by consolidating checks into a single function call.
- Removed redundant checks for supported auth methods, enhancing code clarity and maintainability.
- Updated the request header and body handling based on the resolved authentication method.

* fix(mcp): ensure compliance with RFC 6749 by removing credentials from body when using client_secret_basic

- Updated the MCPOAuthHandler to delete client_id and client_secret from body parameters when using the client_secret_basic authentication method, ensuring adherence to RFC 6749 §2.3.1.

* test(mcp): add tests for OAuth flow handling of client_secret_basic and client_secret_post methods

- Introduced new test cases to verify that the MCPOAuthHandler correctly removes client_id and client_secret from the request body when using client_secret_basic.
- Added tests to ensure proper handling of client_secret_post and none authentication methods, confirming that the correct parameters are included or excluded based on the specified method.
- Enhanced the test suite for completeOAuthFlow to cover various scenarios, ensuring compliance with OAuth 2.0 specifications.

* test(mcp): enhance tests for selectRegistrationAuthMethod and resolveTokenEndpointAuthMethod

- Added new test cases to verify the selection of the first supported credential method from a mixed list in selectRegistrationAuthMethod.
- Included tests to ensure resolveTokenEndpointAuthMethod correctly ignores unsupported preferred methods and handles empty tokenAuthMethods, returning undefined as expected.
- Improved test coverage for various scenarios in the OAuth flow, ensuring compliance with relevant specifications.

---------

Co-authored-by: Dustin Healy <54083382+dustinhealy@users.noreply.github.com>

Author: danny-avila

packages/api/src/mcp/__tests__/handler.test.ts

@@ -1,3 +1,4 @@
+import { TokenExchangeMethodEnum } from 'librechat-data-provider';
 import type { MCPOptions } from 'librechat-data-provider';
 import type { AuthorizationServerMetadata } from '@modelcontextprotocol/sdk/shared/auth.js';
 import { MCPOAuthFlowMetadata, MCPOAuthHandler, MCPOAuthTokens } from '~/mcp/oauth';
@@ -898,7 +899,7 @@ describe('MCPOAuthHandler - Configurable OAuth Metadata', () => {
     it('passes headers to client registration', async () => {
       mockRegisterClient.mockImplementation(async (_, options) => {
         await options.fetchFn?.('http://example.com/register', {});
-        return { client_id: 'test', redirect_uris: [] };
+        return { client_id: 'test', redirect_uris: [], logo_uri: undefined, tos_uri: undefined };
       });
 
       await MCPOAuthHandler.initiateOAuthFlow(
@@ -993,6 +994,308 @@ describe('MCPOAuthHandler - Configurable OAuth Metadata', () => {
     });
   });
 
+  describe('Fetch wrapper client_secret_basic body cleanup', () => {
+    const originalFetch = global.fetch;
+    const mockFetch = jest.fn() as unknown as jest.MockedFunction<typeof fetch>;
+
+    beforeEach(() => {
+      jest.clearAllMocks();
+      global.fetch = mockFetch;
+    });
+
+    afterEach(() => {
+      mockFetch.mockClear();
+    });
+
+    afterAll(() => {
+      global.fetch = originalFetch;
+    });
+
+    it('should remove client_id and client_secret from body when using client_secret_basic via completeOAuthFlow', async () => {
+      const mockFlowManager = {
+        getFlowState: jest.fn().mockResolvedValue({
+          status: 'PENDING',
+          metadata: {
+            serverName: 'test-server',
+            serverUrl: 'https://example.com/mcp',
+            codeVerifier: 'test-verifier',
+            clientInfo: {
+              client_id: 'test-client-id',
+              client_secret: 'test-client-secret',
+              redirect_uris: ['http://localhost:3080/api/mcp/test-server/oauth/callback'],
+              token_endpoint_auth_method: 'client_secret_basic',
+            },
+            metadata: {
+              issuer: 'https://example.com',
+              authorization_endpoint: 'https://example.com/authorize',
+              token_endpoint: 'https://example.com/token',
+              response_types_supported: ['code'],
+              token_endpoint_auth_methods_supported: ['client_secret_basic'],
+            },
+          } as MCPOAuthFlowMetadata,
+        }),
+        completeFlow: jest.fn(),
+      } as unknown as FlowStateManager<MCPOAuthTokens>;
+
+      mockExchangeAuthorization.mockImplementation(async (_, options) => {
+        const body = new URLSearchParams({
+          grant_type: 'authorization_code',
+          code: 'test-auth-code',
+          client_id: 'test-client-id',
+          client_secret: 'test-client-secret',
+        });
+        await options.fetchFn?.('https://example.com/token', {
+          method: 'POST',
+          body,
+        });
+        return { access_token: 'test-token', token_type: 'Bearer', expires_in: 3600 };
+      });
+
+      await MCPOAuthHandler.completeOAuthFlow('test-flow', 'test-auth-code', mockFlowManager, {});
+
+      const callArgs = mockFetch.mock.calls[0];
+      const sentBody = callArgs[1]?.body as string;
+      expect(sentBody).not.toContain('client_id=');
+      expect(sentBody).not.toContain('client_secret=');
+
+      const sentHeaders = callArgs[1]?.headers as Headers;
+      expect(sentHeaders.get('Authorization')).toMatch(/^Basic /);
+    });
+  });
+
+  describe('completeOAuthFlow auth method propagation', () => {
+    const originalFetch = global.fetch;
+    const mockFetch = jest.fn() as unknown as jest.MockedFunction<typeof fetch>;
+
+    beforeEach(() => {
+      jest.clearAllMocks();
+      global.fetch = mockFetch;
+    });
+
+    afterEach(() => {
+      mockFetch.mockClear();
+    });
+
+    afterAll(() => {
+      global.fetch = originalFetch;
+    });
+
+    it('should use client_secret_post when clientInfo specifies that method', async () => {
+      const mockFlowManager = {
+        getFlowState: jest.fn().mockResolvedValue({
+          status: 'PENDING',
+          metadata: {
+            serverName: 'test-server',
+            serverUrl: 'https://example.com/mcp',
+            codeVerifier: 'test-verifier',
+            clientInfo: {
+              client_id: 'test-client-id',
+              client_secret: 'test-client-secret',
+              redirect_uris: ['http://localhost:3080/api/mcp/test-server/oauth/callback'],
+              token_endpoint_auth_method: 'client_secret_post',
+            },
+            metadata: {
+              issuer: 'https://example.com',
+              authorization_endpoint: 'https://example.com/authorize',
+              token_endpoint: 'https://example.com/token',
+              response_types_supported: ['code'],
+              token_endpoint_auth_methods_supported: ['client_secret_post'],
+            },
+          } as MCPOAuthFlowMetadata,
+        }),
+        completeFlow: jest.fn(),
+      } as unknown as FlowStateManager<MCPOAuthTokens>;
+
+      mockExchangeAuthorization.mockImplementation(async (_, options) => {
+        const body = new URLSearchParams({
+          grant_type: 'authorization_code',
+          code: 'test-auth-code',
+        });
+        await options.fetchFn?.('https://example.com/token', {
+          method: 'POST',
+          body,
+        });
+        return { access_token: 'test-token', token_type: 'Bearer', expires_in: 3600 };
+      });
+
+      await MCPOAuthHandler.completeOAuthFlow('test-flow', 'test-auth-code', mockFlowManager, {});
+
+      const callArgs = mockFetch.mock.calls[0];
+      const sentBody = callArgs[1]?.body as string;
+      expect(sentBody).toContain('client_id=test-client-id');
+      expect(sentBody).toContain('client_secret=test-client-secret');
+
+      const sentHeaders = callArgs[1]?.headers as Headers;
+      expect(sentHeaders.has('Authorization')).toBe(false);
+    });
+
+    it('should use none auth when clientInfo has no secret', async () => {
+      const mockFlowManager = {
+        getFlowState: jest.fn().mockResolvedValue({
+          status: 'PENDING',
+          metadata: {
+            serverName: 'test-server',
+            serverUrl: 'https://example.com/mcp',
+            codeVerifier: 'test-verifier',
+            clientInfo: {
+              client_id: 'test-client-id',
+              redirect_uris: ['http://localhost:3080/api/mcp/test-server/oauth/callback'],
+              token_endpoint_auth_method: 'none',
+            },
+            metadata: {
+              issuer: 'https://example.com',
+              authorization_endpoint: 'https://example.com/authorize',
+              token_endpoint: 'https://example.com/token',
+              response_types_supported: ['code'],
+              token_endpoint_auth_methods_supported: ['none'],
+            },
+          } as MCPOAuthFlowMetadata,
+        }),
+        completeFlow: jest.fn(),
+      } as unknown as FlowStateManager<MCPOAuthTokens>;
+
+      mockExchangeAuthorization.mockImplementation(async (_, options) => {
+        const body = new URLSearchParams({
+          grant_type: 'authorization_code',
+          code: 'test-auth-code',
+        });
+        await options.fetchFn?.('https://example.com/token', {
+          method: 'POST',
+          body,
+        });
+        return { access_token: 'test-token', token_type: 'Bearer', expires_in: 3600 };
+      });
+
+      await MCPOAuthHandler.completeOAuthFlow('test-flow', 'test-auth-code', mockFlowManager, {});
+
+      const callArgs = mockFetch.mock.calls[0];
+      const sentBody = callArgs[1]?.body as string;
+      expect(sentBody).toContain('client_id=test-client-id');
+      expect(sentBody).not.toContain('client_secret=');
+
+      const sentHeaders = callArgs[1]?.headers as Headers;
+      expect(sentHeaders.has('Authorization')).toBe(false);
+    });
+  });
+
+  describe('refreshOAuthTokens with forced token_exchange_method', () => {
+    const originalFetch = global.fetch;
+    const mockFetch = jest.fn() as unknown as jest.MockedFunction<typeof fetch>;
+
+    beforeEach(() => {
+      jest.clearAllMocks();
+      global.fetch = mockFetch;
+    });
+
+    afterEach(() => {
+      mockFetch.mockClear();
+    });
+
+    afterAll(() => {
+      global.fetch = originalFetch;
+    });
+
+    it('should force client_secret_post even when server advertises client_secret_basic', async () => {
+      const metadata = {
+        serverName: 'test-server',
+        serverUrl: 'https://auth.example.com',
+        clientInfo: {
+          client_id: 'test-client-id',
+          client_secret: 'test-client-secret',
+          token_endpoint_auth_method: 'client_secret_basic',
+        },
+      };
+
+      mockDiscoverAuthorizationServerMetadata.mockResolvedValueOnce({
+        issuer: 'https://auth.example.com',
+        authorization_endpoint: 'https://auth.example.com/oauth/authorize',
+        token_endpoint: 'https://auth.example.com/oauth/token',
+        token_endpoint_auth_methods_supported: ['client_secret_basic'],
+        response_types_supported: ['code'],
+        jwks_uri: 'https://auth.example.com/.well-known/jwks.json',
+        subject_types_supported: ['public'],
+        id_token_signing_alg_values_supported: ['RS256'],
+      } as AuthorizationServerMetadata);
+
+      mockFetch.mockResolvedValueOnce({
+        ok: true,
+        json: async () => ({
+          access_token: 'new-access-token',
+          refresh_token: 'new-refresh-token',
+          expires_in: 3600,
+        }),
+      } as Response);
+
+      await MCPOAuthHandler.refreshOAuthTokens('refresh-token', metadata, {}, {
+        token_exchange_method: TokenExchangeMethodEnum.DefaultPost,
+      } as MCPOptions['oauth']);
+
+      expect(mockFetch).toHaveBeenCalledWith(
+        'https://auth.example.com/oauth/token',
+        expect.objectContaining({
+          method: 'POST',
+          headers: expect.not.objectContaining({
+            Authorization: expect.any(String),
+          }),
+        }),
+      );
+
+      const callArgs = mockFetch.mock.calls[0];
+      const body = callArgs[1]?.body as URLSearchParams;
+      expect(body.toString()).toContain('client_id=test-client-id');
+      expect(body.toString()).toContain('client_secret=test-client-secret');
+    });
+  });
+
+  describe('revokeOAuthToken with empty auth methods', () => {
+    const originalFetch = global.fetch;
+    const mockFetch = jest.fn() as unknown as jest.MockedFunction<typeof fetch>;
+
+    beforeEach(() => {
+      jest.clearAllMocks();
+      global.fetch = mockFetch;
+    });
+
+    afterEach(() => {
+      mockFetch.mockClear();
+    });
+
+    afterAll(() => {
+      global.fetch = originalFetch;
+    });
+
+    it('should send no client credentials when revocationEndpointAuthMethodsSupported is empty', async () => {
+      const metadata = {
+        serverUrl: 'https://auth.example.com',
+        clientId: 'test-client-id',
+        clientSecret: 'test-client-secret',
+        revocationEndpoint: 'https://auth.example.com/oauth/revoke',
+        revocationEndpointAuthMethodsSupported: [] as string[],
+      };
+
+      mockFetch.mockResolvedValueOnce({
+        ok: true,
+        status: 200,
+      } as Response);
+
+      await MCPOAuthHandler.revokeOAuthToken('test-server', 'test-token', 'access', metadata);
+
+      expect(mockFetch).toHaveBeenCalledWith(
+        expect.any(URL),
+        expect.objectContaining({
+          headers: expect.not.objectContaining({
+            Authorization: expect.any(String),
+          }),
+        }),
+      );
+
+      const callArgs = mockFetch.mock.calls[0];
+      const body = callArgs[1]?.body as string;
+      expect(body).not.toContain('client_id=');
+      expect(body).not.toContain('client_secret=');
+    });
+  });
+
   describe('Fallback OAuth Metadata (Legacy Server Support)', () => {
     const originalFetch = global.fetch;
     const mockFetch = jest.fn();
@@ -1020,6 +1323,8 @@ describe('MCPOAuthHandler - Configurable OAuth Metadata', () => {
         client_id: 'dynamic-client-id',
         client_secret: 'dynamic-client-secret',
         redirect_uris: ['http://localhost:3080/api/mcp/test-server/oauth/callback'],
+        logo_uri: undefined,
+        tos_uri: undefined,
       });
 
       // Mock startAuthorization to return a successful response