|
33 | 33 | - [Completions](#completions) |
34 | 34 | - [Elicitation](#elicitation) |
35 | 35 | - [Authentication](#authentication) |
36 | | - - [Token Introspection](#token-introspection) |
37 | 36 | - [Running Your Server](#running-your-server) |
38 | 37 | - [Development Mode](#development-mode) |
39 | 38 | - [Claude Desktop Integration](#claude-desktop-integration) |
|
45 | 44 | - [Advanced Usage](#advanced-usage) |
46 | 45 | - [Low-Level Server](#low-level-server) |
47 | 46 | - [Writing MCP Clients](#writing-mcp-clients) |
48 | | - - [OAuth Authentication for Clients](#oauth-authentication-for-clients) |
49 | | - - [Client Credentials Grant](#client-credentials-grant) |
50 | 47 | - [MCP Primitives](#mcp-primitives) |
51 | 48 | - [Server Capabilities](#server-capabilities) |
52 | 49 | - [Documentation](#documentation) |
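Review bot: The TOC entry `[OAuth Authentication for Clients](#oauth-authentication-for-clients)` is dropped in this hunk, but no hunk in this commit removes a section with that heading; the later hunk under "Writing MCP Clients" removes only `### Client Credentials Grant`. If the OAuth client section is still in the README, keep its TOC line and drop only the `Client Credentials Grant` entry, otherwise the section is no longer reachable from the table of contents.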
@@ -463,39 +460,6 @@ For a complete example with separate Authorization Server and Resource Server im |
463 | 460 |
|
464 | 461 | See [TokenVerifier](src/mcp/server/auth/provider.py) for more details on implementing token validation. |
465 | 462 |
|
466 | | -### Token Introspection |
467 | | - |
468 | | -The SDK provides `IntrospectionTokenVerifier` for servers that validate |
469 | | -tokens via an OAuth 2.0 introspection endpoint. This verifier performs |
470 | | -an HTTP POST to the configured endpoint and checks the returned token |
471 | | -metadata. When combined with the `--oauth-strict` flag in the example |
472 | | -server, it also enforces RFC 8707 resource validation. |
473 | | - |
474 | | -```python |
475 | | -from examples.servers.simple_auth.token_verifier import IntrospectionTokenVerifier |
476 | | -from mcp.server.fastmcp import FastMCP |
477 | | -from mcp.server.auth.settings import AuthSettings |
478 | | - |
479 | | -verifier = IntrospectionTokenVerifier( |
480 | | - introspection_endpoint="http://localhost:9000/introspect", |
481 | | - server_url="http://localhost:8001", |
482 | | - validate_resource=True, # same as --oauth-strict |
483 | | -) |
484 | | - |
485 | | -app = FastMCP( |
486 | | - "MCP Resource Server", |
487 | | - token_verifier=verifier, |
488 | | - auth=AuthSettings( |
489 | | - issuer_url="http://localhost:9000", |
490 | | - resource_server_url="http://localhost:8001", |
491 | | - required_scopes=["mcp:read"], |
492 | | - ), |
493 | | -) |
494 | | -``` |
495 | | - |
496 | | -See [`examples/servers/simple-auth/`](examples/servers/simple-auth/) for a full |
497 | | -demonstration. |
498 | | - |
499 | 463 | ## Running Your Server |
500 | 464 |
|
501 | 465 | ### Development Mode |
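Review bot: Deleting the whole `### Token Introspection` section also removes the description of RFC 8707 resource validation (`validate_resource=True`, `--oauth-strict`), leaving only the `TokenVerifier` link in the context line above. If the introspection verifier still exists under `examples/servers/simple-auth/`, keep a one-sentence pointer to it and to the resource check, so readers writing their own `TokenVerifier` know to validate the token's resource. The removed snippet imported from `examples.servers.simple_auth.token_verifier` while the linked directory is `examples/servers/simple-auth/`; if that mismatch was the reason for the removal, say so in the commit message, or fix the path instead of dropping the section.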
@@ -1125,30 +1089,6 @@ async def main(): |
1125 | 1089 |
|
1126 | 1090 | For a complete working example, see [`examples/clients/simple-auth-client/`](examples/clients/simple-auth-client/). |
1127 | 1091 |
|
1128 | | -### Client Credentials Grant |
1129 | | - |
1130 | | -Machine clients that do not require a user interaction can authenticate using |
1131 | | -the OAuth2 *client credentials* grant. Use `ClientCredentialsProvider` to |
1132 | | -obtain and refresh access tokens automatically. |
1133 | | - |
1134 | | -```python |
1135 | | -from mcp.client.auth import ClientCredentialsProvider, OAuthClientMetadata |
1136 | | - |
1137 | | -auth = ClientCredentialsProvider( |
1138 | | - server_url="https://api.example.com", |
1139 | | - client_metadata=OAuthClientMetadata( |
1140 | | - client_name="My Machine Client", |
1141 | | - grant_types=["client_credentials"], |
1142 | | - ), |
1143 | | - storage=CustomTokenStorage(), |
1144 | | -) |
1145 | | -``` |
1146 | | - |
1147 | | -`TokenExchangeProvider` builds on this to implement the RFC 8693 |
1148 | | -`token_exchange` grant when you need to exchange an existing user token for an |
1149 | | -MCP token. |
1150 | | - |
1151 | | - |
1152 | 1092 | ### MCP Primitives |
1153 | 1093 |
|
1154 | 1094 | The MCP protocol defines three core primitives that servers can implement: |
|
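Review bot: The removed `### Client Credentials Grant` section is the only place in these lines that documents `ClientCredentialsProvider` and `TokenExchangeProvider`. If `ClientCredentialsProvider` is still exported from `mcp.client.auth`, this leaves it undocumented; if both classes were removed from the SDK, the commit message should say so. Should the section be restored in any form, the snippet's `storage=CustomTokenStorage()` needs a definition or a pointer to one, since the example never defines it.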