[WIP] Add OAuth client_credentials grant for machine-to-machine auth#188

Open
jancurn wants to merge 2 commits into main from claude/check-oauth-support-UCq66

@jancurn jancurn commented Apr 17, 2026

Summary

  • Adds --grant client-credentials to mcpc login for non-interactive M2M authentication (MCP extension spec)
  • Tokens are re-issued automatically when they expire — no browser, no user interaction
  • Client ID and secret are stored in the OS keychain; token endpoint is cached in the profile

Usage

mcpc login mcp.example.com --grant client-credentials \
  --client-id my-service --client-secret "$SECRET" \
  [--scope "tools:read"] [--token-endpoint https://auth.example.com/token]

mcpc connect mcp.example.com @svc
mcpc @svc tools-list

Changes

New files

  • src/lib/auth/client-credentials-flow.ts — discovers token endpoint, POSTs grant_type=client_credentials, persists credentials + tokens to keychain, writes profile metadata

Modified files

  • src/lib/auth/oauth-utils.ts — new requestClientCredentialsToken() function
  • src/lib/auth/oauth-token-manager.ts — grantType option (refresh_token | client_credentials); re-issues tokens via client credentials when refresh token is absent
  • src/lib/auth/token-refresh.ts — handles authType: 'oauth-client-credentials' profiles
  • src/lib/types.ts — AuthProfile.authType union expanded; AuthCredentials IPC extended with grantType, clientSecret, scope, tokenEndpoint, accessTokenExpiresAt
  • src/bridge/index.ts — bridge initializes token manager in client_credentials mode; persists re-issued tokens to keychain
  • src/lib/bridge-manager.ts — forwards client secret, token endpoint, scope, and grant type to bridge via IPC
  • src/lib/bridge-client.ts — sendAuthCredentials now uses the AuthCredentials type directly
  • src/cli/commands/auth.ts — routes --grant client-credentials to the new flow; validates flag combinations
  • src/cli/index.ts — --grant and --token-endpoint options on login command; updated help text
  • src/cli/commands/sessions.ts — profile listing tags [client-credentials] profiles
  • README.md — new "Machine-to-machine authentication" section
  • CHANGELOG.md — entry under [Unreleased]

Tests

  • test/unit/lib/auth/oauth-utils.test.ts — 4 new tests for requestClientCredentialsToken() covering request body, scope, 401, and 5xx errors

Test plan

  • npm run build passes
  • npm run lint passes
  • npm run test:unit — 536/536 tests pass
  • mcpc login --help shows new --grant and --token-endpoint options
  • mcpc login <url> --grant bogus → clear error
  • mcpc login <url> --grant client-credentials without --client-id/--client-secret → clear error
  • E2E: mcpc login <server> --grant client-credentials --client-id X --client-secret Y against a real OAuth server

https://claude.ai/code/session_01E96muBqt36zJHubmGFUWfB

Implements https://modelcontextprotocol.io/extensions/auth/oauth-client-credentials
for non-interactive authentication in CI pipelines, service accounts, and
other automation contexts. No browser required.

Usage:
  mcpc login <server> --grant client-credentials \
    --client-id <id> --client-secret <secret> \
    [--scope "..."] [--token-endpoint <url>]

mcpc persists client_id/client_secret in the OS keychain and re-issues
access tokens automatically when they expire.
@jancurn jancurn force-pushed the claude/check-oauth-support-UCq66 branch from a11ee28 to c5a661d April 18, 2026 00:13
@jancurn jancurn changed the title from "Add OAuth 2.1 client_credentials grant support for machine-to-machine auth" to "Add OAuth client_credentials grant for machine-to-machine auth" Apr 18, 2026
- Add mock OAuth endpoints to test server: /.well-known/oauth-authorization-server
  for discovery and /token for the client_credentials grant. Configurable via
  OAUTH_CLIENT_ID, OAUTH_CLIENT_SECRET, OAUTH_TOKEN env vars.
- Auth check now validates the actual token value (not just presence of Bearer prefix).
- New test suite (14 tests): login flow, profile metadata, session usage (tools-list,
  tools-call), --scope, --json output, validation errors, wrong credentials,
  credential leak check in --verbose, --help output.

https://claude.ai/code/session_01E96muBqt36zJHubmGFUWfB
@jancurn jancurn changed the title from "Add OAuth client_credentials grant for machine-to-machine auth" to "[WIP] Add OAuth client_credentials grant for machine-to-machine auth" Apr 24, 2026
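
The re-issue behaviour described in this PR (no refresh token, a fresh client_credentials request when the access token expires, no secret in verbose output), sketched as an added example that is not taken from the PR's code. All function names, sending the secret as a form field, the 30-second skew and the 300-second default lifetime are assumptions.

```typescript
// Added example. All names are hypothetical; this is not mcpc's code.
interface CachedToken { accessToken: string; expiresAt: number } // expiresAt: epoch seconds
type PostForm = (url: string, body: string) => Promise<{ status: number; json: unknown }>;

// RFC 6749 section 4.4.2 request body. Assumption: the secret is sent as a form
// field (client_secret_post); a server may require HTTP Basic instead.
function buildTokenRequestBody(clientId: string, clientSecret: string, scope?: string): string {
  const fields: Array<[string, string]> = [
    ["grant_type", "client_credentials"],
    ["client_id", clientId],
    ["client_secret", clientSecret],
  ];
  if (scope) fields.push(["scope", scope]);
  return fields.map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`).join("&");
}

// Mask the secret before a request body reaches verbose or debug output.
function redactForLog(body: string): string {
  return body.replace(/(^|&)(client_secret)=[^&]*/g, "$1$2=[REDACTED]");
}

// Validate the token endpoint's JSON and turn expires_in into an absolute expiry.
function parseTokenResponse(json: unknown, nowSec: number, defaultTtlSec = 300): CachedToken {
  const r = (json ?? {}) as { access_token?: unknown; token_type?: unknown; expires_in?: unknown };
  if (typeof r.access_token !== "string" || r.access_token === "") throw new Error("missing access_token");
  if (typeof r.token_type !== "string" || r.token_type.toLowerCase() !== "bearer") throw new Error("unsupported token_type");
  const ttl = typeof r.expires_in === "number" && r.expires_in > 0 ? r.expires_in : defaultTtlSec;
  return { accessToken: r.access_token, expiresAt: nowSec + ttl };
}

// This grant has no refresh token: an absent or nearly expired token means re-issue.
function needsReissue(token: CachedToken | undefined, nowSec: number, skewSec = 30): boolean {
  return token === undefined || token.expiresAt - nowSec <= skewSec;
}

// Return a usable token, calling the token endpoint only when the cached one is stale.
async function getAccessToken(cache: { token?: CachedToken }, tokenEndpoint: string,
    clientId: string, clientSecret: string, post: PostForm, nowSec: number, scope?: string): Promise<string> {
  if (needsReissue(cache.token, nowSec)) {
    const res = await post(tokenEndpoint, buildTokenRequestBody(clientId, clientSecret, scope));
    if (res.status !== 200) throw new Error(`token endpoint returned HTTP ${res.status}`);
    cache.token = parseTokenResponse(res.json, nowSec);
  }
  return cache.token!.accessToken;
}
```

The `post` parameter is injected so the logic can be exercised without a network; a real caller would pass a wrapper around `fetch` that sets `Content-Type: application/x-www-form-urlencoded`.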