Fix OAuth2 client_id type errors

claude · claude · commit 28911aa0985a · 2025-11-04T03:01:25.000Z
Add explicit None checks for client_id fields before passing to functions
that expect str. This fixes type errors where str | None was being passed
to parameters that require str.

Changes:
- simple_auth_provider.py: Add client_id validation in exchange_client_credentials and exchange_token
- oauth2.py: Add client_id check at start of _apply_client_auth method
- test_auth_integration.py: Add assertions for client_id not being None in test mock methods

This ensures proper type safety and prevents potential None dereference errors.
diff --git a/examples/servers/simple-auth/mcp_simple_auth/simple_auth_provider.py b/examples/servers/simple-auth/mcp_simple_auth/simple_auth_provider.py
@@ -244,6 +244,8 @@ async def exchange_authorization_code(
 
     async def exchange_client_credentials(self, client: OAuthClientInformationFull, scopes: list[str]) -> OAuthToken:
         """Exchange client credentials for an MCP access token."""
+        if not client.client_id:
+            raise ValueError("No client_id provided")
         mcp_token = f"mcp_{secrets.token_hex(32)}"
         self.tokens[mcp_token] = AccessToken(
             token=mcp_token,
@@ -272,6 +274,8 @@ async def exchange_token(
         """Exchange an external token for an MCP access token."""
         if not subject_token:
             raise ValueError("Invalid subject token")
+        if not client.client_id:
+            raise ValueError("No client_id provided")
 
         mcp_token = f"mcp_{secrets.token_hex(32)}"
         self.tokens[mcp_token] = AccessToken(
diff --git a/src/mcp/client/auth/oauth2.py b/src/mcp/client/auth/oauth2.py
@@ -256,6 +256,8 @@ def _apply_client_auth(
         headers: dict[str, str],
         client_info: OAuthClientInformationFull,
     ) -> None:
+        if not client_info.client_id:
+            raise OAuthFlowError("Client ID is required")
         auth_method = "client_secret_post"
         if self._metadata and self._metadata.token_endpoint_auth_methods_supported:
             supported = self._metadata.token_endpoint_auth_methods_supported
diff --git a/tests/server/fastmcp/auth/test_auth_integration.py b/tests/server/fastmcp/auth/test_auth_integration.py
@@ -160,6 +160,7 @@ async def exchange_refresh_token(
         )
 
     async def exchange_client_credentials(self, client: OAuthClientInformationFull, scopes: list[str]) -> OAuthToken:
+        assert client.client_id is not None
         access_token = f"access_{secrets.token_hex(32)}"
         self.tokens[access_token] = AccessToken(
             token=access_token,
@@ -188,6 +189,7 @@ async def exchange_token(
         if subject_token == "bad_token":
             raise TokenError("invalid_grant", "invalid subject token")
 
+        assert client.client_id is not None
         access_token = f"exchanged_{secrets.token_hex(32)}"
         self.tokens[access_token] = AccessToken(
             token=access_token,
