modelcontextprotocol · coding-bobo · May 12, 2026 · May 12, 2026 · May 12, 2026 · May 12, 2026
diff --git a/examples/clients/typescript/auth-test-wif-expired-assertion.ts b/examples/clients/typescript/auth-test-wif-expired-assertion.ts
@@ -0,0 +1,15 @@
+#!/usr/bin/env node
+
+/**
+ * Broken WIF client: presents a JWT that is already expired.
+ * BUG: Uses expired_jwt instead of valid_jwt — server rejects with invalid_grant.
+ */
+
+import { runWifJwtBearerExpiredAssertion } from './everything-client.js';
+import { runAsCli } from './helpers/cliRunner.js';
+
+runAsCli(
+  runWifJwtBearerExpiredAssertion,
+  import.meta.url,
+  'auth-test-wif-expired-assertion <server-url>'
+);
diff --git a/examples/clients/typescript/auth-test-wif-grant-fallback.ts b/examples/clients/typescript/auth-test-wif-grant-fallback.ts
@@ -0,0 +1,15 @@
+#!/usr/bin/env node
+
+/**
+ * Broken WIF client: falls back to authorization_code after receiving unauthorized_client.
+ * BUG: switches grant type instead of surfacing the error.
+ */
+
+import { runWifJwtBearerGrantFallback } from './everything-client.js';
+import { runAsCli } from './helpers/cliRunner.js';
+
+runAsCli(
+  runWifJwtBearerGrantFallback,
+  import.meta.url,
+  'auth-test-wif-grant-fallback <server-url>'
+);
diff --git a/examples/clients/typescript/auth-test-wif-no-assertion.ts b/examples/clients/typescript/auth-test-wif-no-assertion.ts
@@ -0,0 +1,15 @@
+#!/usr/bin/env node
+
+/**
+ * Broken WIF client: omits the assertion parameter from the token request.
+ * BUG: Does not include assertion in JWT-bearer grant — server rejects with invalid_request.
+ */
+
+import { runWifJwtBearerMissingAssertion } from './everything-client.js';
+import { runAsCli } from './helpers/cliRunner.js';
+
+runAsCli(
+  runWifJwtBearerMissingAssertion,
+  import.meta.url,
+  'auth-test-wif-no-assertion <server-url>'
+);
diff --git a/examples/clients/typescript/auth-test-wif-retry.ts b/examples/clients/typescript/auth-test-wif-retry.ts
@@ -0,0 +1,15 @@
+#!/usr/bin/env node
+
+/**
+ * Broken WIF client: retries JWT-bearer after receiving unauthorized_client.
+ * BUG: retries instead of surfacing the error.
+ */
+
+import { runWifJwtBearerRetry } from './everything-client.js';
+import { runAsCli } from './helpers/cliRunner.js';
+
+runAsCli(
+  runWifJwtBearerRetry,
+  import.meta.url,
+  'auth-test-wif-retry <server-url>'
+);
diff --git a/examples/clients/typescript/auth-test-wif-scope-rejected.ts b/examples/clients/typescript/auth-test-wif-scope-rejected.ts
@@ -0,0 +1,15 @@
+#!/usr/bin/env node
+
+/**
+ * Broken WIF client: requests a scope the AS does not permit for JWT-bearer grant.
+ * BUG: Includes 'wif.rejected' in the scope parameter — AS returns invalid_scope.
+ */
+
+import { runWifJwtBearerScopeRejected } from './everything-client.js';
+import { runAsCli } from './helpers/cliRunner.js';
+
+runAsCli(
+  runWifJwtBearerScopeRejected,
+  import.meta.url,
+  'auth-test-wif-scope-rejected <server-url>'
+);
diff --git a/examples/clients/typescript/auth-test-wif-wrong-audience.ts b/examples/clients/typescript/auth-test-wif-wrong-audience.ts
@@ -0,0 +1,15 @@
+#!/usr/bin/env node
+
+/**
+ * Broken WIF client: presents a JWT with the wrong audience.
+ * BUG: Uses wrong_audience_jwt instead of valid_jwt — server rejects with invalid_grant.
+ */
+
+import { runWifJwtBearerWrongAudience } from './everything-client.js';
+import { runAsCli } from './helpers/cliRunner.js';
+
+runAsCli(
+  runWifJwtBearerWrongAudience,
+  import.meta.url,
+  'auth-test-wif-wrong-audience <server-url>'
+);