fix(auth): pad EC P-256 JWK coordinates to fixed 32 bytes

nypdmax · nypdmax · commit 24bd45bc896d · 2026-02-06T11:13:07.000+08:00
Also sync grant_types_supported test assertions with 6cf977b.
diff --git a/src/mcp/client/auth/dpop.py b/src/mcp/client/auth/dpop.py
@@ -26,9 +26,19 @@
 _RSA_PUBLIC_EXPONENT = 65537
 
 
-def _int_to_base64url(num: int) -> str:
-    """Encode integer to base64url without padding."""
-    size = (num.bit_length() + _BITS_PER_BYTE - 1) // _BITS_PER_BYTE
+def _int_to_base64url(num: int, *, fixed_length: int | None = None) -> str:
+    """Encode integer to base64url without padding.
+
+    Args:
+        num: Non-negative integer to encode.
+        fixed_length: If set, pad the big-endian representation to exactly
+            this many bytes.  Required for EC coordinates where RFC 7518 §6.2.1
+            mandates a fixed octet length (e.g. 32 for P-256).
+    """
+    if fixed_length is not None:
+        size = fixed_length
+    else:
+        size = (num.bit_length() + _BITS_PER_BYTE - 1) // _BITS_PER_BYTE
     data = num.to_bytes(size, "big")
     return base64.urlsafe_b64encode(data).decode().rstrip("=")
 
@@ -107,11 +117,13 @@ def _key_to_jwk(key: EllipticCurvePrivateKey | RSAPrivateKey) -> dict[str, Any]:
     if isinstance(key, EllipticCurvePrivateKey):
         pub = key.public_key()
         nums = pub.public_numbers()
+        # P-256 coordinates must be exactly 32 bytes per RFC 7518 §6.2.1.2
+        ec_coord_length = 32
         return {
             "kty": "EC",
             "crv": "P-256",
-            "x": _int_to_base64url(nums.x),
-            "y": _int_to_base64url(nums.y),
+            "x": _int_to_base64url(nums.x, fixed_length=ec_coord_length),
+            "y": _int_to_base64url(nums.y, fixed_length=ec_coord_length),
         }
     # key is RSAPrivateKey (union type)
     pub = key.public_key()
diff --git a/tests/client/test_auth.py b/tests/client/test_auth.py
@@ -1346,7 +1346,7 @@ def test_build_metadata(
             "token_endpoint": Is(token_endpoint),
             "registration_endpoint": Is(registration_endpoint),
             "scopes_supported": ["read", "write", "admin"],
-            "grant_types_supported": ["authorization_code", "refresh_token"],
+            "grant_types_supported": ["authorization_code", "refresh_token", "client_credentials"],
             "token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic"],
             "service_documentation": Is(service_documentation_url),
             "revocation_endpoint": Is(revocation_endpoint),
diff --git a/tests/server/mcpserver/auth/test_auth_integration.py b/tests/server/mcpserver/auth/test_auth_integration.py
@@ -322,6 +322,7 @@ async def test_metadata_endpoint(self, test_client: httpx.AsyncClient):
         assert metadata["grant_types_supported"] == [
             "authorization_code",
             "refresh_token",
+            "client_credentials",
         ]
         assert metadata["service_documentation"] == "https://docs.example.com/"
 

Original file line number	Diff line number	Diff line change
`@@ -322,6 +322,7 @@ async def test_metadata_endpoint(self, test_client: httpx.AsyncClient):`
`322`	`322`	`assert metadata["grant_types_supported"] == [`
`323`	`323`	`"authorization_code",`
`324`	`324`	`"refresh_token",`
	`325`	`+ "client_credentials",`
`325`	`326`	`]`
`326`	`327`	`assert metadata["service_documentation"] == "https://docs.example.com/"`
`327`	`328`