chore(examples): harden multiprotocol client/script flows

Make api_key and mutual_tls runs non-interactive with clear PASS/FAIL, add oauth_dpop mode wiring, and allow forcing mutual_tls protocol injection for placeholder coverage.

Author: nypdmax

examples/clients/simple-auth-multiprotocol-client/mcp_simple_auth_multiprotocol_client/main.py

@@ -233,10 +233,16 @@ async def redirect_handler(url: str) -> None:
             protocols.append(oauth_protocol)
             print(f"OAuth protocol enabled (DPoP: {self.dpop_enabled})")
 
-        # Always add API Key and mTLS as fallback
-        api_key = os.getenv("MCP_API_KEY", "demo-api-key-12345")
-        protocols.append(ApiKeyProtocol(api_key=api_key))
-        protocols.append(MutualTlsPlaceholderProtocol())
+        # Add non-OAuth protocols. Allow forcing protocol injection for integration tests.
+        forced = os.getenv("MCP_AUTH_PROTOCOL", os.getenv("MCP_PHASE2_PROTOCOL", "")).strip().lower()
+        if forced in ("mutual_tls", "mtls"):
+            # Force mTLS placeholder to be selectable (do not inject API key fallback).
+            protocols.append(MutualTlsPlaceholderProtocol())
+        else:
+            # Default: API key (from env) plus mTLS placeholder as fallback.
+            api_key = os.getenv("MCP_API_KEY", "demo-api-key-12345")
+            protocols.append(ApiKeyProtocol(api_key=api_key))
+            protocols.append(MutualTlsPlaceholderProtocol())
 
         try:
             # Create http_client first, then pass it to auth provider

examples/clients/simple-auth-multiprotocol-client/run_dpop_test.sh

@@ -115,15 +115,27 @@ echo "Running Automated DPoP Tests"
 echo "============================================================"
 echo ""
 
-# Test B2: API Key Authentication
-echo "[Test B2] API Key Authentication (DPoP should not affect)"
+# Test B2: API Key Authentication (curl)
+echo "[Test B2] API Key Authentication via curl (DPoP should not affect)"
 STATUS=$(curl -s -o /dev/null -w "%{http_code}" -X POST "$MCP_ENDPOINT" \
   -H "Content-Type: application/json" \
   -H "Accept: application/json, text/event-stream" \
   -H "X-API-Key: $API_KEY" \
   -d '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2024-11-05","capabilities":{},"clientInfo":{"name":"dpop-test","version":"1.0"}}}')
 run_test "API Key auth works with DPoP enabled" "200" "$STATUS"
 
+# Test B3: API Key Authentication via MultiProtocolAuth client
+echo "[Test B3] API Key Authentication via MultiProtocolAuth client"
+cd "$MULTIPROTOCOL_CLIENT"
+if printf "list\ncall get_time {}\nquit\n" | MCP_SERVER_URL="$MCP_ENDPOINT" MCP_API_KEY="$API_KEY" MCP_AUTH_PROTOCOL="api_key" uv run mcp-simple-auth-multiprotocol-client >/dev/null 2>&1; then
+  echo "  PASS: simple-auth-multiprotocol-client (API Key via MultiProtocolAuth)"
+  PASSED=$((PASSED + 1))
+else
+  echo "  FAIL: simple-auth-multiprotocol-client (API Key via MultiProtocolAuth)"
+  FAILED=$((FAILED + 1))
+fi
+cd "$REPO_ROOT"
+
 # Test: No Authentication
 echo "[Test] No Authentication (expect 401)"
 STATUS=$(curl -s -o /dev/null -w "%{http_code}" -X POST "$MCP_ENDPOINT" \

examples/clients/simple-auth-multiprotocol-client/run_multiprotocol_test.sh

@@ -1,26 +1,28 @@
 #!/usr/bin/env bash
-# Multi-protocol integration test: start simple-auth-multiprotocol RS (and optionally AS for OAuth), 
-# then run client with API Key, OAuth, or Mutual TLS (placeholder).
-# This test is for testing multi-protocol support with API Key, OAuth, or Mutual TLS.
+# Multi-protocol integration test (MultiProtocolAuthProvider):
+# start simple-auth-multiprotocol RS (and optionally AS for OAuth),
+# then run simple-auth-multiprotocol-client with API Key, OAuth, OAuth+DPoP, or Mutual TLS (placeholder).
 # Usage: in the repo root, run: ./examples/clients/simple-auth-multiprotocol-client/run_multiprotocol_test.sh
-# Env: MCP_PHASE2_PROTOCOL=api_key (default) | oauth | mutual_tls (client will show "not implemented" for mTLS).
-# For api_key/mutual_tls: simple-auth-multiprotocol-client; for oauth: simple-auth-client (complete OAuth in browser).
-# You must run at mcp> prompt: list, call get_time {}, quit.
+# Env: MCP_AUTH_PROTOCOL=api_key (default) | oauth | oauth_dpop | mutual_tls
+# For api_key/mutual_tls: script runs non-interactive commands (list/call/quit) and asserts PASS/FAIL.
+# For oauth/oauth_dpop: complete OAuth in browser, then run: list, call get_time {}, quit.
+# Optional: MCP_SKIP_OAUTH=1 to skip oauth/oauth_dpop manual cases.
 
 set -e
 
 REPO_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/../../.." && pwd)"
 SIMPLE_AUTH_SERVER="${REPO_ROOT}/examples/servers/simple-auth"
 MULTIPROTOCOL_SERVER="${REPO_ROOT}/examples/servers/simple-auth-multiprotocol"
 MULTIPROTOCOL_CLIENT="${REPO_ROOT}/examples/clients/simple-auth-multiprotocol-client"
-SIMPLE_AUTH_CLIENT="${REPO_ROOT}/examples/clients/simple-auth-client"
 RS_PORT="${MCP_RS_PORT:-8002}"
 AS_PORT="${MCP_AS_PORT:-9000}"
-PROTOCOL="${MCP_PHASE2_PROTOCOL:-api_key}"
+PROTOCOL="${MCP_AUTH_PROTOCOL:-api_key}"
+SKIP_OAUTH="${MCP_SKIP_OAUTH:-0}"
 
 cd "$REPO_ROOT"
 echo "Repo root: $REPO_ROOT"
 echo "Protocol: $PROTOCOL"
+echo "Skip OAuth: $SKIP_OAUTH"
 
 uv sync --quiet 2>/dev/null || true
 
@@ -49,7 +51,7 @@ cleanup() {
 trap cleanup EXIT
 
 # Start Authorization Server only for OAuth
-if [ "$PROTOCOL" = "oauth" ]; then
+if [ "$PROTOCOL" = "oauth" ] || [ "$PROTOCOL" = "oauth_dpop" ]; then
   cd "$SIMPLE_AUTH_SERVER"
   uv run mcp-simple-auth-as --port="$AS_PORT" &
   AS_PID=$!
@@ -61,6 +63,8 @@ fi
 cd "$MULTIPROTOCOL_SERVER"
 if [ "$PROTOCOL" = "oauth" ]; then
   uv run mcp-simple-auth-multiprotocol-rs --port="$RS_PORT" --auth-server="http://localhost:${AS_PORT}" --api-keys="demo-api-key-12345" &
+elif [ "$PROTOCOL" = "oauth_dpop" ]; then
+  uv run mcp-simple-auth-multiprotocol-rs --port="$RS_PORT" --auth-server="http://localhost:${AS_PORT}" --api-keys="demo-api-key-12345" --dpop-enabled &
 else
   uv run mcp-simple-auth-multiprotocol-rs --port="$RS_PORT" --api-keys="demo-api-key-12345" &
 fi
@@ -76,20 +80,47 @@ echo ""
 echo ""
 
 # Run client by protocol
-if [ "$PROTOCOL" = "oauth" ]; then
-  echo "Starting simple-auth-client (OAuth). Complete OAuth in the browser, then run: list, call get_time {}, quit"
+if [ "$PROTOCOL" = "oauth" ] || [ "$PROTOCOL" = "oauth_dpop" ]; then
+  if [ "$SKIP_OAUTH" = "1" ]; then
+    echo "Skipping OAuth manual test (MCP_SKIP_OAUTH=1)"
+    exit 0
+  fi
+  echo "Starting simple-auth-multiprotocol-client (OAuth). Complete OAuth in the browser, then run: list, call get_time {}, quit"
   echo ""
-  cd "$SIMPLE_AUTH_CLIENT"
-  MCP_SERVER_PORT="$RS_PORT" MCP_TRANSPORT_TYPE=streamable-http uv run mcp-simple-auth-client
+  cd "$MULTIPROTOCOL_CLIENT"
+  MCP_SERVER_URL="http://localhost:${RS_PORT}/mcp" \
+  MCP_USE_OAUTH=1 \
+  MCP_DPOP_ENABLED=$([ "$PROTOCOL" = "oauth_dpop" ] && echo 1 || echo 0) \
+  MCP_AUTH_PROTOCOL="$PROTOCOL" \
+  uv run mcp-simple-auth-multiprotocol-client
 elif [ "$PROTOCOL" = "mutual_tls" ]; then
-  echo "Starting simple-auth-multiprotocol-client (mTLS placeholder). At mcp> run: list, call get_time {}, quit"
+  echo "Running mTLS placeholder selection (expect not implemented)"
   echo ""
   cd "$MULTIPROTOCOL_CLIENT"
-  unset MCP_API_KEY
-  MCP_SERVER_URL="http://localhost:${RS_PORT}/mcp" uv run mcp-simple-auth-multiprotocol-client
+  set +e
+  OUT=$(MCP_SERVER_URL="http://localhost:${RS_PORT}/mcp" MCP_AUTH_PROTOCOL="mutual_tls" uv run mcp-simple-auth-multiprotocol-client 2>&1)
+  CODE=$?
+  set -e
+  echo "$OUT" | head -60
+  if echo "$OUT" | grep -q "Mutual TLS not implemented"; then
+    echo "PASS: mutual_tls placeholder reported not implemented"
+    exit 0
+  fi
+  echo "FAIL: mutual_tls placeholder did not report expected error (exit=$CODE)"
+  exit 1
 else
-  echo "Starting simple-auth-multiprotocol-client (API Key). At mcp> run: list, call get_time {}, quit"
+  echo "Running API Key flow (non-interactive): list, call get_time {}, quit"
   echo ""
   cd "$MULTIPROTOCOL_CLIENT"
-  MCP_SERVER_URL="http://localhost:${RS_PORT}/mcp" MCP_API_KEY="demo-api-key-12345" uv run mcp-simple-auth-multiprotocol-client
+  set +e
+  OUT=$(printf "list\ncall get_time {}\nquit\n" | MCP_SERVER_URL="http://localhost:${RS_PORT}/mcp" MCP_API_KEY="demo-api-key-12345" MCP_AUTH_PROTOCOL="api_key" uv run mcp-simple-auth-multiprotocol-client 2>&1)
+  CODE=$?
+  set -e
+  echo "$OUT" | head -80
+  if [ "$CODE" -eq 0 ] && echo "$OUT" | grep -q "Session initialized" && ! echo "$OUT" | grep -q "Session terminated"; then
+    echo "PASS: api_key flow succeeded"
+    exit 0
+  fi
+  echo "FAIL: api_key flow failed (exit=$CODE)"
+  exit 1
 fi