Skip to content

feat: add conformance tests for iss parameter (SEP-2468)#220

Open
max-stytch wants to merge 2 commits into
modelcontextprotocol:mainfrom
max-stytch:feat/iss-parameter-conformance
Open

feat: add conformance tests for iss parameter (SEP-2468)#220
max-stytch wants to merge 2 commits into
modelcontextprotocol:mainfrom
max-stytch:feat/iss-parameter-conformance

Conversation

@max-stytch
Copy link
Copy Markdown

@max-stytch max-stytch commented Apr 9, 2026

Motivation and Context

Adds 5 draft conformance scenarios testing RFC 9207 issuer parameter validation in OAuth authorization responses:

  • auth/iss-supported: server advertises support and sends correct iss
  • auth/iss-not-advertised: server omits iss parameter entirely
  • auth/iss-supported-missing: client must reject missing iss when required
  • auth/iss-wrong-issuer: client must reject mismatched iss value
  • auth/iss-unexpected: client must reject iss when not advertised

Also adds auth-test-iss-validation.ts, a reference client that correctly validates iss per RFC 9207, and negative tests confirming the standard client fails all three rejection scenarios.

TODO: Update RFC_9207_ISS_PARAMETER spec reference once SEP-2468 (modelcontextprotocol/modelcontextprotocol#2468) is merged.

How Has This Been Tested?

CI/CD

Breaking Changes

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Additional context

@max-stytch
feat: add conformance tests for iss parameter (SEP-2468)
df54a14 
Adds 5 draft conformance scenarios testing RFC 9207 issuer parameter
validation in OAuth authorization responses:

- auth/iss-supported: server advertises support and sends correct iss
- auth/iss-not-advertised: server omits iss parameter entirely
- auth/iss-supported-missing: client must reject missing iss when required
- auth/iss-wrong-issuer: client must reject mismatched iss value
- auth/iss-unexpected: client must reject iss when not advertised

Also adds auth-test-iss-validation.ts, a reference client that correctly
validates iss per RFC 9207, and negative tests confirming the standard
client fails all three rejection scenarios.

TODO: Update RFC_9207_ISS_PARAMETER spec reference once SEP-2468
(modelcontextprotocol/modelcontextprotocol#2468) is merged.
@max-stytch
update scenarios
b91850f
@max-stytch
Copy link
Copy Markdown
Author

max-stytch commented Apr 9, 2026

Conformance tests were ran against modelcontextprotocol/go-sdk#859 locally for verification purposes:

./scripts/client-conformance.sh --conformance_repo /Users/mgerber/stytch/conformance --suite draft

=== SUITE SUMMARY ===

✓ auth/resource-mismatch: 3 passed, 0 failed
✗ auth/offline-access-scope: 0 passed, 1 failed
✗ auth/offline-access-not-supported: 0 passed, 1 failed
✓ auth/iss-supported: 15 passed, 0 failed
✓ auth/iss-not-advertised: 15 passed, 0 failed
✓ auth/iss-supported-missing: 7 passed, 0 failed
✓ auth/iss-wrong-issuer: 7 passed, 0 failed
✓ auth/iss-unexpected: 7 passed, 0 failed

Total: 54 passed, 2 failed, 0 warnings

max-stytch
max-stytch commented Apr 9, 2026
View reviewed changes
Comment thread src/scenarios/client/auth/issuer-parameter.ts
* includes the correct iss value in the authorization redirect. A conformant
* client should validate iss and proceed normally.
*/
export class IssParameterSupportedScenario implements Scenario {
Copy link
Copy Markdown
Author

@max-stytch max-stytch Apr 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wanted to have one scenario with many checks, but it looks like the pattern is one scenario -> one auth server, and we need a separate AS for each check :/

max-stytch
max-stytch commented Apr 9, 2026
View reviewed changes
Comment thread examples/clients/typescript/auth-test-iss-validation.ts
#!/usr/bin/env node

/**
* Well-behaved client that validates the iss parameter in authorization responses.
Copy link
Copy Markdown
Author

@max-stytch max-stytch Apr 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would have loved to add this behavior to the base ConformanceOAuthProvider, but it looks like that provider doesn't have access to the AS Metadata currently, so it is not possible for us to do the checks there. runCrossAppAccessCompleteFlow similarly needs to fetch the metadata itself.

Defer to maintainers on how best to incorporate this code.

@pcarleton pcarleton mentioned this pull request May 15, 2026
Open
@pcarleton
Copy link
Copy Markdown
Member

pcarleton commented May 15, 2026

Thanks for this — I've opened max-stytch#1 stacked on top of this branch with review fixes (one commit per finding, take or leave each). Coverage table and the rebase-onto-main note are in that PR's body.

Re auth-test-iss-validation.ts: don't sweat it — we're moving the example clients out of this repo soon, so it'll get reworked regardless.

@pcarleton pcarleton mentioned this pull request May 15, 2026
Draft
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@max-stytch @pcarleton