Skip to content

feat: add PKCE conformance tests#119

Merged
pcarleton merged 6 commits intomainfrom
pkce-conformance-tests
Jan 23, 2026
Merged

feat: add PKCE conformance tests#119
pcarleton merged 6 commits intomainfrom
pkce-conformance-tests

Conversation

@pcarleton
Copy link
Member

@pcarleton pcarleton commented Jan 23, 2026

Summary

Adds conformance tests for PKCE requirements from the MCP authorization spec (fixes #77).

Changes

New PKCE Checks (added to all auth scenarios via createAuthServer)

Check Slug Description
pkce-code-challenge-sent Verifies client sends code_challenge in authorization request
pkce-s256-method-used Verifies client uses code_challenge_method=S256
pkce-code-verifier-sent Verifies client sends code_verifier in token request
pkce-verifier-matches-challenge Validates BASE64URL(SHA256(code_verifier)) === code_challenge

New Scenario (skipped for now)

  • auth/pkce-no-s256-support - Tests that clients refuse when S256 is not in code_challenge_methods_supported

New Bad Client Example

  • auth-test-no-pkce.ts - A client that skips PKCE entirely (for negative testing)

Testing

All existing auth scenarios now include PKCE validation. The bad client example correctly fails all PKCE checks:

[pkce-code-challenge-sent     ] FAILURE Client MUST send code_challenge in authorization request
[pkce-s256-method-used        ] FAILURE Client MUST use S256 code challenge method when technically capable
[pkce-code-verifier-sent      ] FAILURE Client MUST send code_verifier in token request

@pcarleton
feat: add PKCE conformance tests
0465ffa 
Adds conformance checks for PKCE requirements from the MCP auth spec:

- pkce-code-challenge-sent: Verifies client sends code_challenge in auth request
- pkce-s256-method-used: Verifies client uses S256 code challenge method
- pkce-code-verifier-sent: Verifies client sends code_verifier in token request
- pkce-verifier-matches-challenge: Validates BASE64URL(SHA256(verifier)) = challenge

Also adds auth/pkce-no-s256-support scenario that tests clients correctly
refuse when S256 is not in code_challenge_methods_supported.

All PKCE checks are added to the createAuthServer helper, so they automatically
apply to all existing auth scenarios.

Fixes #77
@pcarleton
feat: add bad client example that skips PKCE
702a927 
Adds auth-test-no-pkce.ts which implements a custom OAuth flow that
deliberately skips PKCE (no code_challenge in auth request, no
code_verifier in token request).

Also adds negative test to verify the conformance suite correctly
detects this non-compliant behavior.
@pcarleton
chore: skip pkce-no-s256-support scenario for now
43f79b4
@pcarleton
chore: fix formatting
0315fd6
@pkg-pr-new
Copy link

pkg-pr-new bot commented Jan 23, 2026
edited
Loading

Open in StackBlitz

npx https://pkg.pr.new/modelcontextprotocol/conformance/@modelcontextprotocol/conformance@119

commit: be90e1c

@pcarleton
refactor: remove pkce-no-s256-support scenario and always validate PKCE
fbd656d 
- Remove pkce-no-s256-support scenario (was skipped anyway)
- Make pkce-verifier-matches-challenge fail if either code_challenge
  or code_verifier is missing, rather than only running when both present
- Update negative test to expect the new failure
@pcarleton pcarleton marked this pull request as ready for review January 23, 2026 12:49
@felixweinberger
Copy link
Contributor

felixweinberger commented Jan 23, 2026

LGTM!

@pcarleton pcarleton merged commit 4a2ba8a into main Jan 23, 2026
8 checks passed
@pcarleton pcarleton deleted the pkce-conformance-tests branch January 23, 2026 18:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@felixweinberger felixweinberger felixweinberger approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add conformance tests for PKCE requirements

2 participants

@pcarleton @felixweinberger