feat: add LenientOidcDiscoveryMetadataPolicy for IdPs without code_challenge_methods_supported

simonchrz · simonchrz · commit 443af5c307f7 · 2026-03-23T10:02:13.000+01:00
Some identity providers (e.g. FusionAuth, Microsoft Entra ID) omit
code_challenge_methods_supported from their OIDC discovery response
despite supporting PKCE with S256. This policy relaxes the validation
to only require authorization_endpoint, token_endpoint, and jwks_uri.
diff --git a/src/Server/Transport/Http/OAuth/LenientOidcDiscoveryMetadataPolicy.php b/src/Server/Transport/Http/OAuth/LenientOidcDiscoveryMetadataPolicy.php
@@ -0,0 +1,38 @@
+<?php
+
+/*
+ * This file is part of the official PHP MCP SDK.
+ *
+ * A collaboration between Symfony and the PHP Foundation.
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Mcp\Server\Transport\Http\OAuth;
+
+/**
+ * Lenient metadata policy for identity providers that do not yet include
+ * code_challenge_methods_supported in their OIDC discovery response.
+ *
+ * While the MCP specification requires authorization servers to advertise
+ * code_challenge_methods_supported, some providers (e.g. FusionAuth,
+ * Microsoft Entra ID) omit this field despite supporting PKCE with S256.
+ *
+ * Use this policy as a pragmatic workaround until those providers update
+ * their discovery metadata.
+ */
+final class LenientOidcDiscoveryMetadataPolicy implements OidcDiscoveryMetadataPolicyInterface
+{
+    public function isValid(mixed $metadata): bool
+    {
+        return \is_array($metadata)
+            && isset($metadata['authorization_endpoint'], $metadata['token_endpoint'], $metadata['jwks_uri'])
+            && \is_string($metadata['authorization_endpoint'])
+            && '' !== trim($metadata['authorization_endpoint'])
+            && \is_string($metadata['token_endpoint'])
+            && '' !== trim($metadata['token_endpoint'])
+            && \is_string($metadata['jwks_uri'])
+            && '' !== trim($metadata['jwks_uri']);
+    }
+}
diff --git a/tests/Unit/Server/Transport/Http/OAuth/LenientOidcDiscoveryMetadataPolicyTest.php b/tests/Unit/Server/Transport/Http/OAuth/LenientOidcDiscoveryMetadataPolicyTest.php
@@ -0,0 +1,98 @@
+<?php
+
+/*
+ * This file is part of the official PHP MCP SDK.
+ *
+ * A collaboration between Symfony and the PHP Foundation.
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Mcp\Tests\Unit\Server\Transport\Http\OAuth;
+
+use Mcp\Server\Transport\Http\OAuth\LenientOidcDiscoveryMetadataPolicy;
+use PHPUnit\Framework\Attributes\DataProvider;
+use PHPUnit\Framework\Attributes\TestDox;
+use PHPUnit\Framework\TestCase;
+
+class LenientOidcDiscoveryMetadataPolicyTest extends TestCase
+{
+    #[DataProvider('provideValidMetadata')]
+    #[TestDox('valid metadata: $description')]
+    public function testValidMetadata(mixed $metadata, string $description): void
+    {
+        $policy = new LenientOidcDiscoveryMetadataPolicy();
+
+        $this->assertTrue($policy->isValid($metadata));
+    }
+
+    /**
+     * @return iterable<string, array{mixed, string}>
+     */
+    public static function provideValidMetadata(): iterable
+    {
+        $base = [
+            'authorization_endpoint' => 'https://auth.example.com/authorize',
+            'token_endpoint' => 'https://auth.example.com/token',
+            'jwks_uri' => 'https://auth.example.com/jwks',
+        ];
+
+        yield 'without code_challenge_methods_supported' => [$base, 'without code_challenge_methods_supported'];
+
+        yield 'with code_challenge_methods_supported' => [
+            $base + ['code_challenge_methods_supported' => ['S256']],
+            'with code_challenge_methods_supported',
+        ];
+    }
+
+    #[DataProvider('provideInvalidMetadata')]
+    #[TestDox('invalid metadata: $description')]
+    public function testInvalidMetadata(mixed $metadata, string $description): void
+    {
+        $policy = new LenientOidcDiscoveryMetadataPolicy();
+
+        $this->assertFalse($policy->isValid($metadata));
+    }
+
+    /**
+     * @return iterable<string, array{mixed, string}>
+     */
+    public static function provideInvalidMetadata(): iterable
+    {
+        yield 'missing authorization_endpoint' => [
+            [
+                'token_endpoint' => 'https://auth.example.com/token',
+                'jwks_uri' => 'https://auth.example.com/jwks',
+            ],
+            'missing authorization_endpoint',
+        ];
+
+        yield 'missing token_endpoint' => [
+            [
+                'authorization_endpoint' => 'https://auth.example.com/authorize',
+                'jwks_uri' => 'https://auth.example.com/jwks',
+            ],
+            'missing token_endpoint',
+        ];
+
+        yield 'missing jwks_uri' => [
+            [
+                'authorization_endpoint' => 'https://auth.example.com/authorize',
+                'token_endpoint' => 'https://auth.example.com/token',
+            ],
+            'missing jwks_uri',
+        ];
+
+        yield 'empty endpoint string' => [
+            [
+                'authorization_endpoint' => '',
+                'token_endpoint' => 'https://auth.example.com/token',
+                'jwks_uri' => 'https://auth.example.com/jwks',
+            ],
+            'empty endpoint string',
+        ];
+
+        yield 'non-array metadata' => ['not an array', 'non-array metadata'];
+    }
+}
