Adding Client Credentials & Token Exchange Grant Types to Auth

README.md

@@ -814,7 +814,11 @@ async def main():
 The SDK includes [authorization support](https://modelcontextprotocol.io/specification/2025-03-26/basic/authorization) for connecting to protected MCP servers:
 
 ```python
-from mcp.client.auth import OAuthClientProvider, TokenStorage
+from mcp.client.auth import (
+    OAuthClientProvider,
+    TokenExchangeProvider,
+    TokenStorage,
+)
 from mcp.client.session import ClientSession
 from mcp.client.streamable_http import streamablehttp_client
 from mcp.shared.auth import OAuthClientInformationFull, OAuthClientMetadata, OAuthToken
@@ -851,6 +855,24 @@ async def main():
         callback_handler=lambda: ("auth_code", None),
     )
 
+    # For machine-to-machine scenarios, use ClientCredentialsProvider
+    # instead of OAuthClientProvider.
+
+    # If you already have a user token from another provider, you can
+    # exchange it for an MCP token using the token_exchange grant
+    # implemented by TokenExchangeProvider.
+    token_exchange_auth = TokenExchangeProvider(
+        server_url="https://api.example.com",
+        client_metadata=OAuthClientMetadata(
+            client_name="My Client",
+            redirect_uris=["http://localhost:3000/callback"],
+            grant_types=["client_credentials", "token_exchange"],
+            response_types=["code"],
+        ),
+        storage=CustomTokenStorage(),
+        subject_token_supplier=lambda: "user_token",
+    )
+
     # Use with streamable HTTP client
     async with streamablehttp_client(
         "https://api.example.com/mcp", auth=oauth_auth

docs/api.md

@@ -1 +1,5 @@
+The Python SDK exposes the entire `mcp` package for use in your own projects.
+It includes an OAuth server implementation with support for the RFC 8693
+`token_exchange` grant type.
+
 ::: mcp

docs/index.md

@@ -3,3 +3,7 @@
 This is the MCP Server implementation in Python.
 
 It only contains the [API Reference](api.md) for the time being.
+
+The built-in OAuth server supports the RFC 8693 `token_exchange` grant type,
+allowing clients to exchange user tokens from external providers for MCP
+access tokens.

examples/servers/simple-auth/mcp_simple_auth/server.py

@@ -238,6 +238,36 @@ async def exchange_refresh_token(
         """Exchange refresh token"""
         raise NotImplementedError("Not supported")
 
+    async def exchange_token(
+        self,
+        client: OAuthClientInformationFull,
+        subject_token: str,
+        subject_token_type: str,
+        actor_token: str | None,
+        actor_token_type: str | None,
+        scope: list[str] | None,
+        audience: str | None,
+        resource: str | None,
+    ) -> OAuthToken:
+        """Exchange an external token for an MCP access token."""
+        raise NotImplementedError("Token exchange is not supported")
+
+    async def exchange_client_credentials(self, client: OAuthClientInformationFull, scopes: list[str]) -> OAuthToken:
+        """Exchange client credentials for an access token."""
+        token = f"mcp_{secrets.token_hex(32)}"
+        self.tokens[token] = AccessToken(
+            token=token,
+            client_id=client.client_id,
+            scopes=scopes,
+            expires_at=int(time.time()) + 3600,
+        )
+        return OAuthToken(
+            access_token=token,
+            token_type="Bearer",
+            expires_in=3600,
+            scope=" ".join(scopes),
+        )
+
     async def revoke_token(self, token: str, token_type_hint: str | None = None) -> None:
         """Revoke a token."""
         if token in self.tokens: