fix: pass conformance auth scenarios, add RFC 8707 resource validation

[felixweinberger]

Summary

Fixes the broken conformance CI that is blocking all PRs with client-conformance failures.

Motivation and Context

The conformance test suite was broken after @modelcontextprotocol/conformance@0.1.13 introduced new auth scenarios requiring:

1. Pre-registered client credentials from MCP_CONFORMANCE_CONTEXT
2. RFC 8707 resource validation (PRM resource must match server URL)

This was causing the client-conformance check to fail on nearly all open PRs (the tools_call scenario returns 403 Forbidden). Builds on the work from #1999.

How Has This Been Tested?

• All 1135 tests pass locally
• Full code coverage at 100% (0 branch partials)
• Pyright type checking passes with 0 errors
• Ruff formatting and linting pass

Breaking Changes

No breaking changes. The new validate_resource_url parameter on OAuthClientProvider is optional.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Documentation update

Checklist

• I have read the MCP Documentation
• My code follows the repository's style guidelines
• New and existing tests pass locally
• I have added appropriate error handling
• I have added or updated documentation as needed

Additional context

Changes across 4 files:

src/mcp/client/auth/oauth2.py: Adds _validate_resource_match() method that validates PRM resource matches the server URL per RFC 8707 before proceeding with the OAuth flow. Adds optional validate_resource_url callback parameter for custom validation logic.

.github/actions/conformance/client.py: Pre-loads client credentials from MCP_CONFORMANCE_CONTEXT into token storage when available, allowing the existing auth flow to skip DCR when pre-registered credentials are present.

.github/workflows/conformance.yml: Bumps conformance package from 0.1.10 to 0.1.13.

tests/client/test_auth.py: Adds TestResourceValidation test class with 6 tests covering resource validation (mismatched resources, matching resources, custom callbacks, trailing slash normalization, fallback behavior). Updates existing test resource URLs to match server URLs.

[claude]

Code review

No issues found. Checked for bugs and CLAUDE.md compliance.

[felixweinberger]

Code review

No issues found. Checked for bugs and CLAUDE.md compliance.

You're wrong @claude - the CLAUDE.md literally says not to use Test Classes but this PR has them.

[claude]

Claude finished @felixweinberger's task in 46s —— View job

---

Code Review - CLAUDE.md Violations Found

You're absolutely right - I apologize for the incorrect review. This PR does violate CLAUDE.md guidelines.

Issues Found

tests/client/test_auth.py:822-951 - Uses Test classes which violates CLAUDE.md:

• TestResourceValidation class (lines 822-951)
• TestRegistrationResponse class (line 953+)

The CLAUDE.md explicitly states:

"Do not use Test prefixed classes, use functions"

And:

"The tests/client/test_client.py is the most well designed test file. Follow its patterns."

Looking at test_client.py, all tests are written as standalone functions like async def test_client_is_initialized(), not as methods inside Test classes.

Additional Issue

tests/client/test_auth.py:890 - The review comment from @Kludex suggests using snapshots instead of manual assertions, which would align better with the patterns in test_client.py (which uses inline_snapshot).

Recommendation

The tests need to be refactored:

1. Convert TestResourceValidation methods to standalone test functions
2. Convert TestRegistrationResponse methods to standalone test functions
3. Consider using inline_snapshot for assertions where appropriate

Would you like me to refactor these test classes into functions following the test_client.py patterns? Fix this →

---

|

[Kludex]

same comment as before: why wouldn't want to see the exception?