Clean up provider interface

src/mcp/server/auth/handlers/authorize.py

@@ -36,9 +36,9 @@ class AuthorizationRequest(BaseModel):
 
     response_type: Literal["code"] = Field(..., description="Must be 'code' for authorization code flow")
     code_challenge: str = Field(..., description="PKCE code challenge")
-    code_challenge_method: Literal["S256"] = Field("S256", description="PKCE code challenge method")
+    code_challenge_method: Literal["S256"] = Field("S256", description="PKCE code challenge method, must be S256")
     state: Optional[str] = Field(None, description="Optional state parameter")
-    scope: Optional[str] = Field(None, description="Optional scope parameter")
+    scope: Optional[str] = Field(None, description="Optional scope; if specified, should be a space-separated list of scope strings")
 
     class Config:
         extra = "ignore"
@@ -113,12 +113,21 @@ async def authorization_handler(request: Request) -> Response:
             code_challenge=auth_request.code_challenge,
             redirect_uri=redirect_uri,
         )
-
-        response = RedirectResponse(url="", status_code=302, headers={"Cache-Control": "no-store"})
 
         try:
             # Let the provider handle the authorization flow
-            await provider.authorize(client, auth_params, response)
+            authorization_code = await provider.create_authorization_code(client, auth_params)
+            response = RedirectResponse(url="", status_code=302, headers={"Cache-Control": "no-store"})
+
+            # Redirect with code
+            parsed_uri = urlparse(str(auth_params.redirect_uri))
+            query_params = [(k, v) for k, vs in parse_qs(parsed_uri.query) for v in vs]
+            query_params.append(("code", authorization_code))
+            if auth_params.state:
+                query_params.append(("state", auth_params.state))
+
+            redirect_url = urlunparse(parsed_uri._replace(query=urlencode(query_params)))
+            response.headers["location"] = redirect_url
 
             return response
         except Exception as e:

src/mcp/server/auth/handlers/token.py

@@ -88,6 +88,10 @@ async def token_handler(request: Request):
 
         match token_request:
             case AuthorizationCodeRequest():
+                # TODO: verify that the redirect URIs match; does the client actually provide this?
+                # see https://datatracker.ietf.org/doc/html/rfc6749#section-10.6
+                # TODO: enforce TTL on the authorization code
+
                 # Verify PKCE code verifier
                 expected_challenge = await provider.challenge_for_authorization_code(
                     client_info, token_request.code

src/mcp/server/auth/provider.py

@@ -72,19 +72,15 @@ def clients_store(self) -> OAuthRegisteredClientsStore:
         """
         ...
 
-    # TODO: do we really want to be putting the response in this method?
-    async def authorize(self, 
+    async def create_authorization_code(self, 
                        client: OAuthClientInformationFull, 
-                       params: AuthorizationParams, 
-                       response: Response) -> None:
+                       params: AuthorizationParams) -> str:
         """
-        Begins the authorization flow, which can be implemented by this server or via redirection.
-        Must eventually issue a redirect with authorization response or error to the given redirect URI.
-
-        Args:
-            client: The client requesting authorization.
-            params: Parameters for the authorization request.
-            response: The response object to write to.
+        Generates and stores an authorization code as part of completing the /authorize OAuth step.
+
+        Implementations SHOULD generate an authorization code with at least 160 bits of entropy,
+        and MUST generate an authorization code with at least 128 bits of entropy.
+        See https://datatracker.ietf.org/doc/html/rfc6749#section-10.10.
         """
         ...
 

tests/server/fastmcp/auth/test_auth_integration.py

@@ -64,10 +64,9 @@ def __init__(self):
     def clients_store(self) -> OAuthRegisteredClientsStore:
         return self.client_store
 
-    async def authorize(self, 
+    async def create_authorization_code(self, 
                      client: OAuthClientInformationFull, 
-                     params: AuthorizationParams, 
-                     response: Response):
+                     params: AuthorizationParams) -> str:
         # Generate an authorization code
         code = f"code_{int(time.time())}"
 
@@ -78,14 +77,9 @@ async def authorize(self,
             "redirect_uri": params.redirect_uri,
             "expires_at": int(time.time()) + 600,  # 10 minutes
         }
-
-        # Redirect with code
-        query = {"code": code}
-        if params.state:
-            query["state"] = params.state
-
-        redirect_url = f"{params.redirect_uri}?" + "&".join([f"{k}={v}" for k, v in query.items()])
-        response.headers["location"] = redirect_url
+
+        return code
+
 
     async def challenge_for_authorization_code(self, 
                                        client: OAuthClientInformationFull,