refactor: keep StrictOidcDiscoveryMetadataPolicy strict, add LenientOidcDiscoveryMetadataPolicy

- StrictOidcDiscoveryMetadataPolicy remains RFC-aligned: requires code_challenge_methods_supported
- LenientOidcDiscoveryMetadataPolicy accepts missing code_challenge_methods_supported for
  providers like FusionAuth and Microsoft Entra ID that omit it despite supporting PKCE with S256
- If code_challenge_methods_supported is present, both policies validate it strictly
- Update OidcDiscoveryTest with tests for both policies
- Update Microsoft example README to reference the built-in lenient policy

Author: simonchrz

CHANGELOG.md

@@ -9,7 +9,7 @@ All notable changes to `mcp/sdk` will be documented in this file.
 * Add client component for building MCP clients
 * Add `Builder::setReferenceHandler()` to allow custom `ReferenceHandlerInterface` implementations (e.g. authorization decorators)
 * Add elicitation enum schema types per SEP-1330: `TitledEnumSchemaDefinition`, `MultiSelectEnumSchemaDefinition`, `TitledMultiSelectEnumSchemaDefinition`
-* Add `LenientOidcDiscoveryMetadataPolicy` for identity providers that omit `code_challenge_methods_supported` in OIDC discovery
+* Add `LenientOidcDiscoveryMetadataPolicy` for identity providers that omit `code_challenge_methods_supported` (e.g. FusionAuth, Microsoft Entra ID)
 * Add OAuth 2.0 Dynamic Client Registration middleware (RFC 7591)
 
 0.4.0

examples/server/oauth-microsoft/README.md

@@ -198,8 +198,11 @@ Microsoft's JWKS endpoint is public. Ensure your container can reach:
 
 ### `code_challenge_methods_supported` missing in discovery metadata
 
-This example configures `OidcDiscovery` with `MicrosoftOidcMetadataPolicy`, so this
-field can be missing or malformed and will not fail discovery.
+The default `StrictOidcDiscoveryMetadataPolicy` requires `code_challenge_methods_supported`.
+Microsoft Entra ID omits this field despite supporting PKCE with S256.
+Use the built-in `LenientOidcDiscoveryMetadataPolicy` which accepts missing `code_challenge_methods_supported`
+(defaults to S256 downstream). The `MicrosoftOidcMetadataPolicy` in this example demonstrates
+how to implement a custom policy via `OidcDiscoveryMetadataPolicyInterface`.
 
 ### Graph API errors
 

src/Server/Transport/Http/OAuth/LenientOidcDiscoveryMetadataPolicy.php

@@ -0,0 +1,54 @@
+<?php
+
+/*
+ * This file is part of the official PHP MCP SDK.
+ *
+ * A collaboration between Symfony and the PHP Foundation.
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Mcp\Server\Transport\Http\OAuth;
+
+/**
+ * Lenient metadata policy for identity providers that omit
+ * code_challenge_methods_supported from their OIDC discovery response
+ * despite supporting PKCE (e.g. FusionAuth, Microsoft Entra ID).
+ *
+ * If code_challenge_methods_supported is present, it is still validated.
+ * If absent, the downstream OAuthProxyMiddleware defaults to ['S256'].
+ *
+ * @author Simon Chrzanowski <simon.chrzanowski@quentic.com>
+ */
+final class LenientOidcDiscoveryMetadataPolicy implements OidcDiscoveryMetadataPolicyInterface
+{
+    public function isValid(mixed $metadata): bool
+    {
+        if (!\is_array($metadata)
+            || !isset($metadata['authorization_endpoint'], $metadata['token_endpoint'], $metadata['jwks_uri'])
+            || !\is_string($metadata['authorization_endpoint'])
+            || '' === trim($metadata['authorization_endpoint'])
+            || !\is_string($metadata['token_endpoint'])
+            || '' === trim($metadata['token_endpoint'])
+            || !\is_string($metadata['jwks_uri'])
+            || '' === trim($metadata['jwks_uri'])
+        ) {
+            return false;
+        }
+
+        if (isset($metadata['code_challenge_methods_supported'])) {
+            if (!\is_array($metadata['code_challenge_methods_supported']) || [] === $metadata['code_challenge_methods_supported']) {
+                return false;
+            }
+
+            foreach ($metadata['code_challenge_methods_supported'] as $method) {
+                if (!\is_string($method) || '' === trim($method)) {
+                    return false;
+                }
+            }
+        }
+
+        return true;
+    }
+}

tests/Unit/Server/Transport/Http/OAuth/LenientOidcDiscoveryMetadataPolicyTest.php

@@ -0,0 +1,111 @@
+<?php
+
+/*
+ * This file is part of the official PHP MCP SDK.
+ *
+ * A collaboration between Symfony and the PHP Foundation.
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Mcp\Tests\Unit\Server\Transport\Http\OAuth;
+
+use Mcp\Server\Transport\Http\OAuth\LenientOidcDiscoveryMetadataPolicy;
+use PHPUnit\Framework\Attributes\TestDox;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * Tests LenientOidcDiscoveryMetadataPolicy validation behavior.
+ *
+ * @author Simon Chrzanowski <simon.chrzanowski@quentic.com>
+ */
+class LenientOidcDiscoveryMetadataPolicyTest extends TestCase
+{
+    #[TestDox('metadata without code challenge methods is valid (defaults to S256 downstream)')]
+    public function testMissingCodeChallengeMethodsIsValid(): void
+    {
+        $policy = new LenientOidcDiscoveryMetadataPolicy();
+        $metadata = [
+            'authorization_endpoint' => 'https://auth.example.com/authorize',
+            'token_endpoint' => 'https://auth.example.com/token',
+            'jwks_uri' => 'https://auth.example.com/jwks',
+        ];
+
+        $this->assertTrue($policy->isValid($metadata));
+    }
+
+    #[TestDox('valid code challenge methods list is accepted')]
+    public function testValidCodeChallengeMethodsIsAccepted(): void
+    {
+        $policy = new LenientOidcDiscoveryMetadataPolicy();
+        $metadata = [
+            'authorization_endpoint' => 'https://auth.example.com/authorize',
+            'token_endpoint' => 'https://auth.example.com/token',
+            'jwks_uri' => 'https://auth.example.com/jwks',
+            'code_challenge_methods_supported' => ['S256'],
+        ];
+
+        $this->assertTrue($policy->isValid($metadata));
+    }
+
+    #[TestDox('empty code challenge methods list is invalid')]
+    public function testEmptyCodeChallengeMethodsIsInvalid(): void
+    {
+        $policy = new LenientOidcDiscoveryMetadataPolicy();
+        $metadata = [
+            'authorization_endpoint' => 'https://auth.example.com/authorize',
+            'token_endpoint' => 'https://auth.example.com/token',
+            'jwks_uri' => 'https://auth.example.com/jwks',
+            'code_challenge_methods_supported' => [],
+        ];
+
+        $this->assertFalse($policy->isValid($metadata));
+    }
+
+    #[TestDox('non string code challenge method is invalid')]
+    public function testNonStringCodeChallengeMethodIsInvalid(): void
+    {
+        $policy = new LenientOidcDiscoveryMetadataPolicy();
+        $metadata = [
+            'authorization_endpoint' => 'https://auth.example.com/authorize',
+            'token_endpoint' => 'https://auth.example.com/token',
+            'jwks_uri' => 'https://auth.example.com/jwks',
+            'code_challenge_methods_supported' => ['S256', 123],
+        ];
+
+        $this->assertFalse($policy->isValid($metadata));
+    }
+
+    #[TestDox('missing required fields is invalid')]
+    public function testMissingRequiredFieldsIsInvalid(): void
+    {
+        $policy = new LenientOidcDiscoveryMetadataPolicy();
+
+        $this->assertFalse($policy->isValid([
+            'authorization_endpoint' => 'https://auth.example.com/authorize',
+            'token_endpoint' => 'https://auth.example.com/token',
+            // missing jwks_uri
+        ]));
+    }
+
+    #[TestDox('empty string endpoint is invalid')]
+    public function testEmptyStringEndpointIsInvalid(): void
+    {
+        $policy = new LenientOidcDiscoveryMetadataPolicy();
+
+        $this->assertFalse($policy->isValid([
+            'authorization_endpoint' => '',
+            'token_endpoint' => 'https://auth.example.com/token',
+            'jwks_uri' => 'https://auth.example.com/jwks',
+        ]));
+    }
+
+    #[TestDox('non-array input is invalid')]
+    public function testNonArrayInputIsInvalid(): void
+    {
+        $policy = new LenientOidcDiscoveryMetadataPolicy();
+
+        $this->assertFalse($policy->isValid('not an array'));
+    }
+}

tests/Unit/Server/Transport/Http/OAuth/OidcDiscoveryTest.php

@@ -12,6 +12,7 @@
 namespace Mcp\Tests\Unit\Server\Transport\Http\OAuth;
 
 use Mcp\Exception\RuntimeException;
+use Mcp\Server\Transport\Http\OAuth\LenientOidcDiscoveryMetadataPolicy;
 use Mcp\Server\Transport\Http\OAuth\OidcDiscovery;
 use Nyholm\Psr7\Factory\Psr17Factory;
 use PHPUnit\Framework\Attributes\TestDox;
@@ -51,7 +52,7 @@ public function testDiscoverRejectsMetadataWithoutCodeChallengeMethodsSupported(
 
         $factory = new Psr17Factory();
         $issuer = 'https://auth.example.com';
-        $metadataWithoutCodeChallengeMethods = [
+        $metadata = [
             'issuer' => $issuer,
             'authorization_endpoint' => 'https://auth.example.com/oauth2/v2.0/authorize',
             'token_endpoint' => 'https://auth.example.com/oauth2/v2.0/token',
@@ -62,7 +63,7 @@ public function testDiscoverRejectsMetadataWithoutCodeChallengeMethodsSupported(
         $httpClient->expects($this->exactly(2))
             ->method('sendRequest')
             ->willReturn($factory->createResponse(200)->withBody(
-                $factory->createStream(json_encode($metadataWithoutCodeChallengeMethods, \JSON_THROW_ON_ERROR)),
+                $factory->createStream(json_encode($metadata, \JSON_THROW_ON_ERROR)),
             ));
 
         $discovery = new OidcDiscovery(
@@ -75,6 +76,39 @@ public function testDiscoverRejectsMetadataWithoutCodeChallengeMethodsSupported(
         $discovery->discover($issuer);
     }
 
+    #[TestDox('lenient discovery accepts metadata without code challenge methods')]
+    public function testDiscoverAcceptsMetadataWithoutCodeChallengeMethodsUsingLenientPolicy(): void
+    {
+        $this->skipIfPsrHttpClientIsMissing();
+
+        $factory = new Psr17Factory();
+        $issuer = 'https://auth.example.com';
+        $metadata = [
+            'issuer' => $issuer,
+            'authorization_endpoint' => 'https://auth.example.com/oauth2/v2.0/authorize',
+            'token_endpoint' => 'https://auth.example.com/oauth2/v2.0/token',
+            'jwks_uri' => 'https://auth.example.com/discovery/v2.0/keys',
+        ];
+
+        $httpClient = $this->createMock(ClientInterface::class);
+        $httpClient->expects($this->once())
+            ->method('sendRequest')
+            ->willReturn($factory->createResponse(200)->withBody(
+                $factory->createStream(json_encode($metadata, \JSON_THROW_ON_ERROR)),
+            ));
+
+        $discovery = new OidcDiscovery(
+            httpClient: $httpClient,
+            requestFactory: $factory,
+            metadataPolicy: new LenientOidcDiscoveryMetadataPolicy(),
+        );
+
+        $result = $discovery->discover($issuer);
+
+        $this->assertSame($metadata['authorization_endpoint'], $result['authorization_endpoint']);
+        $this->assertArrayNotHasKey('code_challenge_methods_supported', $result);
+    }
+
     #[TestDox('discover falls back to the next metadata URL when first response is invalid')]
     public function testDiscoverFallsBackOnInvalidMetadataResponse(): void
     {