feat(oauth): support client_secret_basic token endpoint auth method (RFC 6749)

Olivier Gintrand · Olivier Gintrand · commit 793068800687 · 2026-04-14T17:33:19.000+02:00
Signed-off-by: Olivier Gintrand &lt;olivier.gintrand@forterro.com&gt;
diff --git a/.env.example b/.env.example
@@ -2136,6 +2136,11 @@ OTEL_EXPORTER_OTLP_ENDPOINT=http://localhost:4317
 # TOOL_CONCURRENT_LIMIT=10
 # GATEWAY_TOOL_NAME_SEPARATOR=-
 
+# Maximum length of response text returned for non-JSON REST API responses
+# Longer responses are truncated to prevent exposing excessive sensitive data
+# Default: 5000 characters, Range: 1000-100000
+# REST_RESPONSE_TEXT_MAX_LENGTH=5000
+
 # Prompt Configuration
 # PROMPT_CACHE_SIZE=100
 # MAX_PROMPT_SIZE=102400
diff --git a/.secrets.baseline b/.secrets.baseline
@@ -3,7 +3,7 @@
     "files": "^.secrets.baseline|package-lock.json|Cargo.lock|scripts/sign_image.sh|scripts/zap|sonar-project.properties|uv.lock|go.sum|mcpgateway/sri_hashes.json|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2026-04-14T13:09:46Z",
+  "generated_at": "2026-04-14T14:08:10Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -4830,7 +4830,7 @@
         "hashed_secret": "ff37a98a9963d347e9749a5c1b3936a4a245a6ff",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 2228,
+        "line_number": 2236,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -8624,39 +8624,39 @@
         "hashed_secret": "ee977806d7286510da8b9a7492ba58e2484c0ecc",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 6376,
+        "line_number": 6907,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "f2e7745f43b0ef0e2c2faf61d6c6a28be2965750",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 6868,
+        "line_number": 7399,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "4a249743d4d2241bd2ae085b4fe654d089488295",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 8215,
+        "line_number": 8746,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "0c8d051d3c7eada5d31b53d9936fce6bcc232ae2",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 8357,
+        "line_number": 8888,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "f2b14f68eb995facb3a1c35287b778d5bd785511",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 8733,
+        "line_number": 9264,
         "type": "Secret Keyword",
         "verified_result": null
       }
diff --git a/mcpgateway/admin.py b/mcpgateway/admin.py
@@ -12139,6 +12139,11 @@ async def admin_add_gateway(request: Request, db: Session = Depends(get_db), use
                     if scopes:
                         oauth_config["scopes"] = scopes
 
+                # Token endpoint auth method (RFC 6749 Section 2.3)
+                oauth_token_endpoint_auth_method = str(form.get("oauth_token_endpoint_auth_method", ""))
+                if oauth_token_endpoint_auth_method:
+                    oauth_config["token_endpoint_auth_method"] = oauth_token_endpoint_auth_method
+
                 LOGGER.info(f"✅ Assembled OAuth config from UI form fields: grant_type={oauth_grant_type}, issuer={oauth_issuer}")
                 LOGGER.info(f"DEBUG: Complete oauth_config = {oauth_config}")
 
@@ -12411,6 +12416,11 @@ async def admin_edit_gateway(
                     if scopes:
                         oauth_config["scopes"] = scopes
 
+                # Token endpoint auth method (RFC 6749 Section 2.3)
+                oauth_token_endpoint_auth_method = str(form.get("oauth_token_endpoint_auth_method", ""))
+                if oauth_token_endpoint_auth_method:
+                    oauth_config["token_endpoint_auth_method"] = oauth_token_endpoint_auth_method
+
                 LOGGER.info(f"✅ Assembled OAuth config from UI form fields (edit): grant_type={oauth_grant_type}, issuer={oauth_issuer}")
 
         user_email = get_user_email(user)
diff --git a/mcpgateway/admin_ui/gateways.js b/mcpgateway/admin_ui/gateways.js
@@ -400,6 +400,9 @@ export const editGateway = async function (gatewayId) {
     const oauthRedirectUriField = safeGetElement("oauth-redirect-uri-gw-edit");
     const oauthIssuerField = safeGetElement("oauth-issuer-gw-edit");
     const oauthScopesField = safeGetElement("oauth-scopes-gw-edit");
+    const oauthTokenEndpointAuthMethodField = safeGetElement(
+      "oauth-token-endpoint-auth-method-gw-edit"
+    );
     const oauthAuthCodeFields = safeGetElement(
       "oauth-auth-code-fields-gw-edit"
     );
@@ -526,6 +529,13 @@ export const editGateway = async function (gatewayId) {
               ? config.scopes.join(" ")
               : "";
           }
+          if (
+            oauthTokenEndpointAuthMethodField &&
+            config.token_endpoint_auth_method
+          ) {
+            oauthTokenEndpointAuthMethodField.value =
+              config.token_endpoint_auth_method;
+          }
         }
         break;
       case "query_param":
diff --git a/mcpgateway/services/oauth_manager.py b/mcpgateway/services/oauth_manager.py
@@ -1194,17 +1194,31 @@ async def _exchange_code_for_tokens(self, credentials: Dict[str, Any], code: str
         token_url = runtime_credentials["token_url"]
         redirect_uri = runtime_credentials["redirect_uri"]
 
+        # Determine token endpoint authentication method (RFC 6749 Section 2.3)
+        # - "client_secret_post" (default): client_id and client_secret in POST body
+        # - "client_secret_basic": credentials in Authorization: Basic header
+        token_auth_method = credentials.get("token_endpoint_auth_method", "client_secret_post")
+        use_basic_auth = token_auth_method == "client_secret_basic" and client_secret
+
+        # Build HTTP Basic Auth header if required by the provider
+        auth_header = None
+        if use_basic_auth:
+            basic_credentials = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
+            auth_header = {"Authorization": f"Basic {basic_credentials}"}
+
         # Prepare token exchange data
         token_data = {
             "grant_type": "authorization_code",
             "code": code,
             "redirect_uri": redirect_uri,
-            "client_id": client_id,
         }
 
-        # Only include client_secret if present (public clients don't have secrets)
-        if client_secret:
-            token_data["client_secret"] = client_secret
+        # Include client credentials in POST body only when not using Basic auth
+        if not use_basic_auth:
+            token_data["client_id"] = client_id
+            # Only include client_secret if present (public clients don't have secrets)
+            if client_secret:
+                token_data["client_secret"] = client_secret
 
         # Add PKCE code_verifier if present (RFC 7636)
         if code_verifier:
@@ -1229,7 +1243,7 @@ async def _exchange_code_for_tokens(self, credentials: Dict[str, Any], code: str
         for attempt in range(self.max_retries):
             try:
                 client = await self._get_client()
-                response = await client.post(token_url, data=token_data, timeout=self.request_timeout)
+                response = await client.post(token_url, data=token_data, headers=auth_header, timeout=self.request_timeout)
                 response.raise_for_status()
 
                 # GitHub returns form-encoded responses, not JSON
@@ -1294,16 +1308,28 @@ async def refresh_token(self, refresh_token: str, credentials: Dict[str, Any]) -
         if not client_id:
             raise OAuthError("No client_id configured for OAuth provider")
 
+        # Determine token endpoint authentication method (RFC 6749 Section 2.3)
+        token_auth_method = credentials.get("token_endpoint_auth_method", "client_secret_post")
+        use_basic_auth = token_auth_method == "client_secret_basic" and client_secret
+
+        # Build HTTP Basic Auth header if required by the provider
+        auth_header = None
+        if use_basic_auth:
+            basic_credentials = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
+            auth_header = {"Authorization": f"Basic {basic_credentials}"}
+
         # Prepare token refresh request
         token_data = {
             "grant_type": "refresh_token",
             "refresh_token": refresh_token,
-            "client_id": client_id,
         }
 
-        # Add client_secret if available (some providers require it)
-        if client_secret:
-            token_data["client_secret"] = client_secret
+        # Include client credentials in POST body only when not using Basic auth
+        if not use_basic_auth:
+            token_data["client_id"] = client_id
+            # Add client_secret if available (some providers require it)
+            if client_secret:
+                token_data["client_secret"] = client_secret
 
         # Add resource parameter for JWT access token (RFC 8707)
         # Must be included in refresh requests to maintain JWT token type
@@ -1324,7 +1350,7 @@ async def refresh_token(self, refresh_token: str, credentials: Dict[str, Any]) -
         for attempt in range(self.max_retries):
             try:
                 client = await self._get_client()
-                response = await client.post(token_url, data=token_data, timeout=self.request_timeout)
+                response = await client.post(token_url, data=token_data, headers=auth_header, timeout=self.request_timeout)
                 if response.status_code == 200:
                     token_response = response.json()
 
diff --git a/mcpgateway/templates/admin.html b/mcpgateway/templates/admin.html
@@ -293,7 +293,7 @@
     ></script>
     {% else %}
     <script
-      src="https://cdn.jsdelivr.net/npm/alpinejs@3.15.11/dist/cdn.min.js"
+      src="https://cdn.jsdelivr.net/npm/alpinejs@3.15.8/dist/cdn.min.js"
       integrity="{{ sri_hashes.alpinejs }}"
       crossorigin="anonymous"
       defer
@@ -322,7 +322,7 @@
       crossorigin="anonymous">
     </script>
     <script
-      src="https://cdn.jsdelivr.net/npm/dompurify@3.4.0/dist/purify.min.js"
+      src="https://cdn.jsdelivr.net/npm/dompurify@3.3.2/dist/purify.min.js"
       integrity="{{ sri_hashes.dompurify }}"
       crossorigin="anonymous">
     </script>
@@ -5965,6 +5965,25 @@ <h3 class="text-lg font-bold mb-4 dark:text-gray-200">
                       read:user")
                     </p>
                   </div>
+
+                  <div>
+                    <label
+                      class="block text-sm font-medium text-gray-700 dark:text-gray-300"
+                    >
+                      Token Endpoint Auth Method
+                    </label>
+                    <select
+                      name="oauth_token_endpoint_auth_method"
+                      id="oauth-token-endpoint-auth-method-gw"
+                      class="mt-1 px-1.5 block w-full rounded-md border border-gray-300 dark:border-gray-700 shadow-sm focus:border-indigo-500 focus:ring-indigo-500 dark:bg-gray-900 dark:text-gray-300"
+                    >
+                      <option value="client_secret_post">client_secret_post (credentials in POST body)</option>
+                      <option value="client_secret_basic">client_secret_basic (HTTP Basic Auth header)</option>
+                    </select>
+                    <p class="mt-1 text-sm text-gray-500">
+                      How client credentials are sent to the token endpoint (RFC 6749 Section 2.3)
+                    </p>
+                  </div>
                 </div>
               </div>
 
@@ -10274,6 +10293,25 @@ <h3 class="text-lg font-medium text-gray-900 dark:text-gray-100">
                               read:user")
                             </p>
                           </div>
+
+                          <div>
+                            <label
+                              class="block text-sm font-medium text-gray-700 dark:text-gray-300"
+                            >
+                              Token Endpoint Auth Method
+                            </label>
+                            <select
+                              name="oauth_token_endpoint_auth_method"
+                              id="oauth-token-endpoint-auth-method-gw-edit"
+                              class="mt-1 px-1.5 block w-full rounded-md border border-gray-300 shadow-sm focus:border-indigo-500 focus:ring-indigo-500 dark:bg-gray-900 dark:text-gray-300"
+                            >
+                              <option value="client_secret_post">client_secret_post (credentials in POST body)</option>
+                              <option value="client_secret_basic">client_secret_basic (HTTP Basic Auth header)</option>
+                            </select>
+                            <p class="mt-1 text-sm text-gray-500">
+                              How client credentials are sent to the token endpoint (RFC 6749 Section 2.3)
+                            </p>
+                          </div>
                         </div>
                       </div>
                     </div>
