feat: expose token_endpoint_auth_method in gateway admin UI

Add a dropdown to the gateway add and edit forms allowing admins to
select between client_secret_post (default) and client_secret_basic
for the OAuth2 token endpoint authentication method (RFC 6749 Section
2.3).

Some OAuth providers (e.g. Freshworks/Freshservice) require
client_secret_basic (HTTP Basic Auth header) rather than the default
client_secret_post (credentials in POST body). Without this UI field,
reconfiguring a gateway through the admin panel silently drops the
token_endpoint_auth_method setting, causing token exchange failures.

Changes:
- admin.py: Read oauth_token_endpoint_auth_method from form data in
  both admin_add_gateway and admin_edit_gateway
- admin.html: Add select dropdown in both add and edit gateway forms
- admin.js: Populate the dropdown with existing value when editing

Fixes #3991

Signed-off-by: Olivier Gintrand <olivier.gintrand@forterro.com>

Author: Olivier Gintrand

mcpgateway/admin.py

@@ -11930,6 +11930,11 @@ async def admin_add_gateway(request: Request, db: Session = Depends(get_db), use
                     if scopes:
                         oauth_config["scopes"] = scopes
 
+                # Token endpoint auth method (RFC 6749 Section 2.3)
+                oauth_token_endpoint_auth_method = str(form.get("oauth_token_endpoint_auth_method", ""))
+                if oauth_token_endpoint_auth_method:
+                    oauth_config["token_endpoint_auth_method"] = oauth_token_endpoint_auth_method
+
                 LOGGER.info(f"✅ Assembled OAuth config from UI form fields: grant_type={oauth_grant_type}, issuer={oauth_issuer}")
                 LOGGER.info(f"DEBUG: Complete oauth_config = {oauth_config}")
 
@@ -12202,6 +12207,11 @@ async def admin_edit_gateway(
                     if scopes:
                         oauth_config["scopes"] = scopes
 
+                # Token endpoint auth method (RFC 6749 Section 2.3)
+                oauth_token_endpoint_auth_method = str(form.get("oauth_token_endpoint_auth_method", ""))
+                if oauth_token_endpoint_auth_method:
+                    oauth_config["token_endpoint_auth_method"] = oauth_token_endpoint_auth_method
+
                 LOGGER.info(f"✅ Assembled OAuth config from UI form fields (edit): grant_type={oauth_grant_type}, issuer={oauth_issuer}")
 
         user_email = get_user_email(user)

mcpgateway/static/admin.js

@@ -6306,6 +6306,9 @@ async function editGateway(gatewayId) {
         );
         const oauthIssuerField = safeGetElement("oauth-issuer-gw-edit");
         const oauthScopesField = safeGetElement("oauth-scopes-gw-edit");
+        const oauthTokenEndpointAuthMethodField = safeGetElement(
+            "oauth-token-endpoint-auth-method-gw-edit",
+        );
         const oauthAuthCodeFields = safeGetElement(
             "oauth-auth-code-fields-gw-edit",
         );
@@ -6436,6 +6439,13 @@ async function editGateway(gatewayId) {
                             ? config.scopes.join(" ")
                             : "";
                     }
+                    if (
+                        oauthTokenEndpointAuthMethodField &&
+                        config.token_endpoint_auth_method
+                    ) {
+                        oauthTokenEndpointAuthMethodField.value =
+                            config.token_endpoint_auth_method;
+                    }
                 }
                 break;
             case "query_param":

mcpgateway/templates/admin.html

@@ -5983,6 +5983,25 @@ <h3 class="text-lg font-bold mb-4 dark:text-gray-200">
                       read:user")
                     </p>
                   </div>
+
+                  <div>
+                    <label
+                      class="block text-sm font-medium text-gray-700 dark:text-gray-300"
+                    >
+                      Token Endpoint Auth Method
+                    </label>
+                    <select
+                      name="oauth_token_endpoint_auth_method"
+                      id="oauth-token-endpoint-auth-method-gw"
+                      class="mt-1 px-1.5 block w-full rounded-md border border-gray-300 dark:border-gray-700 shadow-sm focus:border-indigo-500 focus:ring-indigo-500 dark:bg-gray-900 dark:text-gray-300"
+                    >
+                      <option value="client_secret_post">client_secret_post (credentials in POST body)</option>
+                      <option value="client_secret_basic">client_secret_basic (HTTP Basic Auth header)</option>
+                    </select>
+                    <p class="mt-1 text-sm text-gray-500">
+                      How client credentials are sent to the token endpoint (RFC 6749 Section 2.3)
+                    </p>
+                  </div>
                 </div>
               </div>
 
@@ -10255,6 +10274,25 @@ <h3 class="text-lg font-medium text-gray-900 dark:text-gray-100">
                               read:user")
                             </p>
                           </div>
+
+                          <div>
+                            <label
+                              class="block text-sm font-medium text-gray-700 dark:text-gray-300"
+                            >
+                              Token Endpoint Auth Method
+                            </label>
+                            <select
+                              name="oauth_token_endpoint_auth_method"
+                              id="oauth-token-endpoint-auth-method-gw-edit"
+                              class="mt-1 px-1.5 block w-full rounded-md border border-gray-300 shadow-sm focus:border-indigo-500 focus:ring-indigo-500 dark:bg-gray-900 dark:text-gray-300"
+                            >
+                              <option value="client_secret_post">client_secret_post (credentials in POST body)</option>
+                              <option value="client_secret_basic">client_secret_basic (HTTP Basic Auth header)</option>
+                            </select>
+                            <p class="mt-1 text-sm text-gray-500">
+                              How client credentials are sent to the token endpoint (RFC 6749 Section 2.3)
+                            </p>
+                          </div>
                         </div>
                       </div>
                     </div>