feat: check for CIMD of authorization server metadata

Author: tnorimat

src/checks/checks.test.ts

@@ -15,7 +15,7 @@ describe('createClientInitializationCheck', () => {
     expect(check.errorMessage).toBeUndefined();
   });
 
-  it('should return FAILURE when protocol version is missing', () => {
+  it('should return WARNING when protocol version is missing', () => {
     const invalidRequest = {
       clientInfo: {
         name: 'TestClient',
@@ -24,11 +24,11 @@ describe('createClientInitializationCheck', () => {
     };
 
     const check = createClientInitializationCheck(invalidRequest);
-    expect(check.status).toBe('FAILURE');
+    expect(check.status).toBe('WARNING');
     expect(check.errorMessage).toContain('Protocol version not provided');
   });
 
-  it('should return FAILURE when protocol version does not match', () => {
+  it('should return WARNING when protocol version does not match', () => {
     const invalidRequest = {
       protocolVersion: '2024-11-05',
       clientInfo: {
@@ -38,11 +38,11 @@ describe('createClientInitializationCheck', () => {
     };
 
     const check = createClientInitializationCheck(invalidRequest);
-    expect(check.status).toBe('FAILURE');
+    expect(check.status).toBe('WARNING');
     expect(check.errorMessage).toContain('Version mismatch');
   });
 
-  it('should return FAILURE when client name is missing', () => {
+  it('should return WARNING when client name is missing', () => {
     const invalidRequest = {
       protocolVersion: '2025-06-18',
       clientInfo: {
@@ -51,11 +51,11 @@ describe('createClientInitializationCheck', () => {
     };
 
     const check = createClientInitializationCheck(invalidRequest);
-    expect(check.status).toBe('FAILURE');
+    expect(check.status).toBe('WARNING');
     expect(check.errorMessage).toContain('Client name missing');
   });
 
-  it('should return FAILURE when client version is missing', () => {
+  it('should return WARNING when client version is missing', () => {
     const invalidRequest = {
       protocolVersion: '2025-06-18',
       clientInfo: {
@@ -64,7 +64,7 @@ describe('createClientInitializationCheck', () => {
     };
 
     const check = createClientInitializationCheck(invalidRequest);
-    expect(check.status).toBe('FAILURE');
+    expect(check.status).toBe('WARNING');
     expect(check.errorMessage).toContain('Client version missing');
   });
 

src/checks/client.ts

@@ -48,7 +48,7 @@ export function createClientInitializationCheck(
   if (!initializeRequest?.clientInfo?.version)
     errors.push('Client version missing');
 
-  const status: CheckStatus = errors.length === 0 ? 'SUCCESS' : 'FAILURE';
+  const status: CheckStatus = errors.length === 0 ? 'SUCCESS' : 'WARNING';
 
   return {
     id: 'mcp-client-initialization',

src/index.ts

@@ -495,7 +495,8 @@ program
           const result = await runAuthorizationServerConformanceTest(
             validated.url,
             scenarioName,
-            outputDir
+            outputDir,
+            specVersionFilter
           );
           allResults.push({ scenario: scenarioName, checks: result.checks });
         } catch (error) {

src/runner/authorization-server.ts

@@ -1,13 +1,14 @@
 import { promises as fs } from 'fs';
 import path from 'path';
-import { ConformanceCheck } from '../types';
+import { ConformanceCheck, SpecVersion } from '../types';
 import { getClientScenarioForAuthorizationServer } from '../scenarios';
 import { createResultDir } from './utils';
 
 export async function runAuthorizationServerConformanceTest(
   serverUrl: string,
   scenarioName: string,
-  outputDir?: string
+  outputDir?: string,
+  specVersion?: SpecVersion
 ): Promise<{
   checks: ConformanceCheck[];
   resultDir?: string;
@@ -31,7 +32,7 @@ export async function runAuthorizationServerConformanceTest(
     `Running client scenario for authorization server '${scenarioName}' against server: ${serverUrl}`
   );
 
-  const checks = await scenario.run(serverUrl);
+  const checks = await scenario.run(serverUrl, specVersion);
 
   if (resultDir) {
     await fs.writeFile(

src/scenarios/authorization-server/authorization-server-metadata.test.ts

@@ -88,4 +88,84 @@ describe('AuthorizationServerMetadataEndpointScenario', () => {
     expect(check.status).toBe('FAILURE');
     expect(check.errorMessage).toContain('code_challenge_methods_supported');
   });
+
+  it('returns SUCCESS for CIMD check when server metadata includes client_id_metadata_document_supported=true with spec version 2025-11-25', async () => {
+    const scenario = new AuthorizationServerMetadataEndpointScenario();
+    mockMetadataResponse({
+      ...validMetadata,
+      client_id_metadata_document_supported: true
+    });
+
+    const checks = await scenario.run(SERVER_URL, '2025-11-25');
+
+    expect(checks).toHaveLength(2);
+
+    const metadataCheck = checks[0];
+    expect(metadataCheck.status).toBe('SUCCESS');
+
+    const cimdCheck = checks[1];
+    expect(cimdCheck.id).toBe('authorization-server-metadata-cimd');
+    expect(cimdCheck.status).toBe('SUCCESS');
+    expect(cimdCheck.errorMessage).toBeUndefined();
+    expect(cimdCheck.details).toEqual({
+      client_id_metadata_document_supported: true
+    });
+  });
+
+  it('returns FAILURE for CIMD check when server metadata lacks client_id_metadata_document_supported with spec version 2025-11-25', async () => {
+    const scenario = new AuthorizationServerMetadataEndpointScenario();
+    mockMetadataResponse(validMetadata);
+
+    const checks = await scenario.run(SERVER_URL, '2025-11-25');
+
+    expect(checks).toHaveLength(2);
+
+    const metadataCheck = checks[0];
+    expect(metadataCheck.status).toBe('SUCCESS');
+
+    const cimdCheck = checks[1];
+    expect(cimdCheck.id).toBe('authorization-server-metadata-cimd');
+    expect(cimdCheck.status).toBe('FAILURE');
+    expect(cimdCheck.errorMessage).toContain(
+      'client_id_metadata_document_supported'
+    );
+  });
+
+  it('returns FAILURE for CIMD check when client_id_metadata_document_supported is false with spec version 2025-11-25', async () => {
+    const scenario = new AuthorizationServerMetadataEndpointScenario();
+    mockMetadataResponse({
+      ...validMetadata,
+      client_id_metadata_document_supported: false
+    });
+
+    const checks = await scenario.run(SERVER_URL, '2025-11-25');
+
+    expect(checks).toHaveLength(2);
+
+    const metadataCheck = checks[0];
+    expect(metadataCheck.status).toBe('SUCCESS');
+
+    const cimdCheck = checks[1];
+    expect(cimdCheck.id).toBe('authorization-server-metadata-cimd');
+    expect(cimdCheck.status).toBe('FAILURE');
+    expect(cimdCheck.errorMessage).toContain(
+      'client_id_metadata_document_supported'
+    );
+    expect(cimdCheck.errorMessage).toContain('false');
+  });
+
+  it('does not add CIMD check when spec version is 2025-06-18 even if claim is false', async () => {
+    const scenario = new AuthorizationServerMetadataEndpointScenario();
+    mockMetadataResponse({
+      ...validMetadata,
+      client_id_metadata_document_supported: false
+    });
+
+    const checks = await scenario.run(SERVER_URL, '2025-06-18');
+
+    expect(checks).toHaveLength(1);
+
+    const metadataCheck = checks[0];
+    expect(metadataCheck.status).toBe('SUCCESS');
+  });
 });

src/scenarios/authorization-server/authorization-server-metadata.ts

@@ -25,11 +25,15 @@ export class AuthorizationServerMetadataEndpointScenario implements ClientScenar
 - Return a JSON response including issuer, authorization_endpoint, token_endpoint and response_types_supported
 - The issuer value MUST match the URI obtained by removing the well-known URI string from the authorization server metadata URI.`;
 
-  async run(serverUrl: string): Promise<ConformanceCheck[]> {
+  async run(
+    serverUrl: string,
+    specVersion?: SpecVersion
+  ): Promise<ConformanceCheck[]> {
     let status: Status = 'SUCCESS';
     let errorMessage: string | undefined;
     let details: any;
     let response: any | null = null;
+    let body: Record<string, any> | undefined;
     try {
       const wellKnownUrls = this.createWellKnownUrl(serverUrl);
 
@@ -53,7 +57,7 @@ export class AuthorizationServerMetadataEndpointScenario implements ClientScenar
 
       this.validateContentType(response.headers['content-type']);
 
-      const body = await this.parseJson(response);
+      body = await this.parseJson(response);
       const errors: string[] = [];
       this.validateMetadataBody(body, serverUrl, errors);
 
@@ -71,7 +75,7 @@ export class AuthorizationServerMetadataEndpointScenario implements ClientScenar
       errorMessage = error instanceof Error ? error.message : String(error);
     }
 
-    return [
+    const checks: ConformanceCheck[] = [
       {
         id: 'authorization-server-metadata',
         name: 'AuthorizationServerMetadata',
@@ -88,6 +92,38 @@ export class AuthorizationServerMetadataEndpointScenario implements ClientScenar
         ...(details ? { details } : {})
       }
     ];
+
+    if (specVersion === '2025-11-25' && body) {
+      const cimdSupported = body.client_id_metadata_document_supported;
+      const cimdStatus: Status = cimdSupported === true ? 'SUCCESS' : 'FAILURE';
+      const cimdErrorMessage =
+        cimdSupported === true
+          ? undefined
+          : cimdSupported === undefined
+            ? 'Authorization server metadata does not include "client_id_metadata_document_supported"'
+            : `Expected "client_id_metadata_document_supported" to be true, got ${JSON.stringify(cimdSupported)}`;
+
+      checks.push({
+        id: 'authorization-server-metadata-cimd',
+        name: 'AuthorizationServerMetadataCIMD',
+        description:
+          'Authorization server metadata includes client_id_metadata_document_supported=true',
+        status: cimdStatus,
+        timestamp: new Date().toISOString(),
+        errorMessage: cimdErrorMessage,
+        specReferences: [
+          {
+            id: 'IETF-OAuth-Client-ID-Metadata-Document',
+            url: 'https://www.ietf.org/archive/id/draft-ietf-oauth-client-id-metadata-document-01.html#name-authorization-server-metada'
+          }
+        ],
+        details: {
+          client_id_metadata_document_supported: cimdSupported
+        }
+      });
+    }
+
+    return checks;
   }
 
   private createWellKnownUrl(serverUrl: string): string[] {

src/types.ts

@@ -65,5 +65,8 @@ export interface ClientScenarioForAuthorizationServer {
   name: string;
   description: string;
   specVersions: SpecVersion[];
-  run(serverUrl: string): Promise<ConformanceCheck[]>;
+  run(
+    serverUrl: string,
+    specVersion?: SpecVersion
+  ): Promise<ConformanceCheck[]>;
 }