Add auth/cross-app-access-complete-flow to JDK conformance client (SEP-990)

prachi-okta · prachi-okta · commit 20c5628aec55 · 2026-03-18T11:13:55.000+05:30
diff --git a/conformance-tests/client-jdk-http-client/pom.xml b/conformance-tests/client-jdk-http-client/pom.xml
@@ -31,6 +31,13 @@
 			<version>2.0.0-SNAPSHOT</version>
 		</dependency>
 
+		<!-- mcp-core for EnterpriseAuth / EnterpriseAuthProvider (SEP-990) -->
+		<dependency>
+			<groupId>io.modelcontextprotocol.sdk</groupId>
+			<artifactId>mcp-core</artifactId>
+			<version>2.0.0-SNAPSHOT</version>
+		</dependency>
+
 		<!-- Logging -->
 		<dependency>
 			<groupId>ch.qos.logback</groupId>
diff --git a/conformance-tests/client-jdk-http-client/src/main/java/io/modelcontextprotocol/conformance/client/ConformanceJdkClientMcpClient.java b/conformance-tests/client-jdk-http-client/src/main/java/io/modelcontextprotocol/conformance/client/ConformanceJdkClientMcpClient.java
@@ -2,8 +2,15 @@
 
 import java.time.Duration;
 
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.databind.ObjectMapper;
 import io.modelcontextprotocol.client.McpClient;
 import io.modelcontextprotocol.client.McpSyncClient;
+import io.modelcontextprotocol.client.auth.DiscoverAndRequestJwtAuthGrantOptions;
+import io.modelcontextprotocol.client.auth.EnterpriseAuth;
+import io.modelcontextprotocol.client.auth.EnterpriseAuthProvider;
+import io.modelcontextprotocol.client.auth.EnterpriseAuthProviderOptions;
 import io.modelcontextprotocol.client.transport.HttpClientStreamableHttpTransport;
 import io.modelcontextprotocol.spec.McpSchema;
 
@@ -53,13 +60,17 @@ public static void main(String[] args) {
 				case "sse-retry":
 					runSSERetryScenario(serverUrl);
 					break;
+				case "auth/cross-app-access-complete-flow":
+					runCrossAppAccessCompleteFlowScenario(serverUrl);
+					break;
 				default:
 					System.err.println("Unknown scenario: " + scenario);
 					System.err.println("Available scenarios:");
 					System.err.println("  - initialize");
 					System.err.println("  - tools_call");
 					System.err.println("  - elicitation-sep1034-client-defaults");
 					System.err.println("  - sse-retry");
+					System.err.println("  - auth/cross-app-access-complete-flow");
 					System.exit(1);
 			}
 			System.exit(0);
@@ -283,4 +294,82 @@ private static void runSSERetryScenario(String serverUrl) throws Exception {
 		}
 	}
 
+	/**
+	 * Cross-App Access scenario: Tests SEP-990 Enterprise Managed Authorization flow.
+	 * <p>
+	 * Reads context from {@code MCP_CONFORMANCE_CONTEXT} (JSON) containing:
+	 * {@code client_id}, {@code client_secret}, {@code idp_client_id},
+	 * {@code idp_id_token}, {@code idp_issuer}, {@code idp_token_endpoint}.
+	 * <p>
+	 * Uses {@link EnterpriseAuthProvider} with an assertion callback that performs RFC
+	 * 8693 token exchange at the IdP, then exchanges the ID-JAG for an access token at
+	 * the MCP authorization server via RFC 7523 JWT Bearer grant.
+	 * @param serverUrl the URL of the MCP server
+	 * @throws Exception if any error occurs during execution
+	 */
+	private static void runCrossAppAccessCompleteFlowScenario(String serverUrl) throws Exception {
+		String contextEnv = System.getenv("MCP_CONFORMANCE_CONTEXT");
+		if (contextEnv == null || contextEnv.isEmpty()) {
+			System.err.println("Error: MCP_CONFORMANCE_CONTEXT environment variable is not set");
+			System.exit(1);
+		}
+
+		CrossAppAccessContext ctx = new ObjectMapper().readValue(contextEnv, CrossAppAccessContext.class);
+
+		java.net.http.HttpClient httpClient = java.net.http.HttpClient.newHttpClient();
+
+		EnterpriseAuthProviderOptions options = EnterpriseAuthProviderOptions.builder()
+			.clientId(ctx.clientId())
+			.clientSecret(ctx.clientSecret())
+			.assertionCallback(assertionCtx -> {
+				// RFC 8693 token exchange at the IdP: ID Token → ID-JAG
+				DiscoverAndRequestJwtAuthGrantOptions jagOptions = DiscoverAndRequestJwtAuthGrantOptions
+					.builder()
+					.idpUrl(ctx.idpIssuer())
+					.idpTokenEndpoint(ctx.idpTokenEndpoint())
+					.idToken(ctx.idpIdToken())
+					.clientId(ctx.idpClientId())
+					.audience(assertionCtx.getAuthorizationServerUrl().toString())
+					.resource(assertionCtx.getResourceUrl().toString())
+					.build();
+				return EnterpriseAuth.discoverAndRequestJwtAuthorizationGrant(jagOptions, httpClient);
+			})
+			.build();
+
+		EnterpriseAuthProvider provider = new EnterpriseAuthProvider(options, httpClient);
+
+		HttpClientStreamableHttpTransport transport = HttpClientStreamableHttpTransport.builder(serverUrl)
+			.httpRequestCustomizer(provider)
+			.build();
+
+		McpSyncClient client = McpClient.sync(transport)
+			.clientInfo(new McpSchema.Implementation("test-client", "1.0.0"))
+			.requestTimeout(Duration.ofSeconds(30))
+			.build();
+
+		try {
+			client.initialize();
+			System.out.println("Successfully connected to MCP server");
+
+			client.listTools();
+			System.out.println("Successfully listed tools");
+		}
+		finally {
+			client.close();
+			System.out.println("Connection closed successfully");
+		}
+	}
+
+	/**
+	 * Context provided by the conformance suite for the cross-app-access-complete-flow
+	 * scenario via the {@code MCP_CONFORMANCE_CONTEXT} environment variable.
+	 */
+	@JsonIgnoreProperties(ignoreUnknown = true)
+	private record CrossAppAccessContext(@JsonProperty("client_id") String clientId,
+			@JsonProperty("client_secret") String clientSecret,
+			@JsonProperty("idp_client_id") String idpClientId,
+			@JsonProperty("idp_id_token") String idpIdToken, @JsonProperty("idp_issuer") String idpIssuer,
+			@JsonProperty("idp_token_endpoint") String idpTokenEndpoint) {
+	}
+
 }
