refactor(auth): address code review feedback for enterprise managed auth

Addresses code review comments for SEP-990 enterprise auth implementation:

1. Removed non-existing scenarios from client.py.
2. Removed run-enterprise-auth-conformance.sh script.
3. Remove redundant CI job, use conformance v0.1.14 with --suite all
4. Document specific use cases for manual token exchange flow
5. Added client_credentials support to the __init__.py
6. Rename TokenExchangeResponse to IDJAGTokenExchangeResponse for clarity
7. Fix IdP credential usage - separate idp_client_id/secret from MCP credentials
8. Add parameter discovery example demonstrating OAuth metadata discovery

Author: BinoyOza-okta

.github/actions/conformance/client.py

@@ -18,8 +18,6 @@
     auth/client-credentials-basic           - Client credentials with client_secret_basic
     auth/cross-app-access-complete-flow     - Enterprise managed OAuth (SEP-990) - v0.1.14+
     auth/enterprise-token-exchange          - Enterprise auth with OIDC ID token (legacy name)
-    auth/enterprise-saml-exchange           - Enterprise auth with SAML assertion (legacy name)
-    auth/enterprise-id-jag-validation       - Validate ID-JAG token structure (legacy name)
     auth/*                                  - Authorization code flow (default for auth scenarios)
 
 Enterprise Auth (SEP-990):
@@ -415,177 +413,6 @@ async def run_cross_app_access_complete_flow(server_url: str) -> None:
     await _run_auth_session(server_url, enterprise_auth)
 
 
-@register("auth/enterprise-token-exchange")
-async def run_enterprise_token_exchange(server_url: str) -> None:
-    """Enterprise managed auth: Token exchange flow (RFC 8693) with OIDC ID token."""
-    from mcp.client.auth.extensions.enterprise_managed_auth import (
-        EnterpriseAuthOAuthClientProvider,
-        TokenExchangeParameters,
-    )
-
-    context = get_conformance_context()
-    id_token = context.get("id_token")
-    idp_token_endpoint = context.get("idp_token_endpoint")
-    mcp_server_auth_issuer = context.get("mcp_server_auth_issuer")
-    mcp_server_resource_id = context.get("mcp_server_resource_id")
-    scope = context.get("scope")
-
-    if not id_token:
-        raise RuntimeError("MCP_CONFORMANCE_CONTEXT missing 'id_token'")
-    if not idp_token_endpoint:
-        raise RuntimeError("MCP_CONFORMANCE_CONTEXT missing 'idp_token_endpoint'")
-    if not mcp_server_auth_issuer:
-        raise RuntimeError("MCP_CONFORMANCE_CONTEXT missing 'mcp_server_auth_issuer'")
-    if not mcp_server_resource_id:
-        raise RuntimeError("MCP_CONFORMANCE_CONTEXT missing 'mcp_server_resource_id'")
-
-    # Create token exchange parameters
-    token_exchange_params = TokenExchangeParameters.from_id_token(
-        id_token=id_token,
-        mcp_server_auth_issuer=mcp_server_auth_issuer,
-        mcp_server_resource_id=mcp_server_resource_id,
-        scope=scope,
-    )
-
-    # Create enterprise auth provider
-    enterprise_auth = EnterpriseAuthOAuthClientProvider(
-        server_url=server_url,
-        client_metadata=OAuthClientMetadata(
-            client_name="conformance-enterprise-client",
-            redirect_uris=[AnyUrl("http://localhost:3000/callback")],
-            grant_types=["urn:ietf:params:oauth:grant-type:jwt-bearer"],
-            response_types=["token"],
-        ),
-        storage=InMemoryTokenStorage(),
-        idp_token_endpoint=idp_token_endpoint,
-        token_exchange_params=token_exchange_params,
-    )
-
-    await _run_auth_session(server_url, enterprise_auth)
-
-
-@register("auth/enterprise-saml-exchange")
-async def run_enterprise_saml_exchange(server_url: str) -> None:
-    """Enterprise managed auth: SAML assertion exchange flow (RFC 8693)."""
-    from mcp.client.auth.extensions.enterprise_managed_auth import (
-        EnterpriseAuthOAuthClientProvider,
-        TokenExchangeParameters,
-    )
-
-    context = get_conformance_context()
-    saml_assertion = context.get("saml_assertion")
-    idp_token_endpoint = context.get("idp_token_endpoint")
-    mcp_server_auth_issuer = context.get("mcp_server_auth_issuer")
-    mcp_server_resource_id = context.get("mcp_server_resource_id")
-    scope = context.get("scope")
-
-    if not saml_assertion:
-        raise RuntimeError("MCP_CONFORMANCE_CONTEXT missing 'saml_assertion'")
-    if not idp_token_endpoint:
-        raise RuntimeError("MCP_CONFORMANCE_CONTEXT missing 'idp_token_endpoint'")
-    if not mcp_server_auth_issuer:
-        raise RuntimeError("MCP_CONFORMANCE_CONTEXT missing 'mcp_server_auth_issuer'")
-    if not mcp_server_resource_id:
-        raise RuntimeError("MCP_CONFORMANCE_CONTEXT missing 'mcp_server_resource_id'")
-
-    # Create token exchange parameters for SAML
-    token_exchange_params = TokenExchangeParameters.from_saml_assertion(
-        saml_assertion=saml_assertion,
-        mcp_server_auth_issuer=mcp_server_auth_issuer,
-        mcp_server_resource_id=mcp_server_resource_id,
-        scope=scope,
-    )
-
-    # Create enterprise auth provider
-    enterprise_auth = EnterpriseAuthOAuthClientProvider(
-        server_url=server_url,
-        client_metadata=OAuthClientMetadata(
-            client_name="conformance-enterprise-saml-client",
-            redirect_uris=[AnyUrl("http://localhost:3000/callback")],
-            grant_types=["urn:ietf:params:oauth:grant-type:jwt-bearer"],
-            response_types=["token"],
-        ),
-        storage=InMemoryTokenStorage(),
-        idp_token_endpoint=idp_token_endpoint,
-        token_exchange_params=token_exchange_params,
-    )
-
-    await _run_auth_session(server_url, enterprise_auth)
-
-
-@register("auth/enterprise-id-jag-validation")
-async def run_id_jag_validation(server_url: str) -> None:
-    """Validate ID-JAG token structure and claims (SEP-990)."""
-    from mcp.client.auth.extensions.enterprise_managed_auth import (
-        EnterpriseAuthOAuthClientProvider,
-        TokenExchangeParameters,
-        decode_id_jag,
-        validate_token_exchange_params,
-    )
-
-    context = get_conformance_context()
-    id_token = context.get("id_token")
-    idp_token_endpoint = context.get("idp_token_endpoint")
-    mcp_server_auth_issuer = context.get("mcp_server_auth_issuer")
-    mcp_server_resource_id = context.get("mcp_server_resource_id")
-
-    if not all([id_token, idp_token_endpoint, mcp_server_auth_issuer, mcp_server_resource_id]):
-        raise RuntimeError("Missing required context parameters for ID-JAG validation")
-
-    # Create and validate token exchange parameters
-    token_exchange_params = TokenExchangeParameters.from_id_token(
-        id_token=id_token,
-        mcp_server_auth_issuer=mcp_server_auth_issuer,
-        mcp_server_resource_id=mcp_server_resource_id,
-    )
-
-    logger.debug("Validating token exchange parameters")
-    validate_token_exchange_params(token_exchange_params)
-    logger.debug("Token exchange parameters validated successfully")
-
-    # Create enterprise auth provider
-    enterprise_auth = EnterpriseAuthOAuthClientProvider(
-        server_url=server_url,
-        client_metadata=OAuthClientMetadata(
-            client_name="conformance-validation-client",
-            redirect_uris=[AnyUrl("http://localhost:3000/callback")],
-            grant_types=["urn:ietf:params:oauth:grant-type:jwt-bearer"],
-            response_types=["token"],
-        ),
-        storage=InMemoryTokenStorage(),
-        idp_token_endpoint=idp_token_endpoint,
-        token_exchange_params=token_exchange_params,
-    )
-
-    async with httpx.AsyncClient() as client:
-        # Get ID-JAG
-        id_jag = await enterprise_auth.exchange_token_for_id_jag(client)
-        logger.debug(f"Obtained ID-JAG for validation: {id_jag[:50]}...")
-
-        # Decode and validate ID-JAG claims
-        logger.debug("Decoding ID-JAG token")
-        claims = decode_id_jag(id_jag)
-
-        # Validate required claims
-        assert claims.typ == "oauth-id-jag+jwt", f"Invalid typ: {claims.typ}"
-        assert claims.jti, "Missing jti claim"
-        assert claims.iss, "Missing iss claim"
-        assert claims.sub, "Missing sub claim"
-        assert claims.aud, "Missing aud claim"
-        assert claims.resource == mcp_server_resource_id, f"Invalid resource: {claims.resource}"
-        assert claims.client_id, "Missing client_id claim"
-        assert claims.exp > claims.iat, "Invalid expiration"
-
-        logger.debug("ID-JAG validated successfully:")
-        logger.debug(f"  Subject: {claims.sub}")
-        logger.debug(f"  Issuer: {claims.iss}")
-        logger.debug(f"  Audience: {claims.aud}")
-        logger.debug(f"  Resource: {claims.resource}")
-        logger.debug(f"  Client ID: {claims.client_id}")
-
-    logger.debug("ID-JAG validation completed successfully")
-
-
 async def _run_auth_session(server_url: str, oauth_auth: OAuthClientProvider) -> None:
     """Common session logic for all OAuth flows."""
     client = httpx.AsyncClient(auth=oauth_auth, timeout=30.0)

.github/actions/conformance/run-enterprise-auth-conformance.sh

@@ -30,21 +30,6 @@ jobs:
       - run: ./.github/actions/conformance/run-server.sh
 
   client-conformance:
-    runs-on: ubuntu-latest
-    continue-on-error: true
-    steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
-      - uses: astral-sh/setup-uv@803947b9bd8e9f986429fa0c5a41c367cd732b41 # v7.2.1
-        with:
-          enable-cache: true
-          version: 0.9.5
-      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
-        with:
-          node-version: 24
-      - run: uv sync --frozen --all-extras --package mcp
-      - run: npx @modelcontextprotocol/conformance@0.1.13 client --command 'uv run --frozen python .github/actions/conformance/client.py' --suite all
-
-  enterprise-auth-conformance:
     runs-on: ubuntu-latest
     continue-on-error: true
     steps:
@@ -57,4 +42,4 @@ jobs:
         with:
           node-version: 24
       - run: uv sync --frozen --all-extras --package mcp
-      - run: npx @modelcontextprotocol/conformance@0.1.14 client --command 'uv run --frozen python .github/actions/conformance/client.py' --scenario auth/cross-app-access-complete-flow
+      - run: npx @modelcontextprotocol/conformance@0.1.14 client --command 'uv run --frozen python .github/actions/conformance/client.py' --suite all