Fix OAuth flow on connecting remote MCP Server

[yoskeoka]

Issue

Cursor creates a dynamic client with "token_endpoint_auth_method": "none", but sends Authorization Basic when it calls token endpoint to exchange Access Token. Since the client type is "Public" when token_endpoint_auth_method is none, it should not send any client authentication data. Our OAuth server detects it as an invalid client.

Request

• Don't send client authentication data(Basic Auth) when token_endpoint_auth_method is none
• Or respect token_endpoint_auth_methods_supported retrieved by Authorization Server Metadata. client_secret_basic and client_secret_post are fine for our case.

Cursor's Dynamic Client Registration request sample

{
  "redirect_uris": [
    "cursor://anysphere.cursor-mcp/oauth/user-mfc-admin-local/callback"
  ],
  "token_endpoint_auth_method": "none",
  "grant_types": ["authorization_code", "refresh_token"],
  "response_types": ["code"],
  "client_name": "Cursor"
}

Cursor's Token Exchange request sample

POST /token HTTP/1.1
Accept: application/json
Accept-Encoding: gzip, deflate
Accept-Language: *
Authorization: Basic MjU1OT(136 length characters)abc
Connection: keep-alive
Content-Length: 272
Content-Type: application/x-www-form-urlencoded
Sec-Fetch-Mode: cors
User-Agent: node

grant_type=authorization_code&code=abcd&code_verifier=efg&redirect_uri=cursor%3A%2F%2Fanysphere.cursor-mcp%2Foauth%2Fuser-mfc-local%2Fcallback&resource=http%3A%2F%2Flocalhost%3A8092%2Fmcp

References

• OAuth 2.0 Dynamic Client Registration Protocol
• OAuth 2.0 Authorization Server Metadata