Context
Primary user-facing flow. Required for any interactive MCP client to obtain tokens after PRM/AS discovery.
Scope
Mcp\Client\Auth\Grant\AuthorizationCodeGrant:
- Generate PKCE
code_verifier + code_challenge (S256).
- Build authorize URL with
client_id, redirect_uri, response_type=code, code_challenge, code_challenge_method, scope, state, resource (audience-binding RFC 8707).
- Pluggable user-agent dispatcher: callback hook so library users can open a browser / present URL in CLI.
- Local loopback redirect listener (default) or custom redirect handler.
- Exchange code → tokens at
token_endpoint; persist via TokenStorageInterface.
- Verify
state round-trip; reject mismatched.
Conformance scenarios unblocked
auth/basic-cimd and prerequisite for all scope/refresh/cross-app scenarios.
Dependencies
Blocked by: #315, #316, #317, #318. Pairs with #319 (token endpoint auth methods).
Acceptance
- Unit tests for PKCE generation + state validation.
- Conformance:
auth/basic-cimd passes.
cc @soyuka
Context
Primary user-facing flow. Required for any interactive MCP client to obtain tokens after PRM/AS discovery.
Scope
Mcp\Client\Auth\Grant\AuthorizationCodeGrant:code_verifier+code_challenge(S256).client_id,redirect_uri,response_type=code,code_challenge,code_challenge_method,scope,state,resource(audience-binding RFC 8707).token_endpoint; persist viaTokenStorageInterface.stateround-trip; reject mismatched.Conformance scenarios unblocked
auth/basic-cimdand prerequisite for all scope/refresh/cross-app scenarios.Dependencies
Blocked by: #315, #316, #317, #318. Pairs with #319 (token endpoint auth methods).
Acceptance
auth/basic-cimdpasses.cc @soyuka