feat: Add Enterprise Managed Authorization (SEP-990) support

conformance-tests/client-jdk-http-client/pom.xml

@@ -31,6 +31,13 @@
 			<version>2.0.0-SNAPSHOT</version>
 		</dependency>
 
+		<!-- mcp-core for EnterpriseAuth / EnterpriseAuthProvider (SEP-990) -->
+		<dependency>
+			<groupId>io.modelcontextprotocol.sdk</groupId>
+			<artifactId>mcp-core</artifactId>
+			<version>2.0.0-SNAPSHOT</version>
+		</dependency>
+
 		<!-- Logging -->
 		<dependency>
 			<groupId>ch.qos.logback</groupId>

conformance-tests/client-jdk-http-client/src/main/java/io/modelcontextprotocol/conformance/client/ConformanceJdkClientMcpClient.java

@@ -2,8 +2,15 @@
 
 import java.time.Duration;
 
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.databind.ObjectMapper;
 import io.modelcontextprotocol.client.McpClient;
 import io.modelcontextprotocol.client.McpSyncClient;
+import io.modelcontextprotocol.client.auth.DiscoverAndRequestJwtAuthGrantOptions;
+import io.modelcontextprotocol.client.auth.EnterpriseAuth;
+import io.modelcontextprotocol.client.auth.EnterpriseAuthProvider;
+import io.modelcontextprotocol.client.auth.EnterpriseAuthProviderOptions;
 import io.modelcontextprotocol.client.transport.HttpClientStreamableHttpTransport;
 import io.modelcontextprotocol.spec.McpSchema;
 
@@ -53,13 +60,17 @@ public static void main(String[] args) {
 				case "sse-retry":
 					runSSERetryScenario(serverUrl);
 					break;
+				case "auth/cross-app-access-complete-flow":
+					runCrossAppAccessCompleteFlowScenario(serverUrl);
+					break;
 				default:
 					System.err.println("Unknown scenario: " + scenario);
 					System.err.println("Available scenarios:");
 					System.err.println("  - initialize");
 					System.err.println("  - tools_call");
 					System.err.println("  - elicitation-sep1034-client-defaults");
 					System.err.println("  - sse-retry");
+					System.err.println("  - auth/cross-app-access-complete-flow");
 					System.exit(1);
 			}
 			System.exit(0);
@@ -283,4 +294,82 @@ private static void runSSERetryScenario(String serverUrl) throws Exception {
 		}
 	}
 
+	/**
+	 * Cross-App Access scenario: Tests SEP-990 Enterprise Managed Authorization flow.
+	 * <p>
+	 * Reads context from {@code MCP_CONFORMANCE_CONTEXT} (JSON) containing:
+	 * {@code client_id}, {@code client_secret}, {@code idp_client_id},
+	 * {@code idp_id_token}, {@code idp_issuer}, {@code idp_token_endpoint}.
+	 * <p>
+	 * Uses {@link EnterpriseAuthProvider} with an assertion callback that performs RFC
+	 * 8693 token exchange at the IdP, then exchanges the ID-JAG for an access token at
+	 * the MCP authorization server via RFC 7523 JWT Bearer grant.
+	 * @param serverUrl the URL of the MCP server
+	 * @throws Exception if any error occurs during execution
+	 */
+	private static void runCrossAppAccessCompleteFlowScenario(String serverUrl) throws Exception {
+		String contextEnv = System.getenv("MCP_CONFORMANCE_CONTEXT");
+		if (contextEnv == null || contextEnv.isEmpty()) {
+			System.err.println("Error: MCP_CONFORMANCE_CONTEXT environment variable is not set");
+			System.exit(1);
+		}
+
+		CrossAppAccessContext ctx = new ObjectMapper().readValue(contextEnv, CrossAppAccessContext.class);
+
+		java.net.http.HttpClient httpClient = java.net.http.HttpClient.newHttpClient();
+
+		EnterpriseAuthProviderOptions options = EnterpriseAuthProviderOptions.builder()
+			.clientId(ctx.clientId())
+			.clientSecret(ctx.clientSecret())
+			.assertionCallback(assertionCtx -> {
+				// RFC 8693 token exchange at the IdP: ID Token → ID-JAG
+				DiscoverAndRequestJwtAuthGrantOptions jagOptions = DiscoverAndRequestJwtAuthGrantOptions
+					.builder()
+					.idpUrl(ctx.idpIssuer())
+					.idpTokenEndpoint(ctx.idpTokenEndpoint())
+					.idToken(ctx.idpIdToken())
+					.clientId(ctx.idpClientId())
+					.audience(assertionCtx.getAuthorizationServerUrl().toString())
+					.resource(assertionCtx.getResourceUrl().toString())
+					.build();
+				return EnterpriseAuth.discoverAndRequestJwtAuthorizationGrant(jagOptions, httpClient);
+			})
+			.build();
+
+		EnterpriseAuthProvider provider = new EnterpriseAuthProvider(options, httpClient);
+
+		HttpClientStreamableHttpTransport transport = HttpClientStreamableHttpTransport.builder(serverUrl)
+			.httpRequestCustomizer(provider)
+			.build();
+
+		McpSyncClient client = McpClient.sync(transport)
+			.clientInfo(new McpSchema.Implementation("test-client", "1.0.0"))
+			.requestTimeout(Duration.ofSeconds(30))
+			.build();
+
+		try {
+			client.initialize();
+			System.out.println("Successfully connected to MCP server");
+
+			client.listTools();
+			System.out.println("Successfully listed tools");
+		}
+		finally {
+			client.close();
+			System.out.println("Connection closed successfully");
+		}
+	}
+
+	/**
+	 * Context provided by the conformance suite for the cross-app-access-complete-flow
+	 * scenario via the {@code MCP_CONFORMANCE_CONTEXT} environment variable.
+	 */
+	@JsonIgnoreProperties(ignoreUnknown = true)
+	private record CrossAppAccessContext(@JsonProperty("client_id") String clientId,
+			@JsonProperty("client_secret") String clientSecret,
+			@JsonProperty("idp_client_id") String idpClientId,
+			@JsonProperty("idp_id_token") String idpIdToken, @JsonProperty("idp_issuer") String idpIssuer,
+			@JsonProperty("idp_token_endpoint") String idpTokenEndpoint) {
+	}
+
 }

mcp-core/src/main/java/io/modelcontextprotocol/client/auth/AuthServerMetadata.java

@@ -0,0 +1,66 @@
+/*
+ * Copyright 2024-2025 the original author or authors.
+ */
+
+package io.modelcontextprotocol.client.auth;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+/**
+ * OAuth 2.0 Authorization Server Metadata as defined by RFC 8414.
+ * <p>
+ * Used during Enterprise Managed Authorization (SEP-990) to discover the token endpoint
+ * of the enterprise Identity Provider and the MCP authorization server.
+ *
+ * @author MCP SDK Contributors
+ * @see <a href="https://datatracker.ietf.org/doc/html/rfc8414">RFC 8414</a>
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+public class AuthServerMetadata {
+
+	@JsonProperty("issuer")
+	private String issuer;
+
+	@JsonProperty("token_endpoint")
+	private String tokenEndpoint;
+
+	@JsonProperty("authorization_endpoint")
+	private String authorizationEndpoint;
+
+	@JsonProperty("jwks_uri")
+	private String jwksUri;
+
+	public String getIssuer() {
+		return issuer;
+	}
+
+	public void setIssuer(String issuer) {
+		this.issuer = issuer;
+	}
+
+	public String getTokenEndpoint() {
+		return tokenEndpoint;
+	}
+
+	public void setTokenEndpoint(String tokenEndpoint) {
+		this.tokenEndpoint = tokenEndpoint;
+	}
+
+	public String getAuthorizationEndpoint() {
+		return authorizationEndpoint;
+	}
+
+	public void setAuthorizationEndpoint(String authorizationEndpoint) {
+		this.authorizationEndpoint = authorizationEndpoint;
+	}
+
+	public String getJwksUri() {
+		return jwksUri;
+	}
+
+	public void setJwksUri(String jwksUri) {
+		this.jwksUri = jwksUri;
+	}
+
+}

mcp-core/src/main/java/io/modelcontextprotocol/client/auth/DiscoverAndRequestJwtAuthGrantOptions.java

@@ -0,0 +1,126 @@
+/*
+ * Copyright 2024-2025 the original author or authors.
+ */
+
+package io.modelcontextprotocol.client.auth;
+
+import java.util.Objects;
+
+/**
+ * Options for {@link EnterpriseAuth#discoverAndRequestJwtAuthorizationGrant} — extends
+ * {@link RequestJwtAuthGrantOptions} with IdP discovery support.
+ * <p>
+ * Performs step 1 of the Enterprise Managed Authorization (SEP-990) flow by first
+ * discovering the IdP token endpoint via RFC 8414 metadata discovery, then requesting the
+ * JAG.
+ * <p>
+ * If {@link #getIdpTokenEndpoint()} is provided it is used directly and discovery is
+ * skipped.
+ *
+ * @author MCP SDK Contributors
+ */
+public class DiscoverAndRequestJwtAuthGrantOptions extends RequestJwtAuthGrantOptions {
+
+	/**
+	 * The base URL of the enterprise IdP. Used as the root URL for RFC 8414 discovery
+	 * ({@code /.well-known/oauth-authorization-server} or
+	 * {@code /.well-known/openid-configuration}).
+	 */
+	private final String idpUrl;
+
+	private DiscoverAndRequestJwtAuthGrantOptions(Builder builder) {
+		super(builder);
+		this.idpUrl = Objects.requireNonNull(builder.idpUrl, "idpUrl must not be null");
+	}
+
+	public String getIdpUrl() {
+		return idpUrl;
+	}
+
+	/**
+	 * Returns the optional pre-configured IdP token endpoint. When non-null, RFC 8414
+	 * discovery is skipped and this endpoint is used directly.
+	 * <p>
+	 * This is a convenience method equivalent to {@link #getTokenEndpoint()}.
+	 */
+	public String getIdpTokenEndpoint() {
+		return getTokenEndpoint();
+	}
+
+	public static Builder builder() {
+		return new Builder();
+	}
+
+	public static final class Builder extends RequestJwtAuthGrantOptions.Builder {
+
+		private String idpUrl;
+
+		private Builder() {
+		}
+
+		public Builder idpUrl(String idpUrl) {
+			this.idpUrl = idpUrl;
+			return this;
+		}
+
+		/**
+		 * Optional override for the IdP's token endpoint. When set, RFC 8414 discovery is
+		 * skipped and this endpoint is used directly.
+		 * <p>
+		 * Equivalent to calling {@link #tokenEndpoint(String)}.
+		 */
+		public Builder idpTokenEndpoint(String idpTokenEndpoint) {
+			super.tokenEndpoint(idpTokenEndpoint);
+			return this;
+		}
+
+		@Override
+		public Builder tokenEndpoint(String tokenEndpoint) {
+			super.tokenEndpoint(tokenEndpoint);
+			return this;
+		}
+
+		@Override
+		public Builder idToken(String idToken) {
+			super.idToken(idToken);
+			return this;
+		}
+
+		@Override
+		public Builder clientId(String clientId) {
+			super.clientId(clientId);
+			return this;
+		}
+
+		@Override
+		public Builder clientSecret(String clientSecret) {
+			super.clientSecret(clientSecret);
+			return this;
+		}
+
+		@Override
+		public Builder audience(String audience) {
+			super.audience(audience);
+			return this;
+		}
+
+		@Override
+		public Builder resource(String resource) {
+			super.resource(resource);
+			return this;
+		}
+
+		@Override
+		public Builder scope(String scope) {
+			super.scope(scope);
+			return this;
+		}
+
+		@Override
+		public DiscoverAndRequestJwtAuthGrantOptions build() {
+			return new DiscoverAndRequestJwtAuthGrantOptions(this);
+		}
+
+	}
+
+}