make consent optional, default true

modelcontextprotocol · pcarleton · May 2, 2025 · May 7, 2025 · May 7, 2025 · May 7, 2025
commit e05f0b6f27a422cbf49ba4b0ae52c499aea4dafa
diff --git a/src/mcp/server/auth/handlers/consent.py b/src/mcp/server/auth/handlers/consent.py
@@ -1,5 +1,6 @@
+from abc import ABC, abstractmethod
 from dataclasses import dataclass
-from typing import Any
+from typing import Any, Optional
 from urllib.parse import urlencode
 
 from starlette.requests import Request
@@ -9,8 +10,27 @@
 from mcp.server.auth.provider import OAuthAuthorizationServerProvider
 
 
+class AbstractConsentHandler(ABC):
+    """Abstract base class for handling OAuth consent operations."""
+
+    @abstractmethod
+    async def handle(self, request: Request) -> Response:
+        """Handle consent requests - both showing the form and processing submissions."""
+        pass
+
+    @abstractmethod
+    async def _show_consent_form(self, request: Request) -> Response:
+        """Display the consent form to the user."""
+        pass
+
+    @abstractmethod
+    async def _process_consent(self, request: Request) -> Response:
+        """Process the user's consent decision."""
+        pass
+
+
 @dataclass
-class ConsentHandler:
+class ConsentHandler(AbstractConsentHandler):
     provider: OAuthAuthorizationServerProvider[Any, Any, Any]
 
     async def handle(self, request: Request) -> Response:
@@ -157,7 +177,7 @@ async def _show_consent_form(self, request: Request) -> HTMLResponse:
 """
         return HTMLResponse(content=html_content)
 
-    async def _process_consent(self, request: Request) -> RedirectResponse:
+    async def _process_consent(self, request: Request) -> RedirectResponse | HTMLResponse:
         form_data = await request.form()
         action = form_data.get("action")
 

diff --git a/src/mcp/server/auth/routes.py b/src/mcp/server/auth/routes.py
@@ -115,13 +115,6 @@ def create_auth_routes(
             ),
             methods=["POST", "OPTIONS"],
         ),
-        Route(
-            CONSENT_PATH,
-            # do not allow CORS for consent endpoint;
-            # clients should just redirect to this
-            endpoint=ConsentHandler(provider).handle,
-            methods=["GET", "POST"],
-        ),
     ]
 
     if client_registration_options.enabled:
@@ -140,6 +133,18 @@ def create_auth_routes(
             )
         )
 
+        if client_registration_options.client_consent_required:
+            consent_path: str = client_registration_options.client_consent_path or CONSENT_PATH
+            routes.append(
+                Route(
+                    consent_path,
+                    # do not allow CORS for consent endpoint;
+                    # clients should just redirect to this
+                    endpoint=ConsentHandler(provider).handle,
+                    methods=["GET", "POST"],
+                ),
+            )
+
     if revocation_options.enabled:
         revocation_handler = RevocationHandler(provider, client_authenticator)
         routes.append(

diff --git a/src/mcp/server/auth/settings.py b/src/mcp/server/auth/settings.py
@@ -6,6 +6,8 @@ class ClientRegistrationOptions(BaseModel):
     client_secret_expiry_seconds: int | None = None
     valid_scopes: list[str] | None = None
     default_scopes: list[str] | None = None
+    client_consent_required: bool = True
+    client_consent_path: str | None = None
 
 
 class RevocationOptions(BaseModel):