d365fo-client 0.3.0__tar.gz → 0.3.1__tar.gz

{d365fo_client-0.3.0/src/d365fo_client.egg-info → d365fo_client-0.3.1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: d365fo-client
-Version: 0.3.0
+Version: 0.3.1
 Summary: Microsoft Dynamics 365 Finance & Operations client
 Author-email: Muhammad Afzaal <mo@thedataguy.pro>
 License-Expression: MIT

{d365fo_client-0.3.0 → d365fo_client-0.3.1}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "d365fo-client"
-version = "0.3.0"
+version = "0.3.1"
 description = "Microsoft Dynamics 365 Finance & Operations client"
 readme = "README.md"
 license = "MIT"

d365fo_client-0.3.1/src/d365fo_client/mcp/auth_server/auth/providers/apikey.py

@@ -0,0 +1,83 @@
+"""API Key authentication provider for FastMCP.
+
+This provider implements simple API key authentication using the Authorization header.
+Suitable for service-to-service authentication and simpler deployment scenarios.
+
+IMPORTANT: FastMCP uses BearerAuthBackend which extracts tokens from the Authorization header
+and calls token_verifier.verify_token(). Clients must send the API key as:
+    Authorization: Bearer <your-api-key>
+
+The token_verifier.verify_token() method performs constant-time comparison of the API key.
+"""
+
+from __future__ import annotations
+
+import secrets
+
+from pydantic import SecretStr
+
+from ..auth import AccessToken, TokenVerifier
+from d365fo_client.mcp.utilities.logging import get_logger
+
+logger = get_logger(__name__)
+
+
+class APIKeyVerifier(TokenVerifier):
+    """API Key token verifier for FastMCP.
+
+    This is a TokenVerifier that validates API keys sent as Bearer tokens.
+    FastMCP's BearerAuthBackend extracts the token from "Authorization: Bearer <token>"
+    and passes it to this verifier's verify_token() method.
+
+    This is a simpler alternative to OAuth for scenarios where:
+    - Service-to-service authentication is needed
+    - Simplified deployment without OAuth infrastructure
+    - Single-user or trusted client scenarios
+
+    Security features:
+    - Constant-time comparison to prevent timing attacks
+    - SecretStr storage to prevent accidental logging
+    - No token expiration (suitable for long-lived API keys)
+    """
+
+    def __init__(
+        self,
+        api_key: SecretStr,
+        base_url: str | None = None,
+        required_scopes: list[str] | None = None,
+    ):
+        """Initialize API key provider.
+
+        Args:
+            api_key: The secret API key value
+            base_url: Base URL of the server
+            required_scopes: Required scopes (for compatibility, not enforced for API keys)
+        """
+        super().__init__(base_url=base_url, required_scopes=required_scopes)
+        self.api_key = api_key
+
+    async def verify_token(self, token: str) -> AccessToken | None:
+        """Verify API key token.
+
+        This method is called by FastMCP's BearerAuthBackend after extracting
+        the token from "Authorization: Bearer <token>" header.
+
+        Args:
+            token: The API key extracted from the Authorization header
+
+        Returns:
+            AccessToken if valid, None otherwise
+        """
+        # Constant-time comparison to prevent timing attacks
+        if secrets.compare_digest(token, self.api_key.get_secret_value()):
+            logger.debug("API key authentication successful")
+            return AccessToken(
+                token=token,
+                scopes=self.required_scopes or [],
+                client_id="api_key_client",  # Fixed client_id for API key auth
+                expires_at=None,  # API keys don't expire
+                resource=None,
+            )
+
+        logger.warning("Invalid API key provided")
+        return None

{d365fo_client-0.3.0 → d365fo_client-0.3.1}/src/d365fo_client/mcp/auth_server/auth/providers/azure.py

@@ -284,42 +284,110 @@ class AzureProvider(OAuthProxy):
 
     async def register_client(self, client_info: OAuthClientInformationFull) -> None:
         """Register a new MCP client, validating redirect URIs if configured."""
-        result = await super().register_client(client_info)
-        self._save_clients()
-        return result
+        await super().register_client(client_info)
+        try:
+            self._save_clients()
+        except Exception as e:
+            logger.error(f"Failed to persist client registration: {e}")
+            # Don't raise here as the client is already registered in memory
 
-    def _save_clients(self) -> str | None:
+    def _save_clients(self) -> None:
+        """Save client data to persistent storage.
+        
+        Raises:
+            ValueError: If clients_storage_path is not configured
+            OSError: If file operations fail
+        """
         if not self.clients_storage_path:
             logger.warning("No clients storage path configured. Skipping client save.")
-            return None
+            return
         
-        # Store self._clients to clients.json
         try:
-            client_json_path = Path(self.clients_storage_path) / "clients.json"
+            # Ensure the storage directory exists
+            storage_dir = Path(self.clients_storage_path)
+            storage_dir.mkdir(parents=True, exist_ok=True)
+            
+            client_json_path = storage_dir / "clients.json"
+            
             # Convert OAuthClientInformationFull objects to dictionaries for JSON serialization
-            clients_dict = {
-                client_id: client.model_dump() if hasattr(client, 'model_dump') else client.__dict__
-                for client_id, client in self._clients.items()
-            }
-            with client_json_path.open("w") as f:
-                json.dump(clients_dict, f, indent=2)
+            # Use mode="json" to properly serialize complex types like AnyUrl
+            clients_dict = {}
+            for client_id, client in self._clients.items():
+                try:
+                    if hasattr(client, 'model_dump'):
+                        # Use json mode to ensure proper serialization of complex types (e.g., AnyUrl)
+                        clients_dict[client_id] = client.model_dump(mode="json")
+                    else:
+                        # Fallback for non-Pydantic objects (shouldn't happen with OAuthClientInformationFull)
+                        clients_dict[client_id] = client.__dict__
+                except Exception as client_error:
+                    logger.error(f"Failed to serialize client {client_id}: {client_error}")
+                    continue
+            
+            # Write to temporary file first, then rename for atomic operation
+            temp_path = client_json_path.with_suffix('.tmp')
+            with temp_path.open("w") as f:
+                json.dump(clients_dict, f, indent=2, ensure_ascii=False)
+            
+            # Atomic rename
+            temp_path.replace(client_json_path)
+            
+            logger.debug(f"Successfully saved {len(clients_dict)} clients to {client_json_path}")
+            
         except Exception as e:
-            logger.error(f"Failed to write client data to {client_json_path}: {e}")
+            logger.error(f"Failed to save client data to {self.clients_storage_path}: {e}")
+            raise
 
     def _load_clients(self) -> None:
+        """Load client data from persistent storage.
+        
+        Loads clients from the JSON file if it exists and is valid.
+        Invalid client data is logged and skipped.
+        """
         if not self.clients_storage_path:
+            logger.debug("No clients storage path configured. Skipping client load.")
             return
         
-         # Load existing clients from storage if path is provided
-    
         try:
             client_json_path = Path(self.clients_storage_path) / "clients.json"
-            if client_json_path.exists():
-                with client_json_path.open("r") as f:
-                    clients_data = json.load(f)
-                    for client_id, client_info in clients_data.items():
-                        # Ensure client_id is a string (it should be from JSON, but type checking requires this)
-                        if isinstance(client_id, str):
-                            self._clients[client_id] = OAuthClientInformationFull.model_validate(client_info)
+            
+            if not client_json_path.exists():
+                logger.debug(f"Client storage file {client_json_path} does not exist. Starting with empty client registry.")
+                return
+            
+            # Read and parse the JSON file
+            with client_json_path.open("r", encoding="utf-8") as f:
+                clients_data = json.load(f)
+            
+            if not isinstance(clients_data, dict):
+                logger.error(f"Invalid client data format in {client_json_path}: expected dict, got {type(clients_data)}")
+                return
+            
+            loaded_count = 0
+            for client_id, client_info in clients_data.items():
+                try:
+                    # Validate client_id is a string
+                    if not isinstance(client_id, str):
+                        logger.warning(f"Skipping client with non-string ID: {client_id} (type: {type(client_id)})")
+                        continue
+                    
+                    # Validate and restore the client object
+                    if not isinstance(client_info, dict):
+                        logger.warning(f"Skipping client {client_id}: invalid data format (expected dict, got {type(client_info)})")
+                        continue
+                    
+                    # Use Pydantic model_validate to restore the object with proper validation
+                    client_obj = OAuthClientInformationFull.model_validate(client_info)
+                    self._clients[client_id] = client_obj
+                    loaded_count += 1
+                    
+                except Exception as client_error:
+                    logger.error(f"Failed to load client {client_id}: {client_error}")
+                    continue
+            
+            logger.info(f"Successfully loaded {loaded_count} clients from {client_json_path}")
+            
+        except json.JSONDecodeError as e:
+            logger.error(f"Invalid JSON in client storage file {client_json_path}: {e}")
         except Exception as e:
             logger.error(f"Failed to load clients from {client_json_path}: {e}")

{d365fo_client-0.3.0 → d365fo_client-0.3.1}/src/d365fo_client/mcp/fastmcp_main.py

@@ -19,6 +19,7 @@ from d365fo_client.mcp.fastmcp_utils import create_default_profile_if_needed, lo
 from d365fo_client.profile_manager import ProfileManager
 from d365fo_client.settings import get_settings
 from mcp.server.auth.settings import  AuthSettings,ClientRegistrationOptions
+from d365fo_client.mcp.auth_server.auth.providers.apikey import APIKeyVerifier
 
 
 
@@ -120,6 +121,7 @@ Environment Variables:
   D365FO_MCP_AUTH_TENANT_ID    Azure AD tenant ID for authentication
   D365FO_MCP_AUTH_BASE_URL     http://localhost:8000
   D365FO_MCP_AUTH_REQUIRED_SCOPES  User.Read,email,openid,profile
+  D365FO_MCP_API_KEY_VALUE      API key for authentication (send as: Authorization: Bearer <key>)
   D365FO_LOG_LEVEL               Logging level (DEBUG, INFO, WARNING, ERROR)
   D365FO_LOG_FILE                Custom log file path (default: ~/.d365fo-mcp/logs/fastmcp-server.log)
   D365FO_META_CACHE_DIR          Metadata cache directory (default: ~/.d365fo-mcp/cache)
@@ -254,63 +256,93 @@ logger.info(f"Startup Mode: {settings.get_startup_mode()}")
 logger.info(f"Client Credentials: {'Configured' if settings.has_client_credentials() else 'Not configured'}")
 logger.info("====================================")
 
-if is_remote_transport and not settings.has_mcp_auth_credentials():
+# Validate authentication for remote transports
+if is_remote_transport:
+    has_oauth = settings.has_mcp_auth_credentials()
+    has_api_key = settings.has_mcp_api_key_auth()
+
+    # Must have either OAuth or API key
+    if not has_oauth and not has_api_key:
+        logger.error(
+            "Error: Remote transports (SSE/HTTP) require authentication. "
+            "Please configure either:\n"
+            "  OAuth: D365FO_MCP_AUTH_CLIENT_ID, D365FO_MCP_AUTH_CLIENT_SECRET, "
+            "D365FO_MCP_AUTH_TENANT_ID, D365FO_MCP_AUTH_BASE_URL, D365FO_MCP_AUTH_REQUIRED_SCOPES\n"
+            "  OR\n"
+            "  API Key: D365FO_MCP_API_KEY_VALUE, D365FO_MCP_API_KEY_HEADER_NAME (optional)"
+        )
+        sys.exit(1)
 
-    logger.error("Warning: Client credentials (D365FO_MCP_AUTH_CLIENT_ID and D365FO_MCP_AUTH_CLIENT_SECRET, D365FO_MCP_AUTH_TENANT_ID,D365FO_MCP_AUTH_BASE_URL and D365FO_MCP_AUTH_REQUIRED_SCOPES) are not set. " +
-                   "Remote transports require authentication to the D365FO environment.")
-    sys.exit(1)    
+    # OAuth takes precedence if both are configured
+    if has_oauth and has_api_key:
+        logger.warning(
+            "Both OAuth and API Key authentication configured. "
+            "Using OAuth (takes precedence)."
+        )    
 
-auth_provider: AzureProvider | None = None
+# Initialize authentication provider
+auth_provider: AzureProvider | APIKeyVerifier | None = None  # type: ignore
 auth: AuthSettings | None = None
 
 if is_remote_transport:
-    assert settings.mcp_auth_client_id is not None
-    assert settings.mcp_auth_client_secret is not None
-    assert settings.mcp_auth_tenant_id is not None
-    assert settings.mcp_auth_base_url is not None
-    assert settings.mcp_auth_required_scopes is not None
-    required_scopes=settings.mcp_auth_required_scopes_list()
-
-    # if "AX.FullAccess" not in required_scopes:
-    #     logger.warning("Warning: 'AX.FullAccess' scope is not supported. Adding it automatically.")
-    #     required_scopes.append("https://erp.dynamics.com/AX.FullAccess")
-
-    # Initialize authorization settings
-    auth_provider = AzureProvider(
-        client_id=settings.mcp_auth_client_id,  # Your Azure App Client ID
-        client_secret=settings.mcp_auth_client_secret,                 # Your Azure App Client Secret
-        tenant_id=settings.mcp_auth_tenant_id, # Your Azure Tenant ID (REQUIRED)
-        base_url=settings.mcp_auth_base_url,                   # Must match your App registration
-        required_scopes=required_scopes or ["User.Read"],  # type: ignore # Scopes your app needs
-        redirect_path="/auth/callback",  # Ensure callback path is explicit
-        clients_storage_path=config_path or ...
-    )
-    from mcp.shared.auth import OAuthClientInformationFull
-
-    # auth_provider._clients["eae68fdd-610b-47c5-9907-709c7452f1b3"] = OAuthClientInformationFull(
-    #     client_id="5eae68fdd-610b-47c5-9907-709c7452f1b3",
-    #     client_name="Test Client",
-    #     redirect_uris=[AnyUrl("http://127.0.0.1:33418")],
-    #     scope=",".join(required_scopes)
-    # )
-
+    has_oauth = settings.has_mcp_auth_credentials()
+    has_api_key = settings.has_mcp_api_key_auth()
+
+    if has_oauth:
+        # OAuth authentication setup
+        logger.info("Initializing OAuth authentication with Azure AD")
+
+        assert settings.mcp_auth_client_id is not None
+        assert settings.mcp_auth_client_secret is not None
+        assert settings.mcp_auth_tenant_id is not None
+        assert settings.mcp_auth_base_url is not None
+        assert settings.mcp_auth_required_scopes is not None
+        required_scopes = settings.mcp_auth_required_scopes_list()
+
+        # Initialize authorization settings
+        auth_provider = AzureProvider(
+            client_id=settings.mcp_auth_client_id,
+            client_secret=settings.mcp_auth_client_secret,
+            tenant_id=settings.mcp_auth_tenant_id,
+            base_url=settings.mcp_auth_base_url,
+            required_scopes=required_scopes or ["User.Read"],  # type: ignore
+            redirect_path="/auth/callback",
+            clients_storage_path=config_path or ...
+        )
 
-    auth=AuthSettings(
+        auth = AuthSettings(
             issuer_url=AnyHttpUrl(settings.mcp_auth_base_url),
             client_registration_options=ClientRegistrationOptions(
                 enabled=True,
-                valid_scopes=required_scopes or ["User.Read"], # type: ignore
-                default_scopes=required_scopes or ["User.Read"], # type: ignore
+                valid_scopes=required_scopes or ["User.Read"],  # type: ignore
+                default_scopes=required_scopes or ["User.Read"],  # type: ignore
             ),
-            required_scopes=required_scopes or ["User.Read"], # type: ignore
+            required_scopes=required_scopes or ["User.Read"],  # type: ignore
             resource_server_url=AnyHttpUrl(settings.mcp_auth_base_url),
-            
+        )
+
+    elif has_api_key:
+        # API Key authentication setup
+        logger.info("Initializing API Key authentication")
+
+        from d365fo_client.mcp.auth_server.auth.providers.apikey import APIKeyVerifier
+
+        auth_provider = APIKeyVerifier(  # type: ignore
+            api_key=settings.mcp_api_key_value,  # type: ignore
+            base_url=settings.mcp_auth_base_url,
+        )
+
+        # For API Key authentication
+        auth = AuthSettings(
+            issuer_url=AnyHttpUrl(settings.mcp_auth_base_url) if settings.mcp_auth_base_url else AnyHttpUrl("http://localhost"),
+            resource_server_url=None
         )
 
 # Initialize FastMCP server with configuration
 mcp = FastMCP(
     name=server_config.get("name", "d365fo-mcp-server"),
-    auth_server_provider=auth_provider,
+    auth_server_provider=auth_provider if isinstance(auth_provider, AzureProvider) else None,
+    token_verifier=auth_provider if isinstance(auth_provider, APIKeyVerifier) else None,
     auth=auth,
     instructions=server_config.get(
         "instructions",
@@ -326,16 +358,33 @@ mcp = FastMCP(
 
 )
 
-if is_remote_transport:
+# Add OAuth callback route only for Azure OAuth provider
+if is_remote_transport and isinstance(auth_provider, AzureProvider):
     from starlette.requests import Request
     from starlette.responses import RedirectResponse
-    
+
     @mcp.custom_route(path=auth_provider._redirect_path, methods=["GET"]) # type: ignore
     async def handle_idp_callback(request: Request) -> RedirectResponse:
         return await auth_provider._handle_idp_callback(request) # type: ignore
 
+# Initialize FastD365FOMCPServer
 server = FastD365FOMCPServer(mcp, config, profile_manager=profile_manager)
 
+# Configure API Key authentication if enabled
+if is_remote_transport:
+    from d365fo_client.mcp.auth_server.auth.providers.apikey import APIKeyVerifier
+
+    if isinstance(auth_provider, APIKeyVerifier):
+
+        logger.info("API Key authentication configured successfully")
+        logger.info("=" * 60)
+        logger.info("IMPORTANT: Clients must authenticate using:")
+        logger.info("  Authorization: Bearer <your-api-key>")
+        logger.info("")
+        logger.info("Example:")
+        logger.info(f"  curl -H 'Authorization: Bearer YOUR_KEY' http://localhost:{transport_config.get('http', {}).get('port', 8000)}/")
+        logger.info("=" * 60)
+
 logger.info("FastD365FOMCPServer initialized successfully")
 
 

{d365fo_client-0.3.0 → d365fo_client-0.3.1}/src/d365fo_client/settings.py

@@ -5,7 +5,7 @@ from enum import Enum
 from pathlib import Path
 from typing import Literal, Optional
 
-from pydantic import Field, field_validator
+from pydantic import Field, SecretStr, field_validator
 from pydantic_settings import BaseSettings, SettingsConfigDict
 
 from .utils import get_default_cache_directory
@@ -104,7 +104,15 @@ class D365FOSettings(BaseSettings):
         description="MCP authentication required scopes (comma-separated)",
         alias="D365FO_MCP_AUTH_REQUIRED_SCOPES"
     )
-    
+
+    # === MCP API Key Authentication Settings ===
+
+    mcp_api_key_value: Optional[SecretStr] = Field(
+        default=None,
+        description="API key value for authentication (send as Authorization: Bearer <key>)",
+        alias="D365FO_MCP_API_KEY_VALUE"
+    )
+
     # === MCP Server Transport Settings ===
     
     mcp_transport: TransportProtocol = Field(
@@ -285,6 +293,10 @@ class D365FOSettings(BaseSettings):
     def has_mcp_auth_credentials(self) -> bool:
         """Check if MCP authentication credentials are configured."""
         return all([self.mcp_auth_client_id, self.mcp_auth_client_secret, self.mcp_auth_tenant_id])
+
+    def has_mcp_api_key_auth(self) -> bool:
+        """Check if API key authentication is configured."""
+        return self.mcp_api_key_value is not None
     
     def get_startup_mode(self) -> Literal["profile_only", "default_auth", "client_credentials"]:
         """Determine startup mode based on configuration."""

{d365fo_client-0.3.0 → d365fo_client-0.3.1/src/d365fo_client.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: d365fo-client
-Version: 0.3.0
+Version: 0.3.1
 Summary: Microsoft Dynamics 365 Finance & Operations client
 Author-email: Muhammad Afzaal <mo@thedataguy.pro>
 License-Expression: MIT

{d365fo_client-0.3.0 → d365fo_client-0.3.1}/src/d365fo_client.egg-info/SOURCES.txt

@@ -42,6 +42,7 @@ src/d365fo_client/mcp/auth_server/auth/auth.py
 src/d365fo_client/mcp/auth_server/auth/oauth_proxy.py
 src/d365fo_client/mcp/auth_server/auth/redirect_validation.py
 src/d365fo_client/mcp/auth_server/auth/providers/__init__.py
+src/d365fo_client/mcp/auth_server/auth/providers/apikey.py
 src/d365fo_client/mcp/auth_server/auth/providers/azure.py
 src/d365fo_client/mcp/auth_server/auth/providers/bearer.py
 src/d365fo_client/mcp/auth_server/auth/providers/jwt.py
@@ -84,4 +85,5 @@ src/d365fo_client/metadata_v2/label_utils.py
 src/d365fo_client/metadata_v2/search_engine_v2.py
 src/d365fo_client/metadata_v2/sync_manager_v2.py
 src/d365fo_client/metadata_v2/sync_session_manager.py
-src/d365fo_client/metadata_v2/version_detector.py
+src/d365fo_client/metadata_v2/version_detector.py
+tests/test_azure_provider_persistence.py

d365fo_client-0.3.1/tests/test_azure_provider_persistence.py

@@ -0,0 +1,394 @@
+"""
+Test cases for Azure OAuth provider client persistence functionality.
+
+This module tests the save/load functionality for OAuth client data
+in the Azure provider, including serialization, deserialization,
+error handling, and edge cases.
+"""
+
+import json
+import tempfile
+import pytest
+from pathlib import Path
+from unittest.mock import patch, MagicMock
+from pydantic import AnyUrl
+
+from mcp.shared.auth import OAuthClientInformationFull
+
+from d365fo_client.mcp.auth_server.auth.providers.azure import AzureProvider, AzureProviderSettings
+
+
+class TestAzureProviderPersistence:
+    """Test cases for Azure provider client persistence."""
+
+    @pytest.fixture
+    def temp_storage_dir(self):
+        """Create a temporary directory for testing storage."""
+        with tempfile.TemporaryDirectory() as temp_dir:
+            yield temp_dir
+
+    @pytest.fixture
+    def minimal_settings(self):
+        """Minimal settings for testing."""
+        return {
+            "client_id": "test-client-id",
+            "client_secret": "test-client-secret",
+            "tenant_id": "test-tenant-id",
+            "base_url": "http://localhost:8000",
+        }
+
+    @pytest.fixture
+    def sample_client_data(self):
+        """Sample OAuth client data for testing."""
+        return OAuthClientInformationFull(
+            client_id="test-oauth-client-123",
+            client_secret="oauth-secret-456",
+            client_name="Test OAuth Client",
+            scope="User.Read email openid profile",
+            redirect_uris=[
+                AnyUrl("http://localhost:3000/callback"),
+                AnyUrl("https://example.com/auth/callback"),
+            ],
+        )
+
+    @pytest.fixture
+    def azure_provider(self, minimal_settings, temp_storage_dir):
+        """Create an Azure provider instance for testing."""
+        settings = {**minimal_settings, "clients_storage_path": temp_storage_dir}
+        return AzureProvider(**settings)
+
+    def test_save_clients_creates_directory(self, azure_provider, sample_client_data, temp_storage_dir):
+        """Test that _save_clients creates the storage directory if it doesn't exist."""
+        # Remove the directory to test creation
+        storage_path = Path(temp_storage_dir)
+        storage_path.rmdir()
+        assert not storage_path.exists()
+
+        # Add a test client and save
+        azure_provider._clients["test-id"] = sample_client_data
+        azure_provider._save_clients()
+
+        # Verify directory was created and file exists
+        assert storage_path.exists()
+        assert (storage_path / "clients.json").exists()
+
+    def test_save_clients_success(self, azure_provider, sample_client_data, temp_storage_dir):
+        """Test successful client data saving."""
+        # Add test client
+        client_id = "test-client-123"
+        azure_provider._clients[client_id] = sample_client_data
+
+        # Save clients
+        azure_provider._save_clients()
+
+        # Verify file was created
+        json_path = Path(temp_storage_dir) / "clients.json"
+        assert json_path.exists()
+
+        # Verify content
+        with json_path.open("r") as f:
+            saved_data = json.load(f)
+
+        assert client_id in saved_data
+        client_data = saved_data[client_id]
+        assert client_data["client_id"] == sample_client_data.client_id
+        assert client_data["client_name"] == sample_client_data.client_name
+        assert client_data["scope"] == sample_client_data.scope
+        
+        # Verify redirect_uris are properly serialized as strings
+        assert isinstance(client_data["redirect_uris"], list)
+        assert all(isinstance(uri, str) for uri in client_data["redirect_uris"])
+        assert "http://localhost:3000/callback" in client_data["redirect_uris"]
+
+    def test_save_clients_no_storage_path(self, minimal_settings, sample_client_data):
+        """Test save_clients when no storage path is configured."""
+        # Create provider without storage path
+        provider = AzureProvider(**minimal_settings)
+        provider._clients["test"] = sample_client_data
+
+        # Should not raise an error, just log a warning
+        provider._save_clients()  # Should complete without error
+
+    def test_save_clients_individual_client_error(self, azure_provider, sample_client_data, temp_storage_dir):
+        """Test save_clients handles individual client serialization errors gracefully."""
+        # Add a good client
+        good_client = sample_client_data
+        azure_provider._clients["good-client"] = good_client
+
+        # Add a bad client (mock to cause serialization error)
+        bad_client = MagicMock()
+        bad_client.model_dump.side_effect = ValueError("Serialization error")
+        azure_provider._clients["bad-client"] = bad_client
+
+        # Save should succeed, skipping the bad client
+        azure_provider._save_clients()
+
+        # Verify only good client was saved
+        json_path = Path(temp_storage_dir) / "clients.json"
+        with json_path.open("r") as f:
+            saved_data = json.load(f)
+
+        assert "good-client" in saved_data
+        assert "bad-client" not in saved_data
+
+    def test_save_clients_atomic_write(self, azure_provider, sample_client_data, temp_storage_dir):
+        """Test that save_clients uses atomic write operations."""
+        # Add test client
+        azure_provider._clients["test"] = sample_client_data
+
+        json_path = Path(temp_storage_dir) / "clients.json"
+        temp_path = json_path.with_suffix('.tmp')
+
+        # Mock to verify temporary file usage
+        original_replace = Path.replace
+        replace_called = []
+
+        def mock_replace(self, target):
+            replace_called.append((str(self), str(target)))
+            return original_replace(self, target)
+
+        with patch.object(Path, 'replace', mock_replace):
+            azure_provider._save_clients()
+
+        # Verify atomic rename was used
+        assert len(replace_called) == 1
+        assert replace_called[0][0].endswith('.tmp')
+        assert replace_called[0][1] == str(json_path)
+
+    def test_load_clients_success(self, azure_provider, sample_client_data, temp_storage_dir):
+        """Test successful client data loading."""
+        # Create test data file
+        client_id = "test-client-123"
+        test_data = {
+            client_id: sample_client_data.model_dump(mode="json")
+        }
+
+        json_path = Path(temp_storage_dir) / "clients.json"
+        with json_path.open("w") as f:
+            json.dump(test_data, f)
+
+        # Load clients
+        azure_provider._load_clients()
+
+        # Verify client was loaded
+        assert client_id in azure_provider._clients
+        loaded_client = azure_provider._clients[client_id]
+        assert isinstance(loaded_client, OAuthClientInformationFull)
+        assert loaded_client.client_id == sample_client_data.client_id
+        assert loaded_client.client_name == sample_client_data.client_name
+        assert loaded_client.scope == sample_client_data.scope
+
+        # Verify redirect_uris are properly restored as AnyUrl objects
+        assert len(loaded_client.redirect_uris) == len(sample_client_data.redirect_uris)
+        for loaded_uri, original_uri in zip(loaded_client.redirect_uris, sample_client_data.redirect_uris):
+            assert str(loaded_uri) == str(original_uri)
+
+    def test_load_clients_no_storage_path(self, minimal_settings):
+        """Test load_clients when no storage path is configured."""
+        provider = AzureProvider(**minimal_settings)
+        provider._load_clients()  # Should complete without error
+
+    def test_load_clients_no_file(self, azure_provider):
+        """Test load_clients when storage file doesn't exist."""
+        azure_provider._load_clients()  # Should complete without error
+        assert len(azure_provider._clients) == 0
+
+    def test_load_clients_invalid_json(self, azure_provider, temp_storage_dir):
+        """Test load_clients with invalid JSON file."""
+        # Create invalid JSON file
+        json_path = Path(temp_storage_dir) / "clients.json"
+        with json_path.open("w") as f:
+            f.write("{ invalid json }")
+
+        # Should handle error gracefully
+        azure_provider._load_clients()
+        assert len(azure_provider._clients) == 0
+
+    def test_load_clients_invalid_data_format(self, azure_provider, temp_storage_dir):
+        """Test load_clients with invalid data format (not a dict)."""
+        # Create file with invalid format
+        json_path = Path(temp_storage_dir) / "clients.json"
+        with json_path.open("w") as f:
+            json.dump(["not", "a", "dict"], f)
+
+        # Should handle error gracefully
+        azure_provider._load_clients()
+        assert len(azure_provider._clients) == 0
+
+    def test_load_clients_individual_client_error(self, azure_provider, sample_client_data, temp_storage_dir):
+        """Test load_clients handles individual client validation errors gracefully."""
+        # Create test data with one good and one bad client
+        good_client_data = sample_client_data.model_dump(mode="json")
+        bad_client_data = {"client_id": "bad", "invalid_field": "invalid"}
+
+        test_data = {
+            "good-client": good_client_data,
+            "bad-client": bad_client_data,
+        }
+
+        json_path = Path(temp_storage_dir) / "clients.json"
+        with json_path.open("w") as f:
+            json.dump(test_data, f)
+
+        # Load should succeed, skipping the bad client
+        azure_provider._load_clients()
+
+        assert "good-client" in azure_provider._clients
+        assert "bad-client" not in azure_provider._clients
+        assert isinstance(azure_provider._clients["good-client"], OAuthClientInformationFull)
+
+    def test_load_clients_non_string_client_id(self, azure_provider, sample_client_data, temp_storage_dir):
+        """Test load_clients handles non-string client IDs gracefully."""
+        # Create test data with non-string client ID
+        good_client_data = sample_client_data.model_dump(mode="json")
+        test_data = {
+            "good-client": good_client_data,
+            # Note: JSON will convert numeric keys to strings, so we need to test this differently
+            # Instead, let's test that our validation catches non-string keys in the loading logic
+        }
+
+        json_path = Path(temp_storage_dir) / "clients.json"
+        with json_path.open("w") as f:
+            json.dump(test_data, f)
+
+        # Load should succeed with just the good client
+        azure_provider._load_clients()
+
+        assert "good-client" in azure_provider._clients
+        assert len(azure_provider._clients) == 1
+
+    def test_round_trip_persistence(self, azure_provider, sample_client_data, temp_storage_dir):
+        """Test complete save/load round trip."""
+        client_id = "round-trip-test"
+        
+        # Add client and save
+        azure_provider._clients[client_id] = sample_client_data
+        azure_provider._save_clients()
+
+        # Clear clients and reload
+        azure_provider._clients.clear()
+        azure_provider._load_clients()
+
+        # Verify data integrity
+        assert client_id in azure_provider._clients
+        loaded_client = azure_provider._clients[client_id]
+        
+        # Compare all important fields
+        assert loaded_client.client_id == sample_client_data.client_id
+        assert loaded_client.client_secret == sample_client_data.client_secret
+        assert loaded_client.client_name == sample_client_data.client_name
+        assert loaded_client.scope == sample_client_data.scope
+        assert len(loaded_client.redirect_uris) == len(sample_client_data.redirect_uris)
+        
+        for loaded_uri, original_uri in zip(loaded_client.redirect_uris, sample_client_data.redirect_uris):
+            assert str(loaded_uri) == str(original_uri)
+
+    async def test_register_client_persistence(self, azure_provider, sample_client_data):
+        """Test that register_client properly persists the client data."""
+        # Mock the super().register_client to avoid complex setup
+        with patch.object(azure_provider.__class__.__bases__[0], 'register_client') as mock_register:
+            mock_register.return_value = None
+            
+            # Register client
+            client_id = "register-test"
+            azure_provider._clients[client_id] = sample_client_data
+            
+            # This should trigger save
+            await azure_provider.register_client(sample_client_data)
+
+        # Verify file was created (basic check since we mocked the registration)
+        json_path = Path(azure_provider.clients_storage_path) / "clients.json"
+        assert json_path.exists()
+
+    def test_load_clients_called_during_init(self, minimal_settings, temp_storage_dir):
+        """Test that _load_clients is called during provider initialization."""
+        # Create a test client file
+        test_data = {
+            "init-test": {
+                "client_id": "init-client",
+                "redirect_uris": ["http://localhost:8080/"],
+                "client_name": "Init Test Client"
+            }
+        }
+
+        json_path = Path(temp_storage_dir) / "clients.json"
+        with json_path.open("w") as f:
+            json.dump(test_data, f)
+
+        # Create provider (should load existing clients)
+        settings = {**minimal_settings, "clients_storage_path": temp_storage_dir}
+        provider = AzureProvider(**settings)
+
+        # Verify client was loaded during initialization
+        assert "init-test" in provider._clients
+        assert provider._clients["init-test"].client_id == "init-client"
+
+    def test_multiple_clients_persistence(self, azure_provider, temp_storage_dir):
+        """Test persistence with multiple clients."""
+        # Create multiple test clients
+        clients = {}
+        for i in range(3):
+            client_id = f"client-{i}"
+            client = OAuthClientInformationFull(
+                client_id=f"oauth-client-{i}",
+                client_name=f"Test Client {i}",
+                redirect_uris=[AnyUrl(f"http://localhost:300{i}/callback")],
+                scope="User.Read",
+            )
+            clients[client_id] = client
+            azure_provider._clients[client_id] = client
+
+        # Save and reload
+        azure_provider._save_clients()
+        azure_provider._clients.clear()
+        azure_provider._load_clients()
+
+        # Verify all clients were persisted
+        assert len(azure_provider._clients) == 3
+        for client_id, original_client in clients.items():
+            assert client_id in azure_provider._clients
+            loaded_client = azure_provider._clients[client_id]
+            assert loaded_client.client_id == original_client.client_id
+            assert loaded_client.client_name == original_client.client_name
+
+    async def test_error_handling_in_register_client(self, azure_provider, sample_client_data):
+        """Test error handling when save fails during client registration."""
+        # Mock _save_clients to raise an error
+        with patch.object(azure_provider, '_save_clients') as mock_save:
+            mock_save.side_effect = OSError("Disk full")
+            
+            with patch.object(azure_provider.__class__.__bases__[0], 'register_client') as mock_register:
+                mock_register.return_value = None
+                
+                # Should not raise despite save error
+                await azure_provider.register_client(sample_client_data)
+
+    def test_unicode_handling(self, azure_provider, temp_storage_dir):
+        """Test proper handling of Unicode characters in client data."""
+        # Create client with Unicode characters
+        unicode_client = OAuthClientInformationFull(
+            client_id="unicode-test",
+            client_name="Test Client with Unicode: 测试客户端 🔒",
+            redirect_uris=[AnyUrl("http://localhost:8080/callback")],
+            scope="User.Read",
+        )
+
+        client_id = "unicode-client"
+        azure_provider._clients[client_id] = unicode_client
+
+        # Save and reload
+        azure_provider._save_clients()
+        azure_provider._clients.clear()
+        azure_provider._load_clients()
+
+        # Verify Unicode characters were preserved
+        loaded_client = azure_provider._clients[client_id]
+        assert loaded_client.client_name == "Test Client with Unicode: 测试客户端 🔒"
+
+
+if __name__ == "__main__":
+    pytest.main([__file__])
+
+
+if __name__ == "__main__":
+    pytest.main([__file__])