Contributor

@nbaju1 nbaju1 commented Sep 19, 2025

Description

Problem

The Azure provider fails when MCP clients send the resource parameter (from RFC 8707 - OAuth 2.0 Resource Indicators) because Azure AD v2.0 endpoints don't support this parameter. Users get the error:

The "resource" request parameter is not supported

Root Cause

The OAuthProxy base class forwards all OAuth parameters including resource if present:

# oauth_proxy.py line ~444
if params.resource:
    query_params["resource"] = params.resource

While this is correct per OAuth 2.0 specs, Azure AD v2.0 specifically rejects this parameter. Azure AD v2.0 uses scopes (like api://app-id/.default) to determine the resource/audience instead.

Solution

Override the authorize method in AzureProvider to filter out the resource parameter before forwarding to Azure AD v2.0. This maintains compatibility with both:

  • MCP clients that send the resource parameter (following RFC 8707)
  • Azure AD v2.0 which doesn't support it

Changes

  • Added authorize method override in AzureProvider class
  • Added imports for AuthorizationParams and OAuthClientInformationFull
  • Added debug logging when filtering out the resource parameter

Backwards Compatibility

This change is fully backwards compatible. Existing Azure provider users will see no change in behavior unless they were experiencing the "resource parameter not supported" error.

AI generated code and PR description with Claude Opus 4.1

Contributors Checklist

Review Checklist

  • I have self-reviewed my changes
  • My Pull Request is ready for review

@marvin-context-protocol marvin-context-protocol bot added the bug and auth labels Sep 19, 2025
@nbaju1 nbaju1 marked this pull request as draft September 19, 2025 07:48
Contributor Author

nbaju1 commented Sep 19, 2025

Failed test seems unrelated.

@nbaju1 nbaju1 marked this pull request as ready for review September 19, 2025 08:13
Owner

@jlowin jlowin left a comment

Thanks for raising @nbaju1 and your approach makes sense -- my only hesitation is mutating the params object could have other consequences that would be difficult to diagnose. Would it be possible to instead create a shallow copy of params with resource=None (model_copy() might do it easily) and pass that to the super method instead?
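
The non-mutating approach suggested in the review comment above, as an added example that is not code from this PR or from the project. The classes are simplified stand-ins (synchronous, dataclass-based, with a constructed endpoint and request values), and `dataclasses.replace` plays the role of `model_copy()`.

```python
from dataclasses import dataclass, replace
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit


@dataclass
class AuthorizationParams:
    """Simplified stand-in for the real params model (assumption)."""
    state: str
    scopes: list[str]
    redirect_uri: str
    resource: Optional[str] = None  # RFC 8707 resource indicator


class OAuthProxy:
    """Stand-in base class: forwards every parameter it is given."""
    authorize_endpoint = "https://idp.example/authorize"  # constructed URL

    def authorize(self, params: AuthorizationParams) -> str:
        query = {
            "response_type": "code",
            "state": params.state,
            "scope": " ".join(params.scopes),
            "redirect_uri": params.redirect_uri,
        }
        if params.resource:
            query["resource"] = params.resource
        return f"{self.authorize_endpoint}?{urlencode(query)}"


class AzureProvider(OAuthProxy):
    def authorize(self, params: AuthorizationParams) -> str:
        # Copy with resource cleared; the caller's object stays untouched.
        # On a pydantic model the equivalent call is
        # params.model_copy(update={"resource": None}).
        upstream = replace(params, resource=None) if params.resource else params
        return super().authorize(upstream)


def forwarded_query(url: str) -> dict[str, list[str]]:
    """Parse the query string that would reach the upstream endpoint."""
    return parse_qs(urlsplit(url).query)


# Constructed request from an MCP client that sends an RFC 8707 resource.
client_params = AuthorizationParams(
    state="xyz", scopes=["api://app-id/.default"],
    redirect_uri="http://localhost:8080/callback",
    resource="https://mcp.example/mcp",
)
```

Because the caller's object keeps its `resource` value, any later code that reads it (for example, logging or audience checks) still sees what the client sent.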

@nbaju1 nbaju1 requested a review from jlowin September 22, 2025 06:59
Contributor Author

nbaju1 commented Sep 22, 2025

I added this fix to #1891. Can either close this PR, or fix the eventual merge conflict in that PR if this gets merged.

Owner

jlowin commented Sep 23, 2025

Ok, let's focus on #1891 and close this PR. Thank you!

@jlowin jlowin closed this Sep 23, 2025
Development

Successfully merging this pull request may close these issues.

Microsoft Entra OAuth Error: The 'resource' request parameter is not supported.