Skip to content

fix: preserve OAuth authorization endpoint query params#2787

Closed
he-yufeng wants to merge 1 commit into
modelcontextprotocol:mainfrom
he-yufeng:fix/oauth-redirect-existing-query
Closed

fix: preserve OAuth authorization endpoint query params#2787
he-yufeng wants to merge 1 commit into
modelcontextprotocol:mainfrom
he-yufeng:fix/oauth-redirect-existing-query

Conversation

@he-yufeng

@he-yufeng he-yufeng commented Jun 5, 2026
edited
Loading

Copy link
Copy Markdown

Fixes #2776.

Summary

The OAuth authorization URL builder always appended SDK parameters with a literal ?:

f"{auth_endpoint}?{urlencode(auth_params)}"

That breaks authorization servers whose metadata already includes endpoint-level query parameters. Salesforce sandbox auth endpoints are one example:

https://test.salesforce.com/services/oauth2/authorize?prompt=select_account

The generated URL became ...?prompt=select_account?response_type=..., so the OAuth parameters were folded into the existing prompt value instead of being sent as query parameters.

This change parses the endpoint query first, preserves existing parameters, and appends the SDK-generated OAuth parameters with normal form encoding.

Validation

  • PYTHONPATH=src python -m pytest tests/client/test_auth.py -q -k authorization_endpoint_preserves_existing_query
  • PYTHONPATH=src python -m pytest tests/client/test_auth.py -q
  • python -m py_compile src/mcp/client/auth/oauth2.py tests/client/test_auth.py
  • python -m ruff check src/mcp/client/auth/oauth2.py tests/client/test_auth.py
  • git diff --check upstream/main..HEAD

I also tried python -m pyright src/mcp/client/auth/oauth2.py tests/client/test_auth.py, but the local run failed on pre-existing environment/type-resolution issues in tests/client/test_auth.py before isolating this patch.

@he-yufeng he-yufeng force-pushed the fix/oauth-redirect-existing-query branch from 966555b to fd42072 Compare June 5, 2026 17:29
@he-yufeng he-yufeng force-pushed the fix/oauth-redirect-existing-query branch from fd42072 to d606a76 Compare June 7, 2026 10:54
@he-yufeng

he-yufeng commented Jun 7, 2026

Copy link
Copy Markdown
Author

The remaining red job is checks / test (3.12, locked, ubuntu-latest), failing in tests/server/test_session.py::test_other_requests_blocked_before_initialization with anyio.EndOfStream while checking a server-session initialization error path.

This PR only changes the OAuth redirect query handling and its targeted auth tests; the same workflow has the other Python/OS matrix entries passing. I am treating this one as unrelated/flaky unless maintainers see a link I missed.

@he-yufeng

he-yufeng commented Jun 11, 2026

Copy link
Copy Markdown
Author

Closing this older OAuth query-parameter fix in favor of #2829.

#2829 covers the same authorization-endpoint behavior on the same client auth path, keeps the existing endpoint query parameters, adds the targeted regression test, and is currently green across the matrix. Keeping both open would split review over duplicate fixes.

@he-yufeng he-yufeng closed this Jun 11, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

OAuth handler doesn't support redirect URLs with params

1 participant

@he-yufeng