RFC 8707 resource parameter breaks Microsoft Entra ID v2.0 OAuth #5

@roller100

Description

Summary

Context Forge's recent addition of RFC 8707 resource parameter support (PR IBM#2151, commit 9a51348) breaks OAuth compatibility with Microsoft Entra ID v2.0 endpoints. Microsoft explicitly does not support the resource parameter on v2.0 endpoints and returns error AADSTS901002.

Environment

  • Context Forge Version: v1.0.0-BETA-1
  • Affected Commit: 9a51348 (2026-01-17)
  • OAuth Provider: Microsoft Entra ID v2.0
  • Error: AADSTS901002 - "The provided value for the input parameter 'resource' is not valid."

Problem Details

Root Cause

File: mcpgateway/routers/oauth_router.py line 136

The code unconditionally adds a resource parameter to all OAuth configurations:

oauth_config["resource"] = _normalize_resource_url(gateway.url)

This breaks Microsoft Entra ID v2.0 OAuth flows because:

  1. Microsoft v2.0 endpoints use scope parameter (not resource)
  2. RFC 8707 resource parameter is explicitly not supported by Microsoft v2.0
  3. Including resource causes immediate token request rejection

Reproduction

  1. Configure Context Forge gateway with Microsoft Entra ID OAuth:
    • Authorization URL: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize
    • Token URL: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
  2. Click "Authorize" in Context Forge admin UI
  3. Complete Microsoft consent/sign-in
  4. Observe token exchange failure with AADSTS901002

Expected Behavior

Context Forge should:

  1. Detect Microsoft Entra ID v2.0 endpoints (by URL pattern)
  2. Skip adding resource parameter for Microsoft v2.0
  3. Use only the scope parameter for Microsoft v2.0 flows

Proposed Fix

Add Microsoft v2.0 detection in oauth_router.py:

# Detect Microsoft Entra ID v2.0 endpoints, which reject the RFC 8707 resource parameter
is_microsoft_v2 = (
    ("login.microsoftonline.com" in authorization_url or
     "login.microsoftonline.com" in token_url) and
    ("/v2.0/" in authorization_url or "/v2.0/" in token_url)
)

if is_microsoft_v2:
    # Entra ID v2.0 expresses the audience through scope only
    logger.info("Skipping resource parameter for Microsoft Entra ID v2.0 endpoint")
elif oauth_config.get("resource"):
    # An explicitly configured resource takes precedence over the gateway URL
    oauth_config["resource"] = _normalize_resource_url(oauth_config["resource"])
else:
    oauth_config["resource"] = _normalize_resource_url(gateway.url)

RFC 8707 Compatibility Note

RFC 8707 is not universally supported across OAuth providers:

  • ✅ Some providers support it (Google, certain enterprise IdPs)
  • ❌ Microsoft Entra ID v2.0 explicitly does not support it
  • ❌ Many OAuth providers use only scope parameter

The resource parameter should be opt-in or provider-specific, not unconditionally added to all OAuth flows.

Related


Note: This issue affects all Microsoft Entra ID v2.0 integrations, which represent a significant portion of enterprise OAuth use cases.
