
Commit e0c2b35

committed
Working with Azure as auth server for MCP
1 parent a1608a6 commit e0c2b35


1 file changed

+30
-3
lines changed


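--- a/src/client/auth.ts
+++ b/src/client/auth.ts
@@ -605,6 +605,17 @@ async function discoverMetadataWithFallback(
 return response;
 }
 
+/**
+* Identify common providers from metadata
+* Used for providers that have quirks needing conditional handling
+* e.g. Azure no PKCE advertised, scope param instead of resource param.
+*/
+function identifyProvider(metadata: AuthorizationServerMetadata): "azure_v2" | undefined {
+if (metadata.issuer.includes("login.microsoftonline.com")) {
+return "azure_v2"
+}
+}
+
 /**
 * Looks up RFC 8414 OAuth 2.0 Authorization Server Metadata.
 *
@@ -778,6 +789,10 @@ export async function discoverAuthorizationServerMetadata(
 return OAuthMetadataSchema.parse(await response.json());
 } else {
 const metadata = OpenIdProviderDiscoveryMetadataSchema.parse(await response.json());
+// Azure Bypass
+if (identifyProvider(metadata) === "azure_v2" && !metadata.code_challenge_methods_supported) {
+metadata.code_challenge_methods_supported = ["S256"];
+}
 
 // MCP spec requires OIDC providers to support S256 PKCE
 if (!metadata.code_challenge_methods_supported?.includes('S256')) {
@@ -869,7 +884,11 @@ export async function startAuthorization(
 }
 
 if (resource) {
-authorizationUrl.searchParams.set("resource", resource.href);
+if (metadata && identifyProvider(metadata) === "azure_v2") {
+authorizationUrl.searchParams.set("scope", `${resource.href}/.default`);
+} else {
+authorizationUrl.searchParams.set("resource", resource.href);
+}
 }
 
 return { authorizationUrl, codeVerifier };
@@ -947,7 +966,11 @@ export async function exchangeAuthorization(
 }
 
 if (resource) {
-params.set("resource", resource.href);
+if (metadata && identifyProvider(metadata) === "azure_v2") {
+params.set("scope", `${resource.href}/.default`);
+} else {
+params.set("resource", resource.href);
+}
 }
 
 const response = await (fetchFn ?? fetch)(tokenUrl, {
@@ -1031,7 +1054,11 @@ export async function refreshAuthorization(
 }
 
 if (resource) {
-params.set("resource", resource.href);
+if (metadata && identifyProvider(metadata) === "azure_v2") {
+params.set("scope", `${resource.href}/.default`);
+} else {
+params.set("resource", resource.href);
+}
 }
 
 const response = await (fetchFn ?? fetch)(tokenUrl, {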
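Review bot: `identifyProvider` in the first hunk classifies a server as Azure with `metadata.issuer.includes("login.microsoftonline.com")`, a substring test that also matches any issuer carrying that text in a subdomain, path or query; since that classification is what lets the second hunk fabricate `code_challenge_methods_supported = ["S256"]` ahead of the S256 check on the following lines, and what switches `resource` to `scope` in the three later hunks, an unrelated authorization server can select the Azure path simply by its choice of issuer string. Compare the host exactly instead, e.g. `if (new URL(metadata.issuer).hostname === "login.microsoftonline.com") {` — assuming the metadata schema guarantees `issuer` is a well-formed URL (otherwise guard the parse). Two smaller points: `return "azure_v2"` lacks the semicolon the surrounding file uses, and `${resource.href}/.default` yields `//.default` whenever `resource.href` already ends in a slash, which depends on how callers build `resource` outside these hunks. discoverAuthorizationServerMetadata, startAuthorization, exchangeAuthorization and refreshAuthorization all continue outside their hunks.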
