IdentityAssertionGrantProvider.GetAccessTokenAsync (added in #1305) passes authorizationServerUrl.ToString() directly as the audience (and resourceUrl.ToString() as the resource) for the RFC 8693 token exchange at the IdP.
The Python SDK (PR #1721) normalizes the audience to the discovered OAuth issuer (override_audience_with_issuer) rather than the caller-supplied URL. Without that normalization, a trailing slash or path difference between the configured authorizationServerUrl and the issuer advertised in the authorization server metadata can produce an audience that the IdP rejects as a mismatch.
Suggested direction
Consider normalizing the audience to the issuer discovered during authorization server metadata discovery (which GetAccessTokenAsync already fetches as mcpAuthMetadata) per RFC 8693, instead of using the raw configured URL.
Low priority — no reported failures yet, surfacing it so it isn't lost.
Related: #1305
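
An added sketch of the suggested direction, not code from the SDK or from either PR: it picks the token-exchange audience from the issuer string in the authorization server metadata and only falls back to the configured URL when the issuer is missing or names a different server. `AudienceResolver`, `Resolve`, `SameServer` and the sample values are hypothetical; the fallback behaviour is this example's assumption. It also shows one concrete source of the mismatch: `Uri.ToString()` on a host-only URL returns it with a trailing slash.

```csharp
using System;
using System.Text.Json;

// Added illustration; AudienceResolver and its members are hypothetical names, not SDK APIs.
static class AudienceResolver
{
    // Returns the issuer exactly as advertised in the metadata when it names the same
    // server as the configured URL; otherwise falls back to the configured URL (an
    // assumption of this example, a stricter caller could throw instead).
    public static string Resolve(Uri configuredAuthorizationServerUrl, string metadataJson)
    {
        using JsonDocument doc = JsonDocument.Parse(metadataJson);
        if (doc.RootElement.TryGetProperty("issuer", out JsonElement issuerElement)
            && issuerElement.ValueKind == JsonValueKind.String
            && issuerElement.GetString() is { Length: > 0 } issuer
            && Uri.TryCreate(issuer, UriKind.Absolute, out var issuerUri)
            && SameServer(configuredAuthorizationServerUrl, issuerUri))
        {
            // Return the advertised string verbatim: a round-trip through Uri
            // could re-add the trailing slash the IdP does not expect.
            return issuer;
        }
        return configuredAuthorizationServerUrl.ToString();
    }

    // Same scheme, host and port, and the same path once a trailing slash is ignored,
    // so an issuer pointing at a different origin is never adopted as the audience.
    static bool SameServer(Uri a, Uri b) =>
        Uri.Compare(a, b, UriComponents.SchemeAndServer, UriFormat.UriEscaped,
                    StringComparison.OrdinalIgnoreCase) == 0
        && string.Equals(a.AbsolutePath.TrimEnd('/'), b.AbsolutePath.TrimEnd('/'),
                         StringComparison.Ordinal);
}

static class Program
{
    static void Main()
    {
        // Constructed sample values: the configured URL and the metadata document.
        var configured = new Uri("https://idp.example.com");
        const string metadata =
            "{\"issuer\":\"https://idp.example.com\"," +
            "\"token_endpoint\":\"https://idp.example.com/token\"}";

        // The raw value carries the slash added by Uri; the resolved one matches the issuer.
        Console.WriteLine($"raw audience:      {configured}");
        Console.WriteLine($"resolved audience: {AudienceResolver.Resolve(configured, metadata)}");
    }
}
```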