ClientOAuthProvider does not work with MS Entra #939

@eduardomb-aw

Describe the bug
The current implementation of ClientOAuthProvider is not compatible with MS Entra directories. Both the RefreshTokenAsync and ExchangeCodeForTokenAsync methods make use of a "resource" parameter that does not work in Entra; Entra uses "scope".

To Reproduce
Steps to reproduce the behavior:

  1. Replace the InMemoryOAuthServer information used in the samples ProtectedMcpServer and ProtectedMcpClient with real MS Entra directory info (including the proper app registrations, secrets, and permissions), and run the sample. The ClientOAuthProvider will throw an exception:

Expected behavior
The implementation should ALSO work with MS Entra.

Logs

Authorization code received successfully from Microsoft Entra ID.
fail: ModelContextProtocol.Client.McpClient[1155727496]
      Client (ProtectedMcpClient 1.0.0.0) client initialization error.
      System.Net.Http.HttpRequestException: Response status code does not indicate success: 400 (Bad Request).
         at System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode()
         at ModelContextProtocol.Authentication.ClientOAuthProvider.FetchTokenAsync(HttpRequestMessage request, CancellationToken cancellationToken) in C:\Temp\repos\mcp-csharp-sdk\src\ModelContextProtocol.Core\Authentication\ClientOAuthProvider.cs:line 409
         at ModelContextProtocol.Authentication.ClientOAuthProvider.ExchangeCodeForTokenAsync(ProtectedResourceMetadata protectedResourceMetadata, AuthorizationServerMetadata authServerMetadata, String authorizationCode, String codeVerifier, CancellationToken cancellationToken) in C:\Temp\repos\mcp-csharp-sdk\src\ModelContextProtocol.Core\Authentication\ClientOAuthProvider.cs:line 403
         at ModelContextProtocol.Authentication.ClientOAuthProvider.InitiateAuthorizationCodeFlowAsync(ProtectedResourceMetadata protectedResourceMetadata, AuthorizationServerMetadata authServerMetadata, CancellationToken cancellationToken) in C:\Temp\repos\mcp-csharp-sdk\src\ModelContextProtocol.Core\Authentication\ClientOAuthProvider.cs:line 336
         at ModelContextProtocol.Authentication.ClientOAuthProvider.PerformOAuthAuthorizationAsync(HttpResponseMessage response, CancellationToken cancellationToken) in C:\Temp\repos\mcp-csharp-sdk\src\ModelContextProtocol.Core\Authentication\ClientOAuthProvider.cs:line 233
         at ModelContextProtocol.Authentication.ClientOAuthProvider.HandleUnauthorizedResponseAsync(String scheme, HttpResponseMessage response, CancellationToken cancellationToken) in C:\Temp\repos\mcp-csharp-sdk\src\ModelContextProtocol.Core\Authentication\ClientOAuthProvider.cs:line 183
         at ModelContextProtocol.Authentication.AuthenticatingMcpHttpClient.HandleUnauthorizedResponseAsync(HttpRequestMessage originalRequest, JsonRpcMessage originalJsonRpcMessage, HttpResponseMessage response, CancellationToken cancellationToken) in C:\Temp\repos\mcp-csharp-sdk\src\ModelContextProtocol.Core\Authentication\AuthenticatingMcpHttpClient.cs:line 68
         at ModelContextProtocol.Authentication.AuthenticatingMcpHttpClient.SendAsync(HttpRequestMessage request, JsonRpcMessage message, CancellationToken cancellationToken) in C:\Temp\repos\mcp-csharp-sdk\src\ModelContextProtocol.Core\Authentication\AuthenticatingMcpHttpClient.cs:line 30
         at ModelContextProtocol.Client.StreamableHttpClientSessionTransport.SendHttpRequestAsync(JsonRpcMessage message, CancellationToken cancellationToken) in C:\Temp\repos\mcp-csharp-sdk\src\ModelContextProtocol.Core\Client\StreamableHttpClientSessionTransport.cs:line 76
         at ModelContextProtocol.Client.AutoDetectingClientSessionTransport.InitializeAsync(JsonRpcMessage message, CancellationToken cancellationToken) in C:\Temp\repos\mcp-csharp-sdk\src\ModelContextProtocol.Core\Client\AutoDetectingClientSessionTransport.cs:line 69
         at ModelContextProtocol.Client.AutoDetectingClientSessionTransport.InitializeAsync(JsonRpcMessage message, CancellationToken cancellationToken) in C:\Temp\repos\mcp-csharp-sdk\src\ModelContextProtocol.Core\Client\AutoDetectingClientSessionTransport.cs:line 90
         at ModelContextProtocol.McpSessionHandler.SendRequestAsync(JsonRpcRequest request, CancellationToken cancellationToken) in C:\Temp\repos\mcp-csharp-sdk\src\ModelContextProtocol.Core\McpSessionHandler.cs:line 440
         at ModelContextProtocol.McpSession.SendRequestAsync[TParameters,TResult](String method, TParameters parameters, JsonTypeInfo`1 parametersTypeInfo, JsonTypeInfo`1 resultTypeInfo, RequestId requestId, CancellationToken cancellationToken) in C:\Temp\repos\mcp-csharp-sdk\src\ModelContextProtocol.Core\McpSession.Methods.cs:line 71
         at ModelContextProtocol.Client.McpClientImpl.ConnectAsync(CancellationToken cancellationToken) in C:\Temp\repos\mcp-csharp-sdk\src\ModelContextProtocol.Core\Client\McpClientImpl.cs:line 150
info: ModelContextProtocol.Client.McpClient[2103773711]
      Secure Weather Client message processing canceled.

Additional context
Add any other context about the problem here.
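
The mismatch reported above, as an added C# example that is not part of the issue or the SDK's code: a token-request builder that sends the target either as a `resource` field or through `scope` only, plus a helper that reads the OAuth `error` fields from a 400 response body, which `EnsureSuccessStatusCode()` in the log above does not surface. All type and method names are hypothetical and all sample values are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Text.Json;

// Added illustration: every name and value here is hypothetical or constructed.
enum TargetStyle { ResourceParameter, ScopeOnly }
static class TokenRequestDemo
{
    // Completes a token request body. ScopeOnly names the target API through
    // scope values and emits no "resource" field.
    public static Dictionary<string, string> BuildTokenForm(TargetStyle style,
        IDictionary<string, string> grantFields, Uri resource, IReadOnlyCollection<string> scopes)
    {
        var form = new Dictionary<string, string>(grantFields);
        if (scopes.Count > 0) form["scope"] = string.Join(" ", scopes);
        if (style == TargetStyle.ResourceParameter) form["resource"] = resource.AbsoluteUri;
        return form;
    }

    // Reads the RFC 6749 section 5.2 error fields so a 400 reports its cause.
    public static string DescribeTokenError(int status, string body)
    {
        try
        {
            using var doc = JsonDocument.Parse(body);
            var root = doc.RootElement;
            if (root.ValueKind != JsonValueKind.Object) return $"HTTP {status}: unexpected body";
            var error = root.TryGetProperty("error", out var e) ? e.ToString() : "(none)";
            var detail = root.TryGetProperty("error_description", out var d) ? d.ToString() : "";
            return $"HTTP {status}: {error} {detail}".TrimEnd();
        }
        catch (JsonException) { return $"HTTP {status}: non-JSON body"; }
    }

    static void Main()
    {
        var refresh = new Dictionary<string, string> { ["grant_type"] = "refresh_token",
            ["client_id"] = "constructed-client-id", ["refresh_token"] = "constructed-token" };
        foreach (var style in new[] { TargetStyle.ResourceParameter, TargetStyle.ScopeOnly })
        {
            var form = BuildTokenForm(style, refresh, new Uri("https://mcp.example.test/"),
                new[] { "api://constructed-app-id/mcp.tools" });
            using var content = new FormUrlEncodedContent(form);
            Console.WriteLine($"{style}: {content.ReadAsStringAsync().Result}");
        }
        Console.WriteLine(DescribeTokenError(400, "{\"error\":\"invalid_request\"}"));
    }
}
```

The sample shows the refresh grant; the code exchange would pass its own grant fields (`code`, `code_verifier`, `redirect_uri`) through the same builder.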
