Skip to content

fix: strip trailing slash from resource URL in get_resource_url()#2580

Open
siddhirajkatkar wants to merge 1 commit into
modelcontextprotocol:mainfrom
siddhirajkatkar:fix/oauth-resource-trailing-slash
Open

fix: strip trailing slash from resource URL in get_resource_url()#2580
siddhirajkatkar wants to merge 1 commit into
modelcontextprotocol:mainfrom
siddhirajkatkar:fix/oauth-resource-trailing-slash

Conversation

@siddhirajkatkar
Copy link
Copy Markdown

@siddhirajkatkar siddhirajkatkar commented May 12, 2026

Fixes #2578

Problem

Pydantic v2 AnyHttpUrl adds a trailing slash to bare-domain URLs
when str() is called:

>>> str(AnyHttpUrl("https://mcp-server.example.com"))
'https://mcp-server.example.com/'  # trailing slash added

This causes an audience mismatch with Microsoft Entra ID v2.0, which
registers the resource as https://mcp-server.example.com (no slash),
resulting in AADSTS9010010 errors after token refresh.

Fix

Strip the trailing slash in get_resource_url():

prm_resource = str(self.protected_resource_metadata.resource).rstrip("/")

Files Changed

  • src/mcp/client/auth/oauth2.py line 154

@siddhirajkatkar
fix: strip trailing slash from resource URL in get_resource_url()
02da247 
Pydantic v2 AnyHttpUrl adds a trailing slash to bare-domain URLs when
str() is called, causing audience mismatch with Entra ID v2.0 which
registers the resource without a trailing slash.

Fixes modelcontextprotocol#2578
@siddhirajkatkar siddhirajkatkar force-pushed the fix/oauth-resource-trailing-slash branch from 795bcb8 to 02da247 Compare May 12, 2026 16:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

OAuth token refresh sends RFC 8707 resource parameter that Entra ID v2.0 rejects (AADSTS9010010)

1 participant

@siddhirajkatkar