OAuth Token rejected (401 invalid_token) when using AzureProvider with FastMCP client

[Chocolee-1024]

Description

----------------server logs--------------------
INFO: Uvicorn running on http://0.0.0.0:1024 (Press CTRL+C to quit)
INFO: 10.0.0.250:50324 - "POST /mcp/ HTTP/1.1" 307 Temporary Redirect
INFO: 10.0.0.250:50340 - "POST /mcp HTTP/1.1" 401 Unauthorized
[10/26/25 17:53:37] INFO Auth error returned: invalid_token (status=401) middleware.py:92
INFO: 10.0.0.250:50356 - "GET /.well-known/oauth-protected-resource/mcp HTTP/1.1" 200 OK
INFO: 10.0.0.250:50366 - "GET /.well-known/oauth-authorization-server HTTP/1.1" 200 OK
INFO: 10.0.0.250:50380 - "POST /register HTTP/1.1" 201 Created
INFO: 10.0.0.250:50396 - "GET /authorize?response_type=code&client_id=ea0db73e-7d72-4cf3-9e34-5c352607b29f&redirect_uri=http%3A%2F%2Flocalhost%3A11379%2Fcallback&state=qpxNupDNXyTIkudvg_KCfrXLrhPbT9xFXaxiPHEIOSc&code_challenge=LjWDxcGiF1rk_yPbEDiFi_Ih5QPW9se-cI4AS_sP2mY&code_challenge_method=S256&resource=https%3A%2F%2Fmcp-auth-chocole.nutc-imac.com&scope=api%3A%2F%2F45f8ab5d-b076-44da-b33b-242a00e9ae44%2Fread+api%3A%2F%2F45f8ab5d-b076-44da-b33b-242a00e9ae44%2Fwrite HTTP/1.1" 302 Found
INFO: 10.0.0.250:50410 - "GET /authorize?response_type=code&client_id=ea0db73e-7d72-4cf3-9e34-5c352607b29f&redirect_uri=http%3A%2F%2Flocalhost%3A11379%2Fcallback&state=qpxNupDNXyTIkudvg_KCfrXLrhPbT9xFXaxiPHEIOSc&code_challenge=LjWDxcGiF1rk_yPbEDiFi_Ih5QPW9se-cI4AS_sP2mY&code_challenge_method=S256&resource=https%3A%2F%2Fmcp-auth-chocole.nutc-imac.com&scope=api%3A%2F%2F45f8ab5d-b076-44da-b33b-242a00e9ae44%2Fread+api%3A%2F%2F45f8ab5d-b076-44da-b33b-242a00e9ae44%2Fwrite HTTP/1.1" 302 Found
INFO: 10.0.0.250:50412 - "GET /consent?txn_id=5QZPxw-cxP5IXUoetGL5h7wndkU4y4XxGkpIyGgbOKM&prompt=select_account HTTP/1.1" 200 OK
INFO: 10.0.0.250:50426 - "POST /consent/submit HTTP/1.1" 302 Found
INFO: 10.0.0.250:50438 - "GET /auth/callback?code=1.Ab4APaQsLfo1MkWOBkq23EDbq12r-EV2sNpEszskKgDprkR7Ab2-AA.AgABBAIAAABlMNzVhAPUTrARzfQjWPtKAwDs_wUA9P84Xo2SX5uDKvFpMvmE-KRdCePR8-Fu2kCiTEA2j4bqrldSZhWJWTpFcVzhWA5J7ucUQqpDGtK1wWg4PCZRqz-9fJ5YMT4kdW7o1FJMH5LKMLGdKdgvh6dhzys0FEd0rSA0LWJUrIxm0E3mqNhMBl448Vu_MmDi0ogjhZF_P-XZeSiNd4E9eoTyhqlL8cxF7l0FAP803OgH_l2c2FQaDXdE6nFfeW07KvQxjsNyVRdltTLS3xjk7Ho_YJMZWvSxG9ab7dhYdj0ZuZX8jLnJ4aWLg4UUZD7RPHV5AL5zdIzUypW2wcS-6MVpVXGCR8uH8rVvXJo3a6D9RwQ0VvRkQKzyYTeVMFn16ipkVD6EArNHtvm5DqQdUAMbYQOpV7kAYU7UV8XARRHN25NV3nurc3wMB5OaIhRHm18nmnzCJrtIHIDzD0JEgIA5CxVT3slPdSseidQVjVbvNkd0U3dcAl9nI9JogzBphuQnjDAzF-f4GY9_uUJXb-SUBQ2Aa0OnQet6hVNG7Gymke1uKplHQA2jCNxNpXmo-lRvtYUlJDk0lydjDrnUD8dF9SC2ECdrrtOeFjD3YHOURUWMED66A5BMCojLBk7Hch2kwARwFxEkF73fOPdeN8H0YxRcRaSJADhUm4RIT3X0420QTzXY2PgRQ-V8rxHxw7agIPzTDflPg0BzPoQtTKFPBhoDxopHBiIf_Fv4yuGMiT_4wn4nAgOyvU00e62BIYcSESTDgi-zAyEUmuJWcSSfQmpEKsBRCmc-ELiJAqw5RcRZhOTZZYtgb-bjafCsw-PLuCQWipSRFYSVRhhpbNAwbEGQbI1hZxkMmKDyiP0yxQA6-zJq56rgLaBry_7vbDhMEe-yRYABZuTG3YUyaiD9GZmGJHe3xkII63Z2r1qU3rbrsTAKXG2UJR1qguWyoh4N4dezmLY6Ifmb3gtwiXIYVUOgqhYc-eZPrgtH_bLjvP8TovnERGu7aFjVwxDgIvqhIoyEwnniof0rhDvsJ2uaCt9V84o9UjQyYVbmEeN5ejYT7h3RDE2xDCROd0b1pBiyr-kcQTGo3daUEwXh92j7zr8TEt41Ru4rE_7Vrd8gEja5XVbkMd4wSEwAyf5aZkhsgCTCNnPY922NxUfGLSbTo6l6nEPhDpYqCDWPqJ2lwyYQ0a3LnllOGjBEmb2krtmV0LNJlB5Oh7GC8cIuyVdFUa2BRm9dFhEg-nIU43gy4bRifcMsta13w7X8O0gU_E1eHf2aSIsU3Iomn39iGgitN034bylczXp80UZnQweSUK1D6ZGOBlneTzAwBmMBECPYr41pZh_vRlFVK3-nggI_pIap_H-bE68z5xwtPaY1fi_BGQsO9Vp-UjtxMGqKjysysWJGwHGzaVZemm03ganK&state=5QZPxw-cxP5IXUoetGL5h7wndkU4y4XxGkpIyGgbOKM&session_state=007bc799-b35c-a3d6-195f-bed78c1a8b26 HTTP/1.1" 302 Found
INFO: 10.0.0.250:50452 - "POST /token HTTP/1.1" 200 OK
[10/26/25 17:53:45] INFO Bearer token rejected for client 45f8ab5d-b076-44da-b33b-242a00e9ae44 jwt.py:456
INFO: 10.0.0.250:50466 - "POST /mcp/ HTTP/1.1" 307 Temporary Redirect
INFO: 10.0.0.250:50468 - "POST /mcp HTTP/1.1" 401 Unauthorized
INFO Auth error returned: invalid_token (status=401) middleware.py:92
INFO: 10.0.0.250:60930 - "POST /mcp HTTP/1.1" 401 Unauthorized
[10/26/25 17:54:15] INFO Auth error returned: invalid_token (status=401) middleware.py:92
INFO: 10.0.0.250:60942 - "GET /.well-known/oauth-authorization-server HTTP/1.1" 200 OK
INFO: 10.0.0.250:60946 - "POST /register HTTP/1.1" 201 Created
----------------client logs--------------------

[10/26/25 17:53:38] INFO OAuth authorization URL: oauth.py:244
https://mcp-auth-chocole.nutc-imac.com/authorize?response_type=code&client_id=ea0db73e-7d72-4cf3-9e34-5c352607b29f&redirect_uri=http%3A%2F
%2Flocalhost%3A11379%2Fcallback&state=qpxNupDNXyTIkudvg_KCfrXLrhPbT9xFXaxiPHEIOSc&code_challenge=LjWDxcGiF1rk_yPbEDiFi_Ih5QPW9se-cI4AS_sP2
mY&code_challenge_method=S256&resource=https%3A%2F%2Fmcp-auth-chocole.nutc-imac.com&scope=api%3A%2F%2F45f8ab5d-b076-44da-b33b-242a00e9ae44
%2Fread+api%3A%2F%2F45f8ab5d-b076-44da-b33b-242a00e9ae44%2Fwrite
INFO 🎧 OAuth callback server started on http://localhost:11379 oauth.py:264
Traceback (most recent call last):
File "C:\PycharmProjects\mcp-auth-flow\mcp_client.py", line 18, in
asyncio.run(main())
File "C:\Users\ASUS\AppData\Local\Programs\Python\Python312\Lib\asyncio\runners.py", line 194, in run
return runner.run(main)
^^^^^^^^^^^^^^^^
File "C:\Users\ASUS\AppData\Local\Programs\Python\Python312\Lib\asyncio\runners.py", line 118, in run
return self._loop.run_until_complete(task)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Users\ASUS\AppData\Local\Programs\Python\Python312\Lib\asyncio\base_events.py", line 687, in run_until_complete
return future.result()
^^^^^^^^^^^^^^^
File "C:\PycharmProjects\mcp-auth-flow\mcp_client.py", line 7, in main
async with Client("https://mcp-auth-chocole.nutc-imac.com/mcp/", auth="oauth") as client:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\PycharmProjects\mcp-auth-flow.venv\Lib\site-packages\fastmcp\client\client.py", line 374, in aenter
return await self._connect()
^^^^^^^^^^^^^^^^^^^^^
File "C:\PycharmProjects\mcp-auth-flow.venv\Lib\site-packages\fastmcp\client\client.py", line 418, in _connect
raise exception
File "C:\PycharmProjects\mcp-auth-flow.venv\Lib\site-packages\fastmcp\client\client.py", line 481, in _session_runner
await stack.enter_async_context(self._context_manager())
File "C:\Users\ASUS\AppData\Local\Programs\Python\Python312\Lib\contextlib.py", line 659, in enter_async_context
result = await _enter(cm)
^^^^^^^^^^^^^^^^
File "C:\Users\ASUS\AppData\Local\Programs\Python\Python312\Lib\contextlib.py", line 210, in aenter
return await anext(self.gen)
^^^^^^^^^^^^^^^^^^^^^
File "C:\PycharmProjects\mcp-auth-flow.venv\Lib\site-packages\fastmcp\client\client.py", line 353, in _context_manager
with catch(get_catch_handlers()):
^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\PycharmProjects\mcp-auth-flow.venv\Lib\site-packages\exceptiongroup_catch.py", line 39, in exit
raise unhandled from exc.cause
File "C:\PycharmProjects\mcp-auth-flow.venv\Lib\site-packages\exceptiongroup_catch.py", line 65, in handle_exception
result = handler(matched)
^^^^^^^^^^^^^^^^
File "C:\PycharmProjects\mcp-auth-flow.venv\Lib\site-packages\fastmcp\utilities\exceptions.py", line 29, in _exception_handler
raise leaf
File "C:\PycharmProjects\mcp-auth-flow.venv\Lib\site-packages\mcp\client\streamable_http.py", line 409, in handle_request_async
await self._handle_post_request(ctx)
File "C:\PycharmProjects\mcp-auth-flow.venv\Lib\site-packages\mcp\client\streamable_http.py", line 278, in _handle_post_request
response.raise_for_status()
File "C:\PycharmProjects\mcp-auth-flow.venv\Lib\site-packages\httpx_models.py", line 829, in raise_for_status
raise HTTPStatusError(message, request=request, response=self)
httpx.HTTPStatusError: Client error '401 Unauthorized' for url 'http://mcp-auth-chocole.nutc-imac.com/mcp'
For more information check: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/401

Example Code

-------------------server-----------------------
from fastmcp import FastMCP
from fastmcp.contrib.mcp_mixin import mcp_tool
from fastmcp.server.dependencies import get_access_token
from fastmcp.server.auth.providers.azure import AzureProvider


auth_provider = AzureProvider(
    client_id="{client_id}",
    client_secret="{client_secret}",
    tenant_id="{tenant_id}",
    base_url="{base_url}",
    required_scopes=["read",
                     "write"],
    redirect_path="/auth/callback",
    

)

mcp = FastMCP(name="Azure Secured App", auth=auth_provider)

# 這個工具只有登入 Azure 才能呼叫
@mcp_tool
async def get_user_info() -> dict:
    token = get_access_token()
    return {
        "azure_id": token.claims.get("sub"),
        "email": token.claims.get("email"),
        "name": token.claims.get("name")
    }

if __name__ == "__main__":
    mcp.run(
        transport="http",
        host="0.0.0.0",
        port=1024
    )



-----------------client------------------------

from fastmcp import Client
import asyncio


async def main():
    # The client will automatically handle Azure OAuth
    async with Client("https://{domain-name}/mcp/", auth="oauth") as client:
        # First-time connection will open Azure login in your browser
        print("✓ Authenticated with Azure!")

        # Test the protected tool
        result = await client.call_tool("get_user_info")
        print(f"Azure user: {result['email']}")
        print(f"Name: {result['name']}")


if __name__ == "__main__":
    asyncio.run(main())

Version Information

fastmcp 2.13.0

[marvin-context-protocol]

Found 2 possible duplicate issues:

1. 2.13.0 RC2: EntraID auth tokens are failing verification - no RS256 algorithm found in JsonWebSignature used #2197: 2.13.0 RC2: EntraID auth tokens are failing verification - no RS256 algorithm found in JsonWebSignature used
2. FastMCP Azure Provider Auth Failed for Github Copilot in VS Code #1993: FastMCP Azure Provider Auth Failed for Github Copilot in VS Code

This issue will be automatically closed as a duplicate in 3 days.

• If your issue is a duplicate, please close it and 👍 the existing issue instead
• To prevent auto-closure, add a comment or 👎 this comment

[jlowin]

Thanks for reporting - I can replicate

[jlowin]

I think this is a different incarnation of #2151 and a complication from #2243, will have a fix shortly and release it

[Chocolee-1024]

Thank you for the quick fix and for addressing this issue so efficiently.
I really appreciate your support, the clear explanation, and the fast turnaround.
Thanks again for your hard work and dedication!