@jlowin jlowin commented Oct 23, 2025

OAuth error messages are now clearer and more actionable by introducing custom authorization handlers and authentication middleware that wrap the MCP SDK defaults.

When clients encounter authentication errors (unregistered client ID, invalid tokens), they now receive:

- Browser users: Styled HTML error pages with step-by-step recovery instructions
- API clients: JSON responses with helpful context and registration endpoint hints

Example JSON error:

{
  "error": "invalid_request",
  "error_description": "Client ID 'xxx' is not registered with this server. MCP clients should automatically re-register...",
  "registration_endpoint": "https://server.com/register"
}

The implementations use content negotiation to serve appropriate formats and maintain full OAuth 2.1 compliance.

OAuth Proxy authentication errors now show styled HTML error pages in browsers
instead of raw JSON, with content negotiation for API clients. Enhanced error
messages explain common causes (ephemeral storage, server restarts) and provide
clear remediation steps.

Changes:
- Created enhanced authorization handler that extends SDK's AuthorizationHandler
- Created enhanced auth middleware that extends SDK's RequireAuthMiddleware
- HTML error pages use server branding (icon, name) from FastMCP instance
- Added comprehensive troubleshooting section to OAuth Proxy docs
- Added FAQ entry linking to detailed troubleshooting

Tests cover:
- HTML error pages for browser requests with server branding
- Enhanced JSON responses with registration endpoint hints
- Content negotiation between HTML and JSON
- Enhanced middleware error messages for invalid_token
- WWW-Authenticate header format consistency with SDK
@marvin-context-protocol bot added the enhancement and auth labels Oct 23, 2025
@jlowin jlowin merged commit 562e51b into main Oct 23, 2025
8 checks passed
@jlowin jlowin deleted the enhance-oauth-error-responses branch October 23, 2025 01:29
@jlowin jlowin added this to the 2.13.0 milestone Oct 23, 2025
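
The content negotiation described in this PR, as an added example that is not FastMCP's or the MCP SDK's code: it picks HTML or JSON from the `Accept` header and escapes the request-supplied client ID before reflecting it into the HTML page. The function names, the 400 status, the wildcard rule and the shortened description wording are assumptions made for illustration.

```python
import html
import json


def prefers_html(accept: str) -> bool:
    """True only when the Accept header ranks text/html strictly above JSON."""
    best = {"text/html": 0.0, "application/json": 0.0}
    for part in accept.split(","):
        fields = [f.strip() for f in part.split(";")]
        media, q = fields[0].lower(), 1.0
        for param in fields[1:]:
            if param.lower().startswith("q="):
                try:
                    q = float(param[2:])
                except ValueError:
                    q = 0.0  # malformed weight: treat as "not acceptable"
        if media == "*/*":
            media = "application/json"  # assumption: wildcard falls back to JSON
        if media in best:
            best[media] = max(best[media], q)
    return best["text/html"] > best["application/json"]


def unregistered_client_error(accept, client_id, registration_endpoint, server_name):
    """Return (status, content_type, body) for an unknown client_id."""
    # Constructed wording, modelled on the example JSON error in the PR text.
    description = (
        f"Client ID '{client_id}' is not registered with this server. "
        "MCP clients should automatically re-register."
    )
    if prefers_html(accept):
        # client_id and server_name end up in markup, so escape both:
        # the client ID is attacker-controllable request input.
        body = (
            f"<!doctype html><html><head><title>{html.escape(server_name)}"
            "</title></head><body><h1>Client not registered</h1>"
            f"<p>{html.escape(description)}</p></body></html>"
        )
        return 400, "text/html; charset=utf-8", body
    body = json.dumps({
        "error": "invalid_request",
        "error_description": description,
        "registration_endpoint": registration_endpoint,
    })
    return 400, "application/json", body
```
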