Skip to content

Fix Azure scope validation #2269

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
jlowin merged 3 commits into from
Oct 26, 2025
Merged

Fix Azure scope validation #2269

jlowin merged 3 commits into from
Oct 26, 2025

Conversation

@jlowin
Copy link
Owner

@jlowin jlowin commented Oct 26, 2025

Azure returns unprefixed scopes in JWT tokens (e.g., 'scp': 'read') but requires prefixed scopes in authorization requests (e.g., 'scope': 'api://xxx/read'). The previous implementation validated tokens against prefixed scopes, causing MCP clients to reject tokens with "invalid_token" errors.

Simplified AzureProvider to use standard JWTVerifier with unprefixed scopes. Scopes are only prefixed when building Azure's authorization URL via the _build_upstream_authorize_url() override.

Closes #2263

jlowin added 3 commits October 26, 2025 10:55
@jlowin
Update docs for required scopes
46c8836
@jlowin
add scopes
1028c94
@jlowin
Fix Azure scope validation
3a6e41d 
Azure returns unprefixed scopes in JWT tokens but requires prefixed scopes in authorization requests. The previous implementation incorrectly validated tokens against prefixed scopes, causing "invalid_token" errors.

Simplified AzureProvider to use standard JWTVerifier with unprefixed scopes for validation. Scopes are only prefixed when building the Azure authorization URL via _build_upstream_authorize_url() override.

Closes #2263
@marvin-context-protocol marvin-context-protocol bot added bug Something isn't working. Reports of errors, unexpected behavior, or broken functionality. auth Related to authentication (Bearer, JWT, OAuth, WorkOS) for client or server. server Related to FastMCP server implementation or server-side functionality. labels Oct 26, 2025
@jlowin jlowin merged commit ba47db9 into main Oct 26, 2025
13 checks passed
@jlowin jlowin deleted the azure branch October 26, 2025 15:41
@SupriyaNallapeta SupriyaNallapeta mentioned this pull request Oct 27, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

auth Related to authentication (Bearer, JWT, OAuth, WorkOS) for client or server. bug Something isn't working. Reports of errors, unexpected behavior, or broken functionality. server Related to FastMCP server implementation or server-side functionality.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

OAuth Token rejected (401 invalid_token) when using AzureProvider with FastMCP client

2 participants

@jlowin