Skip to content

fix: preserve query params in OAuth authorization endpoint#2781

Closed
he-yufeng wants to merge 1 commit into
modelcontextprotocol:mainfrom
he-yufeng:fix/oauth-auth-endpoint-query
Closed

fix: preserve query params in OAuth authorization endpoint#2781
he-yufeng wants to merge 1 commit into
modelcontextprotocol:mainfrom
he-yufeng:fix/oauth-auth-endpoint-query

Conversation

@he-yufeng
Copy link
Copy Markdown

@he-yufeng he-yufeng commented Jun 4, 2026

Summary

Fixes #2776.

Some OAuth authorization server metadata includes an authorization_endpoint that already has query parameters. The client was building the redirect URL with a raw ?{urlencode(...)} append, which turns endpoints like:

https://test.salesforce.com/services/oauth2/authorize?prompt=select_account

into a malformed URL with a second question mark before the OAuth request parameters.

This uses httpx.URL.copy_merge_params() to add the OAuth request parameters through the URL parser instead of string concatenation, preserving existing endpoint query parameters.

Verification

uv run --no-sync pytest tests\client\test_auth.py::TestAuthFlow::test_authorization_endpoint_preserves_existing_query_params -q --basetemp .tmp\pytest-2776-one -p no:cacheprovider
uv run --no-sync pytest tests\client\test_auth.py -q --basetemp .tmp\pytest-2776-auth -p no:cacheprovider
uv run --no-sync ruff check --no-cache src\mcp\client\auth\oauth2.py tests\client\test_auth.py
uv run --no-sync ruff format --check --no-cache src\mcp\client\auth\oauth2.py tests\client\test_auth.py
uv run --no-sync pyright src\mcp\client\auth\oauth2.py tests\client\test_auth.py
git diff --check

@he-yufeng he-yufeng force-pushed the fix/oauth-auth-endpoint-query branch from e617b1f to c2c25d9 Compare June 4, 2026 07:50
@he-yufeng
Copy link
Copy Markdown
Author

he-yufeng commented Jun 4, 2026

Follow-up for the lowest-direct CI failure:

  • The failure was an existing test assertion that expected spaces in the scope query parameter to be encoded as +.
  • httpx.URL.copy_merge_params() can encode spaces as %20 with the lowest direct dependency set, which is still valid URL encoding.
  • I changed that assertion to parse the URL query and compare the decoded scope value instead.

Re-verified:

uv run --no-sync pytest tests\client\test_auth.py::TestAuthFlow::test_authorization_endpoint_preserves_existing_query_params tests\client\test_auth.py::TestAuthFlow::test_403_insufficient_scope_updates_scope_from_header -q --basetemp .tmp\pytest-2781-two -p no:cacheprovider
uv run --no-sync pytest tests\client\test_auth.py -q --basetemp .tmp\pytest-2781-auth2 -p no:cacheprovider
uv run --no-sync ruff check --no-cache src\mcp\client\auth\oauth2.py tests\client\test_auth.py
uv run --no-sync ruff format --check --no-cache src\mcp\client\auth\oauth2.py tests\client\test_auth.py
uv run --no-sync pyright src\mcp\client\auth\oauth2.py tests\client\test_auth.py
git diff --check

@he-yufeng
Copy link
Copy Markdown
Author

he-yufeng commented Jun 4, 2026

Closing this in favor of #2779, which already covers the same #2776 OAuth authorization endpoint query handling with a broader test matrix. I missed that duplicate before opening this PR.

@he-yufeng he-yufeng closed this Jun 4, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

OAuth handler doesn't support redirect URLs with params

1 participant

@he-yufeng