Description
Hi, I just checked out the 0.3.0-preview.3 release and modified the ProtectedMCPServer and ProtectedMCPClient samples to use MS Entra-ID as the OAuth server (see code snippets below).

The URL that is created by the MCP server for starting the OAuth flow looks like this:

```
https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize?client_id=xxxxx&redirect_uri=http%3a%2f%2flocalhost%3a1179%2fcallback&response_type=code&code_challenge=q09KNTJ_gyVsLnvjSSX46MYl_DcPTuNhosF6U5n9KOs&code_challenge_method=S256&resource=http%3a%2f%2flocalhost%3a7077%2f&scope=api%3a%2f%xxxx-xxxxx-xxxxx%2fmcp.tools
```

This URL contains a `resource` and a `scope` parameter.
But MS Entra-ID complains about the `resource` parameter, as in OAuth 2.0 the `scope` parameter should be used:

```
AADSTS901002: The 'resource' request parameter is not supported.
```

What is your idea or hint to solve this problem?
My changes:
Client: I added the ClientId which I configured in the Azure portal:

```csharp
var transport = new SseClientTransport(new()
{
    Endpoint = new Uri(serverUrl),
    Name = "Secure Weather Client",
    OAuth = new()
    {
        ClientName = "ProtectedMcpClient",
        ClientId = "xxxx-xxxxx-xxxx-xxxx",
        RedirectUri = new Uri("http://localhost:1179/callback"),
        AuthorizationRedirectDelegate = HandleAuthorizationUrlAsync,
    }
}, httpClient, consoleLoggerFactory);
```

Server:

Changed the OAuth server URL:

```csharp
var inMemoryOAuthServerUrl = "https://login.microsoftonline.com/<tenant-id>/v2.0";
```

Changed ScopesSupported analogously to the Azure Portal definition:

```csharp
ScopesSupported = ["api://7e7eaf63-375a-4a0d-9872-574fdb5e08d6/mcp.tools"],
```

Thanks
Markus
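
An added example, not part of the original issue or of the SDK's samples: a C# pre-flight check that can be run on the generated authorization URL before the browser is opened, listing the request parameters worth reviewing, including the `resource` parameter that the endpoint rejected in this report. The class name `AuthorizeUrlCheck`, the host, and the client and scope ids in the sample URL are constructed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;
using System.Web;

static class AuthorizeUrlCheck
{
    // Returns review findings for an OAuth 2.0 authorization-code request URL.
    public static List<string> Inspect(Uri authorizeUrl)
    {
        var q = HttpUtility.ParseQueryString(authorizeUrl.Query);
        var findings = new List<string>();

        if (q["response_type"] != "code")
            findings.Add("response_type is not 'code'");

        // PKCE: an S256 challenge is base64url(SHA-256(verifier)), 43 chars, unpadded.
        if (q["code_challenge_method"] != "S256")
            findings.Add("PKCE method is not S256");
        else if (!Regex.IsMatch(q["code_challenge"] ?? "", "^[A-Za-z0-9_-]{43}$"))
            findings.Add("code_challenge is not a 43-character base64url value");

        // Plain http is only acceptable for a loopback redirect (native client).
        if (!Uri.TryCreate(q["redirect_uri"], UriKind.Absolute, out var redirect))
            findings.Add("redirect_uri is missing or not an absolute URI");
        else if (redirect.Scheme != Uri.UriSchemeHttps && !redirect.IsLoopback)
            findings.Add("redirect_uri uses plain http on a non-loopback host");

        if (string.IsNullOrWhiteSpace(q["scope"]))
            findings.Add("scope is missing");

        // RFC 8707 resource indicator: the endpoint in this report refused it.
        if (q["resource"] is string resource)
            findings.Add($"resource={resource} is sent (rejected here with AADSTS901002)");

        return findings;
    }

    static void Main()
    {
        // Constructed sample shaped like the URL in the report; ids are placeholders.
        var url = new Uri("https://login.example.test/tenant/oauth2/v2.0/authorize"
            + "?client_id=placeholder&redirect_uri=http%3a%2f%2flocalhost%3a1179%2fcallback"
            + "&response_type=code&code_challenge=q09KNTJ_gyVsLnvjSSX46MYl_DcPTuNhosF6U5n9KOs"
            + "&code_challenge_method=S256&resource=http%3a%2f%2flocalhost%3a7077%2f"
            + "&scope=api%3a%2f%2fplaceholder%2fmcp.tools");
        foreach (var finding in Inspect(url)) Console.WriteLine(finding);
    }
}
```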