Skip to content

[mcp-adapters] MultiServerMCPClient should enhance MCPClientError to expose WWW-Authenticate header when receiving a 401 error #8196

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
embesozzi opened this issue May 13, 2025 · 4 comments · Fixed by #8239
Labels
auto:improvement Medium size change to existing code to handle new use-cases help wanted This would make a good PR

Comments

@embesozzi
Copy link

embesozzi commented May 13, 2025

Feature Description

The MCP Server is protected by OAuth 2.0 [1] and typically acts as an OAuth 2.0 resource server. According to the OAuth 2.0 standard, when the resource server returns an error, it should include a WWW-Authenticate header [2].

[1] https://modelcontextprotocol.io/specification/2025-03-26
[2] https://www.rfc-editor.org/rfc/rfc6750.html

Use Case

When the MCP Server fails, it currently returns a MCPClientError just with generic 401 error without exposing the WWW-Authenticate header. This makes it difficult for clients to understand the reason for the failure and to react accordingly -such as initiating step-up authentication or requesting additional scopes. The server should expose the header so that the MCP client can properly handle the error in compliance with the OAuth 2.0 specification.

Proposed Solution

Add to error the WWW-Authenticate header.

if (error.name === "MCPClientError") {
   // Handle connection issues
   console.error(`Connection error (${error.serverName}):`, error.message , error.headers);
}
@embesozzi embesozzi changed the title MultiServerMCPClient should expose the WWW-Authenticate header when receiving a 401 error. MultiServerMCPClient should enhance MCPClientError to expose WWW-Authenticate header when receiving a 401 error May 13, 2025
@benjamincburns benjamincburns added the help wanted This would make a good PR label May 14, 2025
@benjamincburns
Copy link
Collaborator

Thanks for the excellent write-up, @embesozzi! I'll try to get to this within the week, unless someone beats me to it with a PR first.

@benjamincburns
Copy link
Collaborator

Migrating issues over to langchainjs monorepo, as we've moved this project over there.

@benjamincburns benjamincburns changed the title MultiServerMCPClient should enhance MCPClientError to expose WWW-Authenticate header when receiving a 401 error [mcp-adapters] MultiServerMCPClient should enhance MCPClientError to expose WWW-Authenticate header when receiving a 401 error May 16, 2025
@benjamincburns benjamincburns transferred this issue from langchain-ai/langchainjs-mcp-adapters May 16, 2025
@dosubot dosubot bot added the auto:improvement Medium size change to existing code to handle new use-cases label May 16, 2025
benjamincburns added a commit that referenced this issue May 23, 2025
BREAKING_CHANGE: Drops the `useNodeEventSource` flag and stops passing
an empty eventSourceInit object to Streamable HTTP and SSE transport
constructors. If there continues to be header passing issues as a result
of the way `SSEClientTransport` and `StreamableHTTPClientTransport`
handle EventSource initialization, the correct fix will be to PR a
change to the MCP SDK that changes how headers are populated on
EventSource initialization.

fixes #8196
fixes #8194
@benjamincburns
Copy link
Collaborator

benjamincburns commented May 23, 2025

@embesozzi unfortunately the TypeScript MCP SDK does not expose HTTP response headers when it throws errors related to HTTP response codes. It instead allows for OAuth authentication via a different mechanism, the authProvider option on StreamableHTTPClientTransport and SSEClientTransport.

See changes in #8239 for more info.

@embesozzi
Copy link
Author

@benjamincburns OK, I'll explore those approaches. In parallel, I created a new discussion in the MCP repo to highlight that, since we're talking about OAuth 2.0, this will likely be a common requirement to support as a feature.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
auto:improvement Medium size change to existing code to handle new use-cases help wanted This would make a good PR
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants