[mcp-adapters] MultiServerMCPClient should enhance MCPClientError to expose WWW-Authenticate header when receiving a 401 error #8196
Comments
Thanks for the excellent write-up, @embesozzi! I'll try to get to this within the week, unless someone beats me to it with a PR first.
Migrating issues over to
BREAKING_CHANGE: Drops the `useNodeEventSource` flag and stops passing an empty eventSourceInit object to Streamable HTTP and SSE transport constructors. If there continues to be header passing issues as a result of the way `SSEClientTransport` and `StreamableHTTPClientTransport` handle EventSource initialization, the correct fix will be to PR a change to the MCP SDK that changes how headers are populated on EventSource initialization. fixes #8196 fixes #8194
@embesozzi unfortunately the TypeScript MCP SDK does not expose HTTP response headers when it throws errors related to HTTP response codes. It instead allows for OAuth authentication via a different mechanism, the See changes in #8239 for more info.
@benjamincburns OK, I'll explore those approaches. In parallel, I created a new discussion in the MCP repo to highlight that, since we're talking about OAuth 2.0, this will likely be a common requirement to support as a feature.
Feature Description
The MCP Server is protected by OAuth 2.0 [1] and typically acts as an OAuth 2.0 resource server. According to the OAuth 2.0 standard, when the resource server returns an error, it should include a WWW-Authenticate header [2].
[1] https://modelcontextprotocol.io/specification/2025-03-26
[2] https://www.rfc-editor.org/rfc/rfc6750.html
Use Case
When the MCP Server fails, it currently returns an MCPClientError with just a generic 401 error, without exposing the WWW-Authenticate header. This makes it difficult for clients to understand the reason for the failure and to react accordingly, such as initiating step-up authentication or requesting additional scopes. The server should expose the header so that the MCP client can properly handle the error in compliance with the OAuth 2.0 specification.
Proposed Solution
Add the WWW-Authenticate header to the error.
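What a client could do with the header once it is exposed, as an added example in plain JavaScript that is not part of the original issue and is not LangChain or MCP SDK code: it parses an RFC 6750 Bearer challenge and picks a reaction from the error code. The function names `parseBearerChallenge` and `nextAuthStep`, the action labels and the sample scope names are hypothetical, and only a single Bearer challenge per header value is handled.

```javascript
// Added example; function names and sample values are hypothetical/constructed.
// Parses one Bearer challenge (RFC 6750 section 3) from a WWW-Authenticate value.
function parseBearerChallenge(headerValue) {
  const m = /^\s*Bearer(?:\s+(.*))?$/is.exec(headerValue ?? "");
  if (!m) return null; // header absent, or a scheme other than Bearer
  const params = new Map(); // Map avoids prototype keys such as "__proto__"
  // auth-param = name "=" ( token / quoted-string ). Quoted strings may hold
  // commas and backslash-escaped characters, so splitting on "," is not enough.
  const re = /([^\s=,"]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))/g;
  for (const [, key, quoted, bare] of (m[1] ?? "").matchAll(re)) {
    const name = key.toLowerCase();
    if (params.has(name)) continue; // first occurrence wins
    params.set(name, quoted !== undefined ? quoted.replace(/\\(.)/g, "$1") : bare);
  }
  return params;
}

// Maps the challenge to a client reaction, following the RFC 6750 error codes.
function nextAuthStep(status, headerValue) {
  if (status !== 401 && status !== 403) return { action: "none" };
  const challenge = parseBearerChallenge(headerValue);
  if (!challenge) return { action: "fail", reason: "no Bearer challenge" };
  const scope = (challenge.get("scope") ?? "").split(" ").filter(Boolean);
  const error = challenge.get("error");
  switch (error) {
    case undefined: // no error code: the request carried no credentials
      return { action: "authenticate", scope };
    case "invalid_token": // expired, revoked or malformed token
      return { action: "refresh_or_reauthenticate", scope };
    case "insufficient_scope": // token valid, but its scope is too narrow
      return { action: "request_scopes", scope };
    default: // invalid_request or an unknown code: do not retry blindly
      return { action: "fail", reason: error };
  }
}

// Constructed sample header. error_description is server-controlled text:
// log it, but never render it unescaped or use it to drive control flow.
const SAMPLE_CHALLENGE =
  'Bearer realm="mcp", error="insufficient_scope", ' +
  'scope="mcp:tools mcp:admin", error_description="Needs \\"admin\\", see docs"';

console.log(nextAuthStep(401, SAMPLE_CHALLENGE));
```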