fix(auth): forward user-agent to oauth flow requests #2077

Open
mrutunjay-kinagi wants to merge 4 commits into modelcontextprotocol:main from mrutunjay-kinagi:fix-1664-forward-user-agent-auth-flow

@mrutunjay-kinagi

Summary

  • forward caller User-Agent from the original MCP request into OAuth flow sub-requests
  • apply forwarding to PRM discovery, auth server metadata discovery, dynamic client registration, and token exchange/refresh requests
  • add regression coverage ensuring forwarded User-Agent is preserved throughout the 401 -> OAuth handshake path

Why

Fixes missing User-Agent propagation in Streamable HTTP auth flow requests, which can break environments that enforce WAF rules requiring User-Agent headers.

Closes #1664

Validation

  • pytest -q tests/client/test_auth.py -k "forwards_user_agent or auth_flow_with_no_tokens"
  • ruff check src/mcp/client/auth/oauth2.py tests/client/test_auth.py
  • ruff format --check src/mcp/client/auth/oauth2.py tests/client/test_auth.py
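
The forwarding behaviour described in the summary above, as an added illustration that is not code from this PR or from the SDK: a standard-library model of the 401 -> OAuth handshake in which a stand-in WAF rule rejects any request without a User-Agent. `Request`, `user_agent`, `auth_flow`, `run`, the host names and the `/register` and `/token` paths are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Constructed hosts; /.well-known paths per RFC 9728 / RFC 8414, the rest hypothetical.
SUB_REQUESTS = [
    "https://mcp.example/.well-known/oauth-protected-resource",
    "https://auth.example/.well-known/oauth-authorization-server",
    "https://auth.example/register",
    "https://auth.example/token",
]

@dataclass
class Request:
    url: str
    headers: dict = field(default_factory=dict)

def user_agent(request):
    """Case-insensitive User-Agent lookup; None when absent or blank."""
    for name, value in request.headers.items():
        if name.lower() == "user-agent" and value.strip():
            return value
    return None

def auth_flow(original, forward_user_agent):
    """Yield each request of the handshake and receive its status back."""
    status = yield original
    if status != 401:
        return
    ua = user_agent(original) if forward_user_agent else None
    for url in SUB_REQUESTS:
        status = yield Request(url, {"User-Agent": ua} if ua else {})
        if status != 200:
            return  # handshake aborted, here because the WAF blocked it
    original.headers["Authorization"] = "Bearer constructed-token"
    yield original  # retry the original request with the token

def run(forward_user_agent):
    """Drive the flow and return [(url, status)] for every request sent."""
    original = Request("https://mcp.example/mcp", {"User-Agent": "my-client/1.0"})
    flow, log = auth_flow(original, forward_user_agent), []
    request = next(flow)
    while True:
        # Stand-in WAF rule: 403 for any request without a User-Agent.
        status = 200 if user_agent(request) else 403
        if request is original and status == 200:
            status = 200 if "Authorization" in request.headers else 401
        log.append((request.url, status))
        try:
            request = flow.send(status)
        except StopIteration:
            return log
```

`run(False)` stops at the first discovery request with a 403, while `run(True)` completes all four sub-requests and the retried original request.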

@mrutunjay-kinagi

Thanks for sharing this run.

I pushed a follow-up commit (40f173f) to address the failure pattern shown there:

  • removed a stale # pragma: no cover on tests/client/test_auth.py:48 that is now exercised by the new auth-flow test.

That was what caused Linux matrix failures in that run under strict-no-cover.

@mrutunjay-kinagi

mrutunjay-kinagi commented Feb 18, 2026

Follow-up commit 40f173f addressed the previous Linux strict-no-cover failure, and all checks are now green.

@Kludex Ready for review. Thanks!

@mrutunjay-kinagi

Follow-up on CI run https://github.com/modelcontextprotocol/python-sdk/actions/runs/22261553587 (job 64400559254):

  • Only checks / test (3.13, locked, windows-latest) failed.
  • Failure appears unrelated/flaky (not in auth-flow code path):
      • tests/client/test_stdio.py::TestChildProcessCleanup::test_early_parent_exit (AssertionError: Child should be writing)
      • tests/client/transports/test_memory.py::test_raise_exceptions
  • Workflow conclusion is success and all-green passed, but this stale failed check remains visible.

I don't have permission to rerun upstream Actions jobs from CLI. If needed, a maintainer rerun of the failed job should clear this.

@maxisbey added the bug (Something isn't working), auth (Issues and PRs related to Authentication / OAuth) and P2 (Moderate issues affecting some users, edge cases, potentially valuable feature) labels on Mar 5, 2026

@mrutunjay-kinagi

mrutunjay-kinagi commented Mar 24, 2026

@maxisbey: Please take a look at the PR and let me know what you think.

Development

Successfully merging this pull request may close these issues.

User-Agent header in sHTTP transport is not forwarded to auth flow