fix(client): forward User-Agent through OAuth auth flow #2526

Open
Genmin wants to merge 4 commits into modelcontextprotocol:main from Genmin:fix/streamable-http-auth-user-agent-1664

Genmin commented May 1, 2026

What

  • Forward the original transport User-Agent header onto OAuth-generated discovery, registration, refresh, and token requests.
  • Add a regression that walks the auth generator through PRM discovery, OASM discovery, dynamic client registration, and token exchange while asserting the custom User-Agent is preserved.

Why

Streamable HTTP callers can configure a custom User-Agent on their HTTP client, but OAuth requests are created inside the auth provider as fresh httpx.Request instances. Those generated requests dropped the caller's user agent, which breaks deployments behind WAF rules that require it.

Fixes #1664

Tests

  • uv run pytest tests/client/test_auth.py -k user_agent -q
  • uv run pytest tests/client/test_auth.py -q
  • uv run ruff check src/mcp/client/auth/oauth2.py tests/client/test_auth.py
  • uv run ruff format --check src/mcp/client/auth/oauth2.py tests/client/test_auth.py
  • git diff --check

Genmin commented May 1, 2026

Pushed a follow-up for the coverage blocker. The full-flow exception path is now covered directly, so the auth flow still logs OAuth flow error and re-raises while keeping the repo-wide coverage gate strict.

Validation:

  • uv run pytest tests/client/test_auth.py -q -> 98 passed, 1 xfailed
  • uv run ruff check src/mcp/client/auth/oauth2.py tests/client/test_auth.py -> passed
  • uv run ruff format --check src/mcp/client/auth/oauth2.py tests/client/test_auth.py -> passed
  • uv run coverage run -m pytest -n auto -> 1174 passed, 98 skipped, 1 xfailed
  • uv run coverage combine
  • uv run coverage report -> 100.00%
  • uv run strict-no-cover -> passed
  • git diff --check -> passed

Genmin commented May 1, 2026

Follow-up pushed for the pre-commit/pyright failure: the new caplog fixture is now typed as pytest.LogCaptureFixture.

Validated locally after the update:

  • uv run pyright tests/client/test_auth.py
  • uv run pytest tests/client/test_auth.py::TestAuthFlow::test_auth_flow_logs_and_reraises_oauth_errors -q
  • uv run pytest tests/client/test_auth.py -q
  • uv run ruff check src/mcp/client/auth/oauth2.py tests/client/test_auth.py
  • uv run ruff format --check src/mcp/client/auth/oauth2.py tests/client/test_auth.py
  • git diff --check

One local note: uv run pre-commit run pyright --files tests/client/test_auth.py currently exits before running pyright because the cached pre-commit-hooks manifest has an unsupported stages: [pre-commit] entry for this local pre-commit version. Direct pyright is clean and matches the CI error this commit addresses.

Genmin force-pushed the fix/streamable-http-auth-user-agent-1664 branch from 3d641bf to 78eafac on May 1, 2026 05:25

Development

Successfully merging this pull request may close these issues.

User-Agent header in sHTTP transport is not forwarded to auth flow