mcp icon indicating copy to clipboard operation
mcp copied to clipboard
verified publisher icon microsoft

[BUG] Remote: OAuth protected resource metadata has wrong protocol in ACA

Open vukelich opened this issue 1 month ago • 0 comments

Describe the bug

The HTTP 401 challenge for unauthenticated requests uses the incoming request protocol for crafting the resource_metadata value in the WWWAuthenticate as in https://github.com/microsoft/mcp/blob/493f8def1f37be543686ee9763be0774306d11c6/core/Azure.Mcp.Core/src/Areas/Server/Commands/ServiceStartCommand.cs#L412

The protocol for the URL is fine when the MCP server is being directly connected by the client, such as local development or App Service. ACA container apps would see the http protocol because that's the default behavior for the ACA environment's reverse proxy.

Expected behavior

resource_metadata value in the WWWAuthenticate should match the original client request, including both protocol and host name.

Actual behavior

On ACA apps, resource_metadata value in the WWWAuthenticate matches the correct host name but the protocol is http. This results in clients like VS Code calling a URL that fails.

Reproduction Steps

asdf

Environment

No response

vukelich avatar Nov 19 '25 03:11 vukelich