Describe the bug
We are using the C# SDK to build our MCP server and host it in AKS, where it is OAuth-protected. When we add the server in the GitHub CLI at the beginning, the auth works fine. But when refresh_token is called after ~1 hour (when the access token expires) and the SDK attempts a silent refresh, the call fails with AADSTS9010010 (The resource parameter provided in the request doesn't match with the requested scopes).
To Reproduce
Steps to reproduce the behavior:
- Add an HTTP MCP server protected by OAuth (I used an internal Microsoft tenant to register an app to protect the MCP endpoint). The metadata looks like below
// JWT bearer validates incoming tokens; the MCP scheme issues the 401 challenge
// that points clients at the protected-resource metadata document.
builder.Services.AddAuthentication(options =>
{
    options.DefaultChallengeScheme = McpAuthenticationDefaults.AuthenticationScheme;
    options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(options =>
{
    options.MapInboundClaims = false;
    options.Authority = $"{instance}/{tenantId}/v2.0";
    options.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuer = true,
        ValidateAudience = true,
        ValidateLifetime = true,
        ValidateIssuerSigningKey = true,
        // v2.0 tokens carry the client ID as aud, v1.0 tokens carry the
        // Application ID URI (apiAppName renders as api://my_app_name below).
        ValidAudiences = new[] { EntraAppConstants.APIAppClientId, apiAppName },
        // Both the v2.0 and the legacy sts.windows.net issuer forms, for two tenants.
        ValidIssuers = new[]
        {
            $"{instance}/{tenantId}/v2.0",
            $"https://sts.windows.net/{tenantId}/",
            $"{instance}/{ameTenantId}/v2.0",
            $"https://sts.windows.net/{ameTenantId}/",
        },
        NameClaimType = "name",
        RoleClaimType = "roles",
    };
    options.MetadataAddress = $"{instance}/{tenantId}/v2.0/.well-known/openid-configuration";
})
.AddMcp(options =>
{
    // Published at /.well-known/oauth-protected-resource; clients read
    // authorization_servers and scopes_supported from here.
    var metadata = new ModelContextProtocol.Authentication.ProtectedResourceMetadata
    {
        AuthorizationServers = { $"{instance}/{tenantId}/v2.0", $"{instance}/{ameTenantId}/v2.0" },
        ScopesSupported = [$"{apiAppName}/my_scope"],
    };
    options.ResourceMetadata = metadata;
});
{
  "resource": "https://mcp.******.azure.com/",
  "authorization_servers": [
    "https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/v2.0",
    "https://login.microsoftonline.com/**************/v2.0"
  ],
  "bearer_methods_supported": [
    "header"
  ],
  "scopes_supported": [
    "api://my_app_name/my_scope"
  ]
}
- Connect to the MCP server from the CLI and complete the first-time auth, do some tool-calling activity, and leave the CLI open for an hour. After an hour, come back and try another tool call; the call will fail with an auth error.
Additional context
Seems the same issue is present for the Python SDK too: 2578
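To pin down which request combination triggers AADSTS9010010, it helps to model the refresh exchange locally. The following is an added diagnostic script, not code from the MCP C# SDK or from the issue. It assumes (the issue shows the error but not the request body) that the silent refresh sends the protected-resource metadata's `resource` value as an RFC 8707 resource indicator alongside the `api://my_app_name/my_scope` scope; Entra encodes the resource in the scope itself, so a `resource` value that differs from the scope's prefix is the mismatch the error describes. The tenant, client ID and `https://mcp.example.azure.com/` resource URL are constructed placeholders, and `simulated_entra_token_endpoint` only models that one rule; `send_with_urllib` is the transport to use against a live tenant.

```python
"""Model an OAuth 2.0 refresh_token grant against the Entra v2.0 token endpoint and
check whether an RFC 8707 `resource` indicator agrees with the requested scopes."""
import json
import re
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional

# Constructed placeholders, not real identifiers (assumption for this example).
TENANT = "contoso.onmicrosoft.com"
TOKEN_ENDPOINT = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
MCP_SCOPE = "api://my_app_name/my_scope"          # scopes_supported value from the issue
RESOURCE_URL = "https://mcp.example.azure.com/"   # stands in for the masked "resource" value

OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}
AADSTS_RE = re.compile(r"\b(AADSTS\d+)\b")


def scope_resource(scope: str) -> Optional[str]:
    """Resource part of an Entra scope: "api://app/my_scope" -> "api://app".
    OIDC scopes carry no resource and return None."""
    if scope in OIDC_SCOPES:
        return None
    head, sep, _name = scope.rpartition("/")
    return head if sep else None


def mismatched_scopes(resource: Optional[str], scopes: List[str]) -> List[str]:
    """Scopes whose resource differs from the `resource` indicator being sent.
    A non-empty result is the client-side precondition for AADSTS9010010."""
    if resource is None:
        return []
    wanted = resource.rstrip("/")
    return [s for s in scopes if scope_resource(s) not in (None, wanted)]


def build_refresh_request(refresh_token: str, scopes: List[str],
                          resource: Optional[str] = None) -> Dict[str, str]:
    """Form body of a refresh_token grant (RFC 6749 section 6), optionally carrying
    an RFC 8707 resource indicator as the SDK is assumed to do."""
    form = {
        "grant_type": "refresh_token",
        "client_id": CLIENT_ID,
        "refresh_token": refresh_token,
        "scope": " ".join(scopes),
    }
    if resource is not None:
        form["resource"] = resource
    return form


def simulated_entra_token_endpoint(form: Dict[str, str]) -> Dict[str, object]:
    """Offline stand-in for the token endpoint (constructed). It models only the
    rule the issue reports: resource indicator must agree with the scopes."""
    scopes = form.get("scope", "").split()
    if mismatched_scopes(form.get("resource"), scopes):
        return {
            "error": "invalid_request",
            "error_description": "AADSTS9010010: The resource parameter provided in the "
                                 "request doesn't match with the requested scopes.",
        }
    return {"token_type": "Bearer", "expires_in": 3599,
            "scope": form["scope"], "access_token": "eyJ.constructed.token"}


def send_with_urllib(form: Dict[str, str], url: str = TOKEN_ENDPOINT) -> Dict[str, object]:
    """Real transport for a live tenant (needs network; not exercised offline).
    Entra answers with JSON on both 200 and 400, so both bodies are parsed."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data, method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.load(err)


def refresh_and_diagnose(send: Callable[[Dict[str, str]], Dict[str, object]],
                         refresh_token: str, scopes: List[str],
                         resource: Optional[str] = None) -> Dict[str, object]:
    """Run the grant and tie any AADSTS code to the resource/scope combination sent."""
    form = build_refresh_request(refresh_token, scopes, resource)
    response = send(form)
    match = AADSTS_RE.search(str(response.get("error_description", "")))
    return {
        "ok": "access_token" in response,
        "aadsts": match.group(1) if match else None,
        "mismatched": mismatched_scopes(resource, scopes),
        "response": response,
    }


if __name__ == "__main__":
    scopes = [MCP_SCOPE, "offline_access"]
    for res in (RESOURCE_URL, "api://my_app_name", None):
        result = refresh_and_diagnose(simulated_entra_token_endpoint, "rt-constructed", scopes, res)
        print(f"resource={res!r:40} ok={result['ok']} aadsts={result['aadsts']} "
              f"mismatched={result['mismatched']}")
```

Swap `simulated_entra_token_endpoint` for `send_with_urllib` with a real refresh token to replay the same three variants against the tenant; the variant that returns AADSTS9010010 is the one the SDK is sending, and `mismatched` shows which scope disagrees with the `resource` value before the request ever leaves the client.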