Fix redirect_uri handling

praboud-ant · praboud-ant · commit 482149e094ff · 2025-03-25T09:15:51.000-07:00
diff --git a/src/mcp/server/auth/handlers/authorize.py b/src/mcp/server/auth/handlers/authorize.py
@@ -197,6 +197,7 @@ async def error_response(
                 scopes=scopes,
                 code_challenge=auth_request.code_challenge,
                 redirect_uri=redirect_uri,
+                redirect_uri_provided_explicitly=auth_request.redirect_uri is not None,
             )
 
             try:
diff --git a/src/mcp/server/auth/handlers/token.py b/src/mcp/server/auth/handlers/token.py
@@ -25,7 +25,7 @@ class AuthorizationCodeRequest(BaseModel):
     grant_type: Literal["authorization_code"]
     code: str = Field(..., description="The authorization code")
     redirect_uri: AnyHttpUrl | None = Field(
-        ..., description="Must be the same as redirect URI provided in /authorize"
+        None, description="Must be the same as redirect URI provided in /authorize"
     )
     client_id: str
     # we use the client_secret param, per https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1
@@ -158,7 +158,8 @@ async def handle(self, request: Request):
 
                 # verify redirect_uri doesn't change between /authorize and /tokens
                 # see https://datatracker.ietf.org/doc/html/rfc6749#section-10.6
-                if token_request.redirect_uri != auth_code.redirect_uri:
+                authorize_request_redirect_uri = auth_code.redirect_uri if auth_code.redirect_uri_provided_explicitly else None
+                if token_request.redirect_uri != authorize_request_redirect_uri:
                     return self.response(
                         TokenErrorResponse(
                             error="invalid_request",
diff --git a/src/mcp/server/auth/provider.py b/src/mcp/server/auth/provider.py
@@ -11,10 +11,11 @@
 
 
 class AuthorizationParams(BaseModel):
-    state: str | None = None
-    scopes: list[str] | None = None
+    state: str | None
+    scopes: list[str] | None
     code_challenge: str
     redirect_uri: AnyHttpUrl
+    redirect_uri_provided_explicitly: bool
 
 
 class AuthorizationCode(BaseModel):
@@ -24,6 +25,7 @@ class AuthorizationCode(BaseModel):
     client_id: str
     code_challenge: str
     redirect_uri: AnyHttpUrl
+    redirect_uri_provided_explicitly: bool
 
 
 class RefreshToken(BaseModel):
diff --git a/tests/server/fastmcp/auth/test_auth_integration.py b/tests/server/fastmcp/auth/test_auth_integration.py
@@ -64,6 +64,7 @@ async def authorize(
             client_id=client.client_id,
             code_challenge=params.code_challenge,
             redirect_uri=params.redirect_uri,
+            redirect_uri_provided_explicitly=params.redirect_uri_provided_explicitly,
             expires_at=time.time() + 300,
             scopes=params.scopes or ["read", "write"],
         )

Original file line number	Diff line number	Diff line change
`@@ -197,6 +197,7 @@ async def error_response(`
`197`	`197`	`scopes=scopes,`
`198`	`198`	`code_challenge=auth_request.code_challenge,`
`199`	`199`	`redirect_uri=redirect_uri,`
	`200`	`+ redirect_uri_provided_explicitly=auth_request.redirect_uri is not None,`
`200`	`201`	`)`
`201`	`202`
`202`	`203`	`try:`
Original file line number	Diff line number	Diff line change
`@@ -64,6 +64,7 @@ async def authorize(`
`64`	`64`	`client_id=client.client_id,`
`65`	`65`	`code_challenge=params.code_challenge,`
`66`	`66`	`redirect_uri=params.redirect_uri,`
	`67`	`+ redirect_uri_provided_explicitly=params.redirect_uri_provided_explicitly,`
`67`	`68`	`expires_at=time.time() + 300,`
`68`	`69`	`scopes=params.scopes or ["read", "write"],`
`69`	`70`	`)`