WWW-Authenticate header is not respected by Client SDK #1054

@yurikunash

Description

As per MCP specification:

MCP clients MUST be able to parse WWW-Authenticate headers and respond appropriately to HTTP 401 Unauthorized responses from the MCP server.

Link: https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization

At the same time, the Client SDK calculates the protected resource metadata URL and ignores the header:

    async def _discover_protected_resource(self) -> httpx.Request:
        """Build discovery request for protected resource metadata."""
        auth_base_url = self.context.get_authorization_base_url(self.context.server_url)
        url = urljoin(auth_base_url, "/.well-known/oauth-protected-resource")
        return httpx.Request("GET", url, headers={MCP_PROTOCOL_VERSION: LATEST_PROTOCOL_VERSION})

Link to the source code: https://github.com/modelcontextprotocol/python-sdk/blob/794218433656554deff37477c0bef8cb7deb40f6/src/mcp/client/auth.py#L206C5-L211C1

Example Code

Python & MCP Python SDK

Latest
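One way a client could honor the header before falling back to the computed well-known URL, shown as an added example that is not part of the original issue or the SDK's code. It assumes the server advertises the metadata location in the `resource_metadata` challenge parameter defined by RFC 9728; the function names, the sample header and the https-only policy are assumptions of this example.

```python
from __future__ import annotations

import re
from urllib.parse import urljoin, urlsplit

# RFC 9110 grammar: challenge = auth-scheme [ 1*SP auth-param *( "," auth-param ) ]
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# Either an auth-param (token = token / quoted-string) or a bare token (a scheme name).
_ITEM = re.compile(rf'({_TOKEN})\s*=\s*(?:"((?:[^"\\]|\\.)*)"|({_TOKEN}))|({_TOKEN})')

# Constructed sample of a 401 response header value (not taken from a real server).
SAMPLE_401 = ('Bearer realm="mcp", error="invalid_token", '
              'resource_metadata="https://mcp.example.com/.well-known/oauth-protected-resource/mcp"')


def parse_challenges(header: str) -> list[tuple[str, dict[str, str]]]:
    """Split a WWW-Authenticate value into (scheme, params) pairs.

    Quoted strings are consumed whole, so commas inside them do not split params.
    """
    challenges: list[tuple[str, dict[str, str]]] = []
    for match in _ITEM.finditer(header):
        key, quoted, bare, scheme = match.groups()
        if scheme is not None:
            challenges.append((scheme.lower(), {}))
        elif challenges:
            value = re.sub(r"\\(.)", r"\1", quoted) if quoted is not None else bare
            # First occurrence of a parameter wins within one challenge.
            challenges[-1][1].setdefault(key.lower(), value)
    return challenges


def resource_metadata_url(www_authenticate: str | None, server_url: str) -> str:
    """Prefer the URL named in the 401 challenge; otherwise use the well-known path."""
    fallback = urljoin(server_url, "/.well-known/oauth-protected-resource")
    for _scheme, params in parse_challenges(www_authenticate or ""):
        url = params.get("resource_metadata", "")
        parts = urlsplit(url)
        # Example policy (assumption): only accept absolute https URLs from the header.
        if parts.scheme == "https" and parts.netloc:
            return url
    return fallback


if __name__ == "__main__":
    print(resource_metadata_url(SAMPLE_401, "https://mcp.example.com/mcp"))
    print(resource_metadata_url(None, "https://mcp.example.com/mcp"))
```
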
