fix: match complete www-authenticate auth params#3050

Open
pradeep-ramola wants to merge 1 commit into modelcontextprotocol:main from pradeep-ramola:pradeep-ramola/www-auth-param-boundary
Conversation

@pradeep-ramola

Fixes #3009

Updates extract_field_from_www_auth so it only matches complete WWW-Authenticate auth-param names. This prevents fields like scope from matching inside longer names such as error_scope or custom_scope, and prevents resource_metadata from matching inside x_resource_metadata.

Motivation and Context

The previous regex searched for the field name without a boundary, so a decoy parameter could shadow the real auth-param value or return a value when the requested parameter was not present.

This matters for OAuth discovery because resource_metadata from WWW-Authenticate controls the protected resource metadata URL selection.

How Has This Been Tested?

Tested locally with:

python -m pytest tests/client/test_auth.py -k WWWAuthenticate
python -m ruff check src/mcp/client/auth/utils.py tests/client/test_auth.py
python -m ruff format --check src/mcp/client/auth/utils.py tests/client/test_auth.py

Scenarios covered:

  • error_scope before real scope
  • custom_scope without real scope
  • x_resource_metadata before real resource_metadata
  • x_resource_metadata without real resource_metadata

Breaking Changes

None.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Additional context

The fix escapes the requested field name and requires it to appear at the start of the header or after an auth-param separator, so only complete auth-param names are matched.
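The boundary problem the PR describes, worked as an added example. This is my own code, not the project's extract_field_from_www_auth and not the PR's diff: naive_extract reproduces the unanchored substring search, extract_auth_param applies the "start of header or after an auth-param separator" boundary with the escaped field name, and parse_auth_params goes one step further and tokenises the whole challenge so that quoted values are consumed whole. The sample headers, the function names and the case-insensitive comparison of parameter names are my assumptions.

```python
import re
from typing import Optional

# Constructed sample headers (illustrative, not captured from any real server).
HEADER_DECOY_FIRST = (
    'Bearer error_scope="decoy", scope="files:read", '
    'x_resource_metadata="https://evil.example/prm", '
    'resource_metadata="https://rs.example/.well-known/oauth-protected-resource"'
)
HEADER_DECOY_ONLY = (
    'Bearer custom_scope="decoy", x_resource_metadata="https://evil.example/prm"'
)

# RFC 9110 token characters, used for auth-param names and unquoted values.
_TOKEN = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"
# Body of a quoted-string, allowing quoted-pair escapes such as \" inside it.
_QUOTED = r'"((?:[^"\\]|\\.)*)"'


def naive_extract(field: str, header: str) -> Optional[str]:
    """Unanchored substring search (the bug): 'scope' also matches inside 'error_scope'."""
    m = re.search(rf'{field}="([^"]*)"', header)
    return m.group(1) if m else None


def extract_auth_param(field: str, header: str) -> Optional[str]:
    """Boundary-anchored search: the field name must start the header or follow an
    auth-param separator (comma or whitespace), so only a complete name matches."""
    pattern = (
        r"(?:^|[\s,])"        # boundary before the name
        + re.escape(field)    # escaped, so a '.' in a field name is literal
        + r"\s*=\s*"
        + rf"(?:{_QUOTED}|({_TOKEN}))"
    )
    # Assumption: auth-param names compare case-insensitively (RFC 9110).
    m = re.search(pattern, header, flags=re.IGNORECASE)
    if m is None:
        return None
    if m.group(1) is not None:
        return re.sub(r"\\(.)", r"\1", m.group(1))  # undo quoted-pair escapes
    return m.group(2)


_AUTH_PARAM = re.compile(rf"({_TOKEN})\s*=\s*(?:{_QUOTED}|({_TOKEN}))")


def parse_auth_params(header: str) -> dict[str, str]:
    """Tokenise the challenge into name -> value, consuming each quoted value whole
    so text such as 'scope=' inside a quoted value cannot be read as a parameter."""
    params: dict[str, str] = {}
    for m in _AUTH_PARAM.finditer(header):
        name = m.group(1).lower()
        if m.group(2) is not None:
            value = re.sub(r"\\(.)", r"\1", m.group(2))
        else:
            value = m.group(3)
        params.setdefault(name, value)  # first occurrence wins; duplicates are malformed
    return params


if __name__ == "__main__":
    for field in ("scope", "resource_metadata"):
        print(field, "naive:", naive_extract(field, HEADER_DECOY_FIRST))
        print(field, "anchored:", extract_auth_param(field, HEADER_DECOY_FIRST))
        print(field, "decoy-only:", extract_auth_param(field, HEADER_DECOY_ONLY))
    print(parse_auth_params(HEADER_DECOY_FIRST))
```

Running the module shows the naive search returning "decoy" and the attacker-controlled x_resource_metadata URL, while the anchored search returns the real values and None when only a decoy is present. The boundary regex is enough for the PR's four scenarios, but a quoted value that itself contains ", scope=" would still be misread by any single-field regex; the tokenising parser avoids that because it never starts a new match inside a quoted-string it has already consumed.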

@cubic-dev-ai cubic-dev-ai Bot left a comment

No issues found across 2 files

Development

Successfully merging this pull request may close these issues.

WWW-Authenticate parsing matches a field name as a substring of another auth-param