Skip to content

fix(auth): add Accept: application/json header to OAuth token requests#2684

Open
gauravSsinha wants to merge 1 commit into
modelcontextprotocol:mainfrom
substrai:fix/oauth-token-accept-json-header
Open

fix(auth): add Accept: application/json header to OAuth token requests#2684
gauravSsinha wants to merge 1 commit into
modelcontextprotocol:mainfrom
substrai:fix/oauth-token-accept-json-header

Conversation

@gauravSsinha
Copy link
Copy Markdown

@gauravSsinha gauravSsinha commented May 26, 2026

Summary

Adds Accept: application/json header to all OAuth token endpoint requests. Some providers (notably GitHub) return form-encoded responses by default unless JSON is explicitly requested, causing token exchange failures.

Problem

As reported in #1523, the SDK's OAuth token requests only set Content-Type but not Accept. Providers like GitHub's OAuth endpoint return application/x-www-form-urlencoded by default, which fails to parse as JSON.

From GitHub's OAuth docs:

By default, the response takes the following form: access_token=...&token_type=bearer
You can also receive the response in different formats by providing the Accept header.

Fix

Added "Accept": "application/json" to headers in all token request builders:

  • OAuthClientProvider._build_token_request() — authorization code exchange
  • OAuthClientProvider._refresh_token() — token refresh
  • ClientCredentialsOAuthProvider._build_token_request() — client credentials
  • PrivateKeyJWTOAuthProvider._build_token_request() — private key JWT
  • SignedJWTOAuthProvider._build_token_request() — signed JWT assertion

Testing

  • All 96 auth tests pass
  • All 15 client_credentials tests pass
  • No breaking changes (adding Accept header is additive)

References

  • RFC 6749 Section 5.1 specifies JSON for token responses
  • GitHub OAuth docs require explicit Accept header for JSON

Fixes #1523

@gauravSsinha
fix(auth): add Accept: application/json header to OAuth token requests
064808d 
Some OAuth providers (e.g., GitHub) return form-encoded responses by
default unless the client explicitly requests JSON via the Accept
header. This causes token exchange to fail with a parse error since
the SDK expects JSON responses.

Add 'Accept: application/json' to all token endpoint requests:
- Authorization code token exchange (oauth2.py)
- Token refresh (oauth2.py)
- Client credentials grant (client_credentials.py)
- Private key JWT grant (client_credentials.py)
- Signed JWT assertion grant (client_credentials.py)

This aligns with RFC 6749 Section 5.1 which specifies that token
responses use JSON, and ensures interoperability with providers that
require explicit content negotiation.

Fixes modelcontextprotocol#1523

Signed-off-by: Gaurav Kumar Sinha <gaurav@substrai.dev>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

OAuthClientProvider._handle_token_response expect json

1 participant

@gauravSsinha