URL: http://github.com/modelcontextprotocol/python-sdk/pull/2684

fix(auth): add Accept: application/json header to OAuth token requests by gauravSsinha · Pull Request #2684 · modelcontextprotocol/python-sdk · GitHub

fix(auth): add Accept: application/json header to OAuth token requests #2684

Open
gauravSsinha wants to merge 1 commit into modelcontextprotocol:main from substrai:fix/oauth-token-accept-json-header

@gauravSsinha

Summary

Adds Accept: application/json header to all OAuth token endpoint requests. Some providers (notably GitHub) return form-encoded responses by default unless JSON is explicitly requested, causing token exchange failures.

Problem

As reported in #1523, the SDK's OAuth token requests only set Content-Type but not Accept. Providers like GitHub's OAuth endpoint return application/x-www-form-urlencoded by default, which fails to parse as JSON.

From GitHub's OAuth docs:

By default, the response takes the following form: access_token=...&token_type=bearer
You can also receive the response in different formats by providing the Accept header.

Fix

Added "Accept": "application/json" to headers in all token request builders:

  • OAuthClientProvider._build_token_request() — authorization code exchange
  • OAuthClientProvider._refresh_token() — token refresh
  • ClientCredentialsOAuthProvider._build_token_request() — client credentials
  • PrivateKeyJWTOAuthProvider._build_token_request() — private key JWT
  • SignedJWTOAuthProvider._build_token_request() — signed JWT assertion

Testing

  • All 96 auth tests pass
  • All 15 client_credentials tests pass
  • No breaking changes (adding Accept header is additive)

References

  • RFC 6749 Section 5.1 specifies JSON for token responses
  • GitHub OAuth docs require explicit Accept header for JSON

Fixes #1523

Some OAuth providers (e.g., GitHub) return form-encoded responses by
default unless the client explicitly requests JSON via the Accept
header. This causes token exchange to fail with a parse error since
the SDK expects JSON responses.

Add 'Accept: application/json' to all token endpoint requests:
- Authorization code token exchange (oauth2.py)
- Token refresh (oauth2.py)
- Client credentials grant (client_credentials.py)
- Private key JWT grant (client_credentials.py)
- Signed JWT assertion grant (client_credentials.py)

This aligns with RFC 6749 Section 5.1 which specifies that token
responses use JSON, and ensures interoperability with providers that
require explicit content negotiation.

Fixes modelcontextprotocol#1523

Signed-off-by: Gaurav Kumar Sinha <gaurav@substrai.dev>
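
An added illustration (not code from this pull request or the SDK) of the failure described above and of what the `Accept` header changes. `fake_token_endpoint`, `parse_token_response`, `exchange`, `TokenResponseError` and the sample token are hypothetical names and constructed values; the endpoint stand-in mimics the content negotiation that the quoted GitHub documentation describes.

```python
import json
from urllib.parse import urlencode

# Constructed sample values; not real credentials.
SAMPLE_TOKEN = {"access_token": "example-token", "token_type": "bearer"}
HEADERS_BEFORE = {"Content-Type": "application/x-www-form-urlencoded"}
HEADERS_AFTER = {**HEADERS_BEFORE, "Accept": "application/json"}


class TokenResponseError(ValueError):
    """Raised when a token response is not the JSON object the client expects."""


def fake_token_endpoint(request_headers: dict) -> tuple:
    """Hypothetical provider: form-encoded by default, JSON only on request."""
    if "application/json" in request_headers.get("Accept", ""):
        return "application/json; charset=utf-8", json.dumps(SAMPLE_TOKEN).encode()
    return "application/x-www-form-urlencoded", urlencode(SAMPLE_TOKEN).encode()


def parse_token_response(content_type: str, body: bytes) -> dict:
    """Accept only a JSON token response and reject anything else explicitly."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type != "application/json":
        # Name the media type only: the body may hold a live token and
        # must not be copied into exception text or logs.
        raise TokenResponseError(f"expected application/json, got {media_type}")
    try:
        data = json.loads(body)
    except ValueError:
        raise TokenResponseError("token response body is not valid JSON") from None
    if not isinstance(data, dict):
        raise TokenResponseError("token response is not a JSON object")
    for field in ("access_token", "token_type"):
        if not isinstance(data.get(field), str) or not data[field]:
            raise TokenResponseError(f"token response lacks {field}")
    return data


def exchange(request_headers: dict) -> dict:
    """One simulated token request followed by strict parsing."""
    content_type, body = fake_token_endpoint(request_headers)
    return parse_token_response(content_type, body)


if __name__ == "__main__":
    print(exchange(HEADERS_AFTER)["token_type"])
```

With `HEADERS_BEFORE` the same call raises `TokenResponseError` naming the form-encoded media type, without echoing the token-bearing body.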

Development

Successfully merging this pull request may close these issues.

OAuthClientProvider._handle_token_response expect json
