[BUG] Remote: OAuth protected resource metadata has wrong protocol in ACA #1214

@vukelich

Describe the bug

The HTTP 401 challenge for unauthenticated requests uses the incoming request protocol for crafting the resource_metadata value in the WWW-Authenticate header, as in:

```csharp
string resourceMetadataUrl = $"{request.Scheme}://{request.Host}/.well-known/oauth-protected-resource";
```

The protocol for the URL is fine when the client connects directly to the MCP server, such as in local development or on App Service. ACA container apps would see the http protocol because that's the default behavior for the ACA environment's reverse proxy.

Expected behavior

The resource_metadata value in the WWW-Authenticate header should match the original client request, including both protocol and host name.

Actual behavior

On ACA apps, the resource_metadata value in the WWW-Authenticate header matches the correct host name but the protocol is http. This results in clients like VS Code calling a URL that fails.

Reproduction Steps

asdf

Environment

No response
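One way to make `request.Scheme` reflect the client's original protocol behind a TLS-terminating proxy, shown as an added example that is not code from this issue or from the project. It assumes the ACA ingress passes the original scheme in `X-Forwarded-Proto`; the `/mcp` route and the `TRUSTED_PROXY_IP` setting are hypothetical names.

```csharp
using System.Net;
using Microsoft.AspNetCore.HttpOverrides;

var builder = WebApplication.CreateBuilder(args);

builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    // The issue reports the host as already correct, so only the scheme is taken
    // from the proxy. Honouring fewer forwarded headers means less spoofable input.
    options.ForwardedHeaders = ForwardedHeaders.XForwardedProto;

    // Assumption: exactly one proxy hop (the environment's ingress) sits in front of the app.
    options.ForwardLimit = 1;

    // By default only loopback senders are trusted, so the header from the ingress
    // would be ignored. Trust the ingress address explicitly rather than clearing
    // the lists and accepting X-Forwarded-Proto from any peer.
    string? proxy = builder.Configuration["TRUSTED_PROXY_IP"]; // hypothetical setting
    if (IPAddress.TryParse(proxy, out IPAddress? proxyAddress))
    {
        options.KnownProxies.Add(proxyAddress);
    }
});

var app = builder.Build();

// Must run before any code that reads request.Scheme, including the 401 challenge.
app.UseForwardedHeaders();

// Hypothetical protected endpoint that always issues the challenge, to show the result.
app.MapGet("/mcp", (HttpRequest request, HttpResponse response) =>
{
    // Same expression as in the issue; Scheme is now "https" when the trusted
    // proxy forwarded an HTTPS request, and unchanged for direct connections.
    string resourceMetadataUrl =
        $"{request.Scheme}://{request.Host}/.well-known/oauth-protected-resource";

    response.Headers.WWWAuthenticate =
        $"Bearer resource_metadata=\"{resourceMetadataUrl}\"";
    return Results.Unauthorized();
});

app.Run();
```

If the proxy address is not stable, the trust decision has to move to the network layer (the app reachable only through the ingress) before the known-proxy lists are relaxed, since any peer that can reach the app directly could otherwise choose the scheme in the challenge.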
