diff --git a/labs/mcp-client-authorization/src/apim-oauth/consent.policy.xml b/labs/mcp-client-authorization/src/apim-oauth/consent.policy.xml
index e37d916c..e8507415 100644
--- a/labs/mcp-client-authorization/src/apim-oauth/consent.policy.xml
+++ b/labs/mcp-client-authorization/src/apim-oauth/consent.policy.xml
@@ -242,7 +242,7 @@ __COMMON_STYLES__
2018-12-31
-
+
@($"[\"{context.Variables.GetValueOrDefault("client_id")}\"]")
diff --git a/labs/mcp-client-authorization/src/apim-oauth/oauth-callback.policy.xml b/labs/mcp-client-authorization/src/apim-oauth/oauth-callback.policy.xml
index 1eb81fe9..9a7b4c7f 100644
--- a/labs/mcp-client-authorization/src/apim-oauth/oauth-callback.policy.xml
+++ b/labs/mcp-client-authorization/src/apim-oauth/oauth-callback.policy.xml
@@ -123,8 +123,8 @@
-
-
+
+
POST
@@ -132,7 +132,9 @@
application/x-www-form-urlencoded
@{
- return $"client_id={context.Variables.GetValueOrDefault("clientId")}&grant_type=authorization_code&code={context.Variables.GetValueOrDefault("authCode")}&redirect_uri={context.Variables.GetValueOrDefault("redirectUri")}&scope=User.Read&code_verifier={context.Variables.GetValueOrDefault("codeVerifier")}&client_assertion_type={context.Variables.GetValueOrDefault("clientAssertionType")}&client_assertion={context.Variables.GetValueOrDefault("ficToken")}";
+ // Align scope with configured OAuth scopes used during authorize request
+ string scopes = "{{OAuthScopes}}";
+ return $"client_id={context.Variables.GetValueOrDefault("clientId")}&grant_type=authorization_code&code={context.Variables.GetValueOrDefault("authCode")}&redirect_uri={context.Variables.GetValueOrDefault("redirectUri")}&scope={System.Net.WebUtility.UrlEncode(scopes)}&code_verifier={context.Variables.GetValueOrDefault("codeVerifier")}&client_secret={System.Net.WebUtility.UrlEncode((string)context.Variables.GetValueOrDefault("clientSecret"))}";
}
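Review bot: The new `return` line URL-encodes only `scope` and `client_secret`, while `client_id`, `code`, `redirect_uri` and `code_verifier` are still interpolated raw into the `application/x-www-form-urlencoded` body. If `authCode` or `redirectUri` come from the callback request (likely, but not visible in this hunk), a value containing `&` or `=` would add or override form fields in the token request. Each should be encoded the same way, e.g. `code={System.Net.WebUtility.UrlEncode((string)context.Variables.GetValueOrDefault("authCode"))}`. The hunk also replaces the `client_assertion` credential with a static `client_secret`, so confirm that `clientSecret` is filled from a secret (Key Vault-backed) named value, and that a missing value fails the request instead of posting an empty `client_secret=`. The enclosing policy element starts and ends outside the hunk.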
@@ -237,4 +239,4 @@
-
\ No newline at end of file
+
diff --git a/labs/mcp-client-authorization/src/apim-oauth/token.policy.xml b/labs/mcp-client-authorization/src/apim-oauth/token.policy.xml
index a3956236..1686b636 100644
--- a/labs/mcp-client-authorization/src/apim-oauth/token.policy.xml
+++ b/labs/mcp-client-authorization/src/apim-oauth/token.policy.xml
@@ -190,7 +190,7 @@
2018-12-31
-
+
@($"[\"{context.Variables.GetValueOrDefault("client_id")}\"]")
@@ -312,4 +312,4 @@
-
\ No newline at end of file
+
diff --git a/labs/mcp-client-authorization/src/weather/apim-mcp-server/policy.xml b/labs/mcp-client-authorization/src/weather/apim-mcp-server/policy.xml
index 516a63d5..8976288c 100644
--- a/labs/mcp-client-authorization/src/weather/apim-mcp-server/policy.xml
+++ b/labs/mcp-client-authorization/src/weather/apim-mcp-server/policy.xml
@@ -47,9 +47,10 @@
byte[] decryptedBytes = inBytes.Decrypt("Aes", key, IV);
return Encoding.UTF8.GetString(decryptedBytes);
}" />
-
+
+
-
+
@@ -57,7 +58,7 @@
{
"error": "unauthorized",
- "error_description": "token is not valid"
+ "error_description": "session not found or expired"
}
@@ -72,4 +73,4 @@
-
\ No newline at end of file
+