
Conversation

@eduardomb-aw
Contributor

  • Implemented OAuth token handling with scope support for Entra ID.
  • Implemented On-Behalf-Of flow for secure downstream API calls (Microsoft Graph and SharePoint).
  • Updated README.md for setup, usage, and troubleshooting.

I updated the ClientOAuthProvider to be compatible with MS Entra and added sample projects for that scenario.

PS: This will fix issue 939.

Motivation and Context

It is very important for the SDK to work with MS Entra for authentication and authorization.

How Has This Been Tested?

I tested with my MS Entra tenant. The sample project works and is able to successfully authenticate, exchange the token, and call downstream APIs (MS Graph and SharePoint) accordingly.

Breaking Changes

Don't think so.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

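As an added illustration of the On-Behalf-Of exchange the description refers to (example code written for this page, not the PR's or the SDK's implementation), the following shows the exchange with MSAL.NET. The tenant id, client id, secret and the incoming token are placeholders, and the downstream scope strings are assumptions for Graph and SharePoint.

```csharp
// Added example: On-Behalf-Of (OBO) exchange with MSAL.NET. This is not the PR's
// code; it assumes the Microsoft.Identity.Client NuGet package and the
// placeholder values below (server app registration of the MCP server).
using System;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class OboExample
{
    // Placeholders: replace with the server app registration values.
    private const string TenantId = "<tenant-id>";
    private const string ClientId = "<server-app-client-id>";
    private const string ClientSecret = "<server-app-client-secret>";

    // Exchanges the access token an MCP client presented to this server for a
    // downstream token, without prompting the user again.
    //
    // Precondition: incomingAccessToken must already have been validated by the
    // server (signature, issuer, expiry, and an audience equal to this server's
    // app registration). A token whose audience is something else, such as the
    // PRM resource URL, is rejected by Entra during the exchange.
    public static async Task<string> ExchangeForDownstreamTokenAsync(
        string incomingAccessToken, string[] downstreamScopes)
    {
        IConfidentialClientApplication app = ConfidentialClientApplicationBuilder
            .Create(ClientId)
            .WithClientSecret(ClientSecret)
            .WithAuthority(AzureCloudInstance.AzurePublic, TenantId)
            .Build();

        AuthenticationResult result = await app
            .AcquireTokenOnBehalfOf(downstreamScopes, new UserAssertion(incomingAccessToken))
            .ExecuteAsync();

        return result.AccessToken;
    }

    // Request only the downstream permission actually needed (least privilege).
    // Assumed scope strings: Graph and a SharePoint tenant (replace <tenant>).
    public static Task<string> ForGraphAsync(string token) =>
        ExchangeForDownstreamTokenAsync(token, new[] { "https://graph.microsoft.com/User.Read" });

    public static Task<string> ForSharePointAsync(string token) =>
        ExchangeForDownstreamTokenAsync(token, new[] { "https://<tenant>.sharepoint.com/.default" });
}
```

The downstream token is scoped to the caller's identity, so any authorization error from Graph or SharePoint reflects that user's permissions rather than the server's.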
@eduardomb-aw eduardomb-aw marked this pull request as draft November 4, 2025 21:57
```csharp
// Fragment of the diff context the review comment below is attached to
["resource"] = resourceUri.ToString(),
});
};
```

Contributor Author


@PederHP, the code below behaves as I intended, but it's not a good implementation. The issue here is that if I pass the resource to Entra as it's defined in the PRM (e.g.: http://localhost:7071/) it will never be validated by it and all token requests result in a BadRequest that in PS looks like this:

[screenshot]

At the same time, if I update the configuration to the expected value (the server app registration client id), it's not validated by the provider:

[screenshot]

I tried to find alternatives, but am also trying to keep changes to a minimum. Would appreciate if you could share your thoughts.



Development

Successfully merging this pull request may close these issues.

ClientOAuthProvider does not work with MS Entra
