Open
Labels: PR Welcome (PRs from the community to resolve this issue are welcome), enhancement (New feature or request)
Describe the bug
Azure Active Directory supports S256 PKCE but doesn't advertise code_challenge_methods_supported in its OIDC discovery metadata. The MCP SDK's strict validation at lines 779-783 rejects Azure as incompatible, even though Azure fully supports the required S256 code challenge method.
To Reproduce
Steps to reproduce the behavior:
- Set up an MCP server that returns Azure AD as the authorization server in protected resource metadata:
  {"resource":"http://localhost:3000/","authorization_servers":["https://login.microsoftonline.com/{tenant-id}"]}
- Configure an MCP client (like mcp-remote) to connect with Azure OAuth credentials.
- Attempt the OAuth authentication flow.
- SDK discovers Azure OIDC metadata at https://login.microsoftonline.com/{tenant-id}/.well-known/openid-configuration
- SDK validation fails because code_challenge_methods_supported field is missing from Azure's metadata
Expected behavior
Azure should be accepted as a compatible OIDC provider since it supports S256 PKCE (as documented in Microsoft's OAuth 2.0 auth code flow), and the OAuth flow should proceed normally.
Logs
Error: Incompatible OIDC provider at https://login.microsoftonline.com/{tenant-id}/.well-known/openid-configuration: does not support S256 code challenge method required by MCP specification
at discoverAuthorizationServerMetadata (/path/to/sdk/src/client/auth.ts:780:15)
Additional context
- This affects enterprise adoption where Azure AD is commonly used as the identity provider
- Suggested fix: Change the validation to if (metadata.code_challenge_methods_supported && !metadata.code_challenge_methods_supported.includes('S256'))
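
The two validation policies discussed in this issue, side by side, as an added example (not the SDK's code; the type, the function names and the sample metadata objects are hypothetical and constructed). It also separates "field absent" from "field present but malformed", which a plain truthiness test on the field would merge.

```typescript
// Added example: names are hypothetical, not the MCP SDK's API.
// Discovery metadata is untrusted JSON from the network, so treat values as unknown.
type DiscoveryMetadata = Record<string, unknown>;
type PkceVerdict = "advertised" | "unadvertised" | "incompatible";

const FIELD = "code_challenge_methods_supported";

// Strict policy (the behaviour the issue reports): a missing field is a rejection.
function strictPkceCheck(metadata: DiscoveryMetadata): boolean {
  const methods = metadata[FIELD];
  return Array.isArray(methods) && methods.includes("S256");
}

// Lenient policy (the condition the issue suggests): reject only when the field
// is present and does not list S256. Assumption of this example: only a truly
// absent field counts as "unadvertised"; null, a string, or any other non-array
// value is malformed metadata and is rejected rather than waved through.
function classifyPkceSupport(metadata: DiscoveryMetadata): PkceVerdict {
  if (!(FIELD in metadata)) return "unadvertised";
  const methods = metadata[FIELD];
  if (!Array.isArray(methods)) return "incompatible";
  return methods.includes("S256") ? "advertised" : "incompatible";
}

// In the "unadvertised" case the client proceeds but must still send an S256
// code_challenge and the code_verifier; metadata alone cannot confirm that the
// server enforces them, so the verdict is worth logging.
function shouldProceed(metadata: DiscoveryMetadata): boolean {
  return classifyPkceSupport(metadata) !== "incompatible";
}

// Constructed sample metadata documents (placeholders, not real responses).
const unadvertisedProvider: DiscoveryMetadata = {
  issuer: "https://idp.example/{tenant-id}/v2.0", // field omitted, as the issue describes
};
const s256Provider: DiscoveryMetadata = {
  issuer: "https://idp.example/a",
  code_challenge_methods_supported: ["plain", "S256"],
};
const plainOnlyProvider: DiscoveryMetadata = {
  issuer: "https://idp.example/b",
  code_challenge_methods_supported: ["plain"],
};
const malformedProvider: DiscoveryMetadata = {
  issuer: "https://idp.example/c",
  code_challenge_methods_supported: null,
};
```
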