From 8c1f757f06b208e62158988288a42dcf261fedab Mon Sep 17 00:00:00 2001 From: Soham Dahivalkar Date: Mon, 1 Jun 2026 23:16:46 +0530 Subject: [PATCH] fix(auth): add Accept: application/json header to OAuth token requests Token exchange and refresh requests only set Content-Type but omit the Accept header. Some OAuth providers (e.g. GitHub) return form-encoded data by default and require Accept: application/json to return JSON. Since _handle_token_response parses the body as JSON, omitting the Accept header causes parse failures with these providers. Add Accept: application/json to both _exchange_token_authorization_code and _build_refresh_token_request. Fixes #1523 --- src/mcp/client/auth/oauth2.py | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/src/mcp/client/auth/oauth2.py b/src/mcp/client/auth/oauth2.py index 3c546fda2..ed72002db 100644 --- a/src/mcp/client/auth/oauth2.py +++ b/src/mcp/client/auth/oauth2.py @@ -402,7 +402,10 @@ async def _exchange_token_authorization_code( token_data["resource"] = self.context.get_resource_url() # RFC 8707 # Prepare authentication based on preferred method - headers = {"Content-Type": "application/x-www-form-urlencoded"} + headers = { + "Content-Type": "application/x-www-form-urlencoded", + "Accept": "application/json", + } token_data, headers = self.context.prepare_token_auth(token_data, headers) return httpx.Request("POST", token_url, data=token_data, headers=headers) @@ -447,7 +450,10 @@ async def _refresh_token(self) -> httpx.Request: refresh_data["resource"] = self.context.get_resource_url() # RFC 8707 # Prepare authentication based on preferred method - headers = {"Content-Type": "application/x-www-form-urlencoded"} + headers = { + "Content-Type": "application/x-www-form-urlencoded", + "Accept": "application/json", + } refresh_data, headers = self.context.prepare_token_auth(refresh_data, headers) return httpx.Request("POST", token_url, data=refresh_data, headers=headers)