Correctly pass redirect_uri to tokens call

[praboud-ant]

Motivation and Context

The OAuth client currently passes redirect_uri to /authorize, but doesn't pass it to /token. Per https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3, if the client passes it to /authorize, it MUST pass the same value to /token. I ran into this when trying to test Inspector (which uses the typescript SDK client) with an OAuth server which is compliant with that part of the RFC - the server correctly rejected the requests as missing the redirect_uri value.

How Has This Been Tested?

Automated tests, and locally wiring this up to inspector & verifying that the auth flow works.

Breaking Changes

No

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Documentation update

Checklist

• I have read the MCP Documentation
• My code follows the repository's style guidelines
• New and existing tests pass locally
• I have added appropriate error handling
• I have added or updated documentation as needed

Additional context

[jspahrsummers]

We are following the OAuth 2.1 draft spec (not OAuth 2.0) for MCP, which has this to say:

In OAuth 2.1, authorization code injection is prevented by the code_challenge and code_verifier parameters, making the inclusion of the redirect_uri parameter serve no purpose in the token request. As such, it has been removed.

I don't think we care about OAuth 2.0 compatibility here, although if folks feel strongly that this is important (e.g., because we want to be compatible with existing, OAuth 2.0-only auth libraries), we can consider it.

[csmoakpax8]

I need this as well. Just submitted an issue before seeing this. #225

[jspahrsummers]

Okay, on the basis of being compatible with Auth0 (as very widely used infrastructure), let's get this in.

Thanks for the data point @csmoakpax8!

[csmoakpax8]

@jspahrsummers Amazing thank you!

[jerome3o-anthropic]

should this be optional? I think it's possible for the authorization request to not have ?redirect_uri=xxx defined (i.e. if the client only has a single configured redirect the server should just send them there).

[jerome3o-anthropic]

and thus by oauth 2.0, it wouldn't be required

redirect_uri
REQUIRED, if the "redirect_uri" parameter was included in the
authorization request as described in Section 4.1.1, and their
values MUST be identical.

[jerome3o-anthropic]

tbh I think it's okay as is

I think it's fine as is