Title: `OAuthClientInformationFull.redirect_uris`: pydantic strict-type-equality breaks `AnyUrl(x) != AnyHttpUrl(x)` round-trip · Issue #2687 · modelcontextprotocol/python-sdk · GitHub
Open Graph Title: `OAuthClientInformationFull.redirect_uris`: pydantic strict-type-equality breaks `AnyUrl(x) != AnyHttpUrl(x)` round-trip · Issue #2687 · modelcontextprotocol/python-sdk
X Title: `OAuthClientInformationFull.redirect_uris`: pydantic strict-type-equality breaks `AnyUrl(x) != AnyHttpUrl(x)` round-trip · Issue #2687 · modelcontextprotocol/python-sdk
Description: Summary When implementing a custom OAuth provider against the MCP Python SDK, callers must construct OAuthClientInformationFull instances. The SDK declares redirect_uris: list[AnyUrl] (where AnyUrl is pydantic's base URL type). Passing p...
Open Graph Description: Summary When implementing a custom OAuth provider against the MCP Python SDK, callers must construct OAuthClientInformationFull instances. The SDK declares redirect_uris: list[AnyUrl] (where AnyUrl...
X Description: Summary When implementing a custom OAuth provider against the MCP Python SDK, callers must construct OAuthClientInformationFull instances. The SDK declares redirect_uris: list[AnyUrl] (where AnyUrl...
Opengraph URL: https://github.com/modelcontextprotocol/python-sdk/issues/2687
X: @github
Domain: github.com
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"`OAuthClientInformationFull.redirect_uris`: pydantic strict-type-equality breaks `AnyUrl(x) != AnyHttpUrl(x)` round-trip","articleBody":"Summary\nWhen implementing a custom OAuth provider against the MCP Python SDK, callers must construct `OAuthClientInformationFull` instances. The SDK declares `redirect_uris: list[AnyUrl]` (where `AnyUrl` is pydantic's base URL type). Passing pydantic's stricter subtype `AnyHttpUrl` (or any other AnyUrl subtype) causes silent equality failures downstream: `AnyUrl(\"https://...\") == AnyHttpUrl(\"https://...\")` returns `False` in pydantic v2, even when the two URLs serialize identically. This breaks `redirect_uri` matching during the `/authorize` → `/token` exchange.\nReproducer\n```python\nfrom pydantic import AnyUrl, AnyHttpUrl\nfrom mcp.server.auth.provider import OAuthClientInformationFull\n\n# pydantic v2 strict-type equality\nu1 = AnyUrl(\"https://example.com/callback\")\nu2 = AnyHttpUrl(\"https://example.com/callback\")\nassert str(u1) == str(u2) # True (both render the same)\nassert u1 == u2 # FAILS in pydantic v2 — different runtime types\n\n# Concrete impact in OAuth flow:\nclient_info = OAuthClientInformationFull(\n client_id=\"test\",\n redirect_uris=[AnyHttpUrl(\"https://example.com/cb\")],\n # ...other required fields\n)\n# When the /authorize request arrives with redirect_uri parameter, the SDK\n# constructs an AnyUrl from the query string and checks membership:\nincoming = AnyUrl(\"https://example.com/cb\")\nassert incoming in client_info.redirect_uris # FAILS — type mismatch\n```\nExpected behavior\n`OAuthClientInformationFull.redirect_uris` should accept and compare-equal across AnyUrl and AnyUrl subtypes (AnyHttpUrl, AnyHttpsUrl, etc.) when the underlying URL is identical.\nActual behavior\nStrict-type equality causes the membership check to fail. The OAuth flow returns a generic redirect-mismatch error to the client; the underlying cause (type vs URL mismatch) is invisible without instrumenting the SDK.\nSuggested fix\nTwo options:\nCoerce on assignment. Have `OAuthClientInformationFull.redirect_uris` field validator coerce all values to `AnyUrl` (the declared base type), regardless of what the caller passes. This is the cleanest fix and matches the field declaration.\nCompare-by-string. Override `__eq__` on the AnyUrl chain to compare-by-`str()` rather than by runtime type. Broader-impact change; probably not desirable.\nOption 1 is preferred. A short field_validator with `mode=\"before\"` converting to `AnyUrl` strings before pydantic instantiates would do it.\nWorkaround (current PolyBot mitigation)\nPass `redirect_uris` as raw `list[str]`; pydantic coerces to `AnyUrl` per the field declaration. This avoids the type mismatch:\n```python\nclient_info = OAuthClientInformationFull(\n client_id=\"test\",\n redirect_uris=[\"https://example.com/cb\"], # raw strings, not AnyHttpUrl\n # ...\n)\n```\nWorks at runtime; loses some IDE type hints in the caller code.\nEnvironment\nmcp Python SDK version: 1.27.1\npydantic version: 2.x\nPython: 3.11+\nRelated code locations\nIn the MCP SDK:\n`mcp/server/auth/provider.py` — `OAuthClientInformationFull` definition with `redirect_uris: list[AnyUrl]`\n`mcp/server/auth/handlers/authorize.py` — where the membership check happens\nSeverity\nMedium — silently breaks OAuth flows in custom-provider setups; reproducer is simple; workaround is trivial once known but the failure mode is hard to diagnose from the user-facing error.","author":{"url":"https://github.com/ptrhrsch-arch","@type":"Person","name":"ptrhrsch-arch"},"datePublished":"2026-05-26T10:37:28.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":4},"url":"https://github.com/2687/python-sdk/issues/2687"}
| route-pattern | /_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format) |
| route-controller | voltron_issues_fragments |
| route-action | issue_layout |
| fetch-nonce | v2:ac59eb20-b3de-75a9-9010-4a9534d467ec |
| current-catalog-service-hash | 81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114 |
| request-id | ACBE:1B670D:978548:CA749C:6A5A8379 |
| html-safe-nonce | 22d934327fd0b252207dafb18c58d2b8573eee7207569b956df68a2e4495ca85 |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJBQ0JFOjFCNjcwRDo5Nzg1NDg6Q0E3NDlDOjZBNUE4Mzc5IiwidmlzaXRvcl9pZCI6IjI2MzQyNTczMDczMjk1Mjg2OTciLCJyZWdpb25fZWRnZSI6ImlhZCIsInJlZ2lvbl9yZW5kZXIiOiJpYWQifQ== |
| visitor-hmac | 89609bed88c6b5a61ecb3e6db29df5f5a490f092dd0a475e194c017ecd564c03 |
| hovercard-subject-tag | issue:4523536290 |
| github-keyboard-shortcuts | repository,issues,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/modelcontextprotocol/python-sdk/2687/issue_layout |
| twitter:image | https://opengraph.githubassets.com/df5d08e8e6ab6714d77b13c4c080e2110750d0d5637ee9784921d16b6301b054/modelcontextprotocol/python-sdk/issues/2687 |
| twitter:card | summary_large_image |
| og:image | https://opengraph.githubassets.com/df5d08e8e6ab6714d77b13c4c080e2110750d0d5637ee9784921d16b6301b054/modelcontextprotocol/python-sdk/issues/2687 |
| og:image:alt | Summary When implementing a custom OAuth provider against the MCP Python SDK, callers must construct OAuthClientInformationFull instances. The SDK declares redirect_uris: list[AnyUrl] (where AnyUrl... |
| og:image:width | 1200 |
| og:image:height | 600 |
| og:site_name | GitHub |
| og:type | object |
| og:author:username | ptrhrsch-arch |
| hostname | github.com |
| expected-hostname | github.com |
| None | 922bdba685ea48400234d557977f0e32d9adbae6f5125725b4f48cacc6801106 |
| turbo-cache-control | no-preview |
| go-import | github.com/modelcontextprotocol/python-sdk git https://github.com/modelcontextprotocol/python-sdk.git |
| octolytics-dimension-user_id | 182288589 |
| octolytics-dimension-user_login | modelcontextprotocol |
| octolytics-dimension-repository_id | 862584018 |
| octolytics-dimension-repository_nwo | modelcontextprotocol/python-sdk |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 862584018 |
| octolytics-dimension-repository_network_root_nwo | modelcontextprotocol/python-sdk |
| turbo-body-classes | logged-out env-production page-responsive |
| disable-turbo | false |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | 7c8a44665d760d73ead7e85d8f88b299152aa681 |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width