WWW-Authenticate header is not respected by Client SDK #1054
Description
Initial Checks
- I confirm that I'm using the latest version of MCP Python SDK
- I confirm that I searched for my issue in https://github.com/modelcontextprotocol/python-sdk/issues before opening this issue
Description
As per MCP specification:
MCP clients MUST be able to parse WWW-Authenticate headers and respond appropriately to HTTP 401 Unauthorized responses from the MCP server.
Link: https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization
At the same time, the Client SDK calculates the protected resource metadata URL and ignores the header:
async def _discover_protected_resource(self) -> httpx.Request:
"""Build discovery request for protected resource metadata."""
auth_base_url = self.context.get_authorization_base_url(self.context.server_url)
url = urljoin(auth_base_url, "/.well-known/oauth-protected-resource")
return httpx.Request("GET", url, headers={MCP_PROTOCOL_VERSION: LATEST_PROTOCOL_VERSION})
Link to the source code: https://github.com/modelcontextprotocol/python-sdk/blob/794218433656554deff37477c0bef8cb7deb40f6/src/mcp/client/auth.py#L206C5-L211C1
Example Code
Python & MCP Python SDK
Letest
Reactions are currently unavailable