feat: add validate_resource_url callback to OAuthClientProvider

pcarleton · pcarleton · commit ff5746234380 · 2026-02-05T16:53:24.000Z
Allows clients to override or disable PRM resource validation.
Called with (server_url, prm_resource) and can raise to reject,
return to accept, or implement custom logic. When not provided,
default behavior validates per RFC 8707 and rejects mismatches.
diff --git a/src/mcp/client/auth/oauth2.py b/src/mcp/client/auth/oauth2.py
@@ -229,6 +229,7 @@ def __init__(
         callback_handler: Callable[[], Awaitable[tuple[str, str | None]]] | None = None,
         timeout: float = 300.0,
         client_metadata_url: str | None = None,
+        validate_resource_url: Callable[[str, str | None], Awaitable[str | None]] | None = None,
     ):
         """Initialize OAuth2 authentication.
 
@@ -243,6 +244,11 @@ def __init__(
                 advertises client_id_metadata_document_supported=true, this URL will be
                 used as the client_id instead of performing dynamic client registration.
                 Must be a valid HTTPS URL with a non-root pathname.
+            validate_resource_url: Optional callback to override resource URL validation.
+                Called with (server_url, prm_resource) where prm_resource is the resource
+                from Protected Resource Metadata (or None if not present). Must return the
+                resource URL to use, or None to omit it. If not provided, default validation
+                rejects mismatched resources per RFC 8707.
 
         Raises:
             ValueError: If client_metadata_url is provided but not a valid HTTPS URL
@@ -263,6 +269,7 @@ def __init__(
             timeout=timeout,
             client_metadata_url=client_metadata_url,
         )
+        self._validate_resource_url_callback = validate_resource_url
         self._initialized = False
 
     async def _handle_protected_resource_response(self, response: httpx.Response) -> bool:
@@ -476,12 +483,17 @@ async def _handle_oauth_metadata_response(self, response: httpx.Response) -> Non
         metadata = OAuthMetadata.model_validate_json(content)
         self.context.oauth_metadata = metadata
 
-    def _validate_resource_match(self, prm: ProtectedResourceMetadata) -> None:
+    async def _validate_resource_match(self, prm: ProtectedResourceMetadata) -> None:
         """Validate that PRM resource matches the server URL per RFC 8707."""
-        if not prm.resource:
+        prm_resource = str(prm.resource) if prm.resource else None
+
+        if self._validate_resource_url_callback is not None:
+            await self._validate_resource_url_callback(self.context.server_url, prm_resource)
+            return
+
+        if not prm_resource:
             return
         default_resource = resource_url_from_server_url(self.context.server_url)
-        prm_resource = str(prm.resource)
         # Normalize: Pydantic AnyHttpUrl adds trailing slash to root URLs
         # (e.g. "https://example.com/") while resource_url_from_server_url may not.
         if not default_resource.endswith("/"):
@@ -533,7 +545,7 @@ async def async_auth_flow(self, request: httpx.Request) -> AsyncGenerator[httpx.
                         prm = await handle_protected_resource_response(discovery_response)
                         if prm:
                             # Validate PRM resource matches server URL (RFC 8707)
-                            self._validate_resource_match(prm)
+                            await self._validate_resource_match(prm)
                             self.context.protected_resource_metadata = prm
 
                             # todo: try all authorization_servers to find the OASM
