fastmcp 2.12.5__py3-none-any.whl → 2.13.0rc2__py3-none-any.whl

fastmcp/server/auth/oidc_proxy.py

@@ -12,6 +12,7 @@ This implementation is based on:
 from collections.abc import Sequence
 
 import httpx
+from key_value.aio.protocols import AsyncKeyValue
 from pydantic import AnyHttpUrl, BaseModel, model_validator
 from typing_extensions import Self
 
@@ -19,7 +20,6 @@ from fastmcp.server.auth import TokenVerifier
 from fastmcp.server.auth.oauth_proxy import OAuthProxy
 from fastmcp.server.auth.providers.jwt import JWTVerifier
 from fastmcp.utilities.logging import get_logger
-from fastmcp.utilities.storage import KVStorage
 
 logger = get_logger(__name__)
 
@@ -210,10 +210,11 @@ class OIDCProxy(OAuthProxy):
         required_scopes: list[str] | None = None,
         # FastMCP server configuration
         base_url: AnyHttpUrl | str,
+        issuer_url: AnyHttpUrl | str | None = None,
         redirect_path: str | None = None,
         # Client configuration
         allowed_client_redirect_uris: list[str] | None = None,
-        client_storage: KVStorage | None = None,
+        client_storage: AsyncKeyValue | None = None,
         # Token validation configuration
         token_endpoint_auth_method: str | None = None,
     ) -> None:
@@ -228,16 +229,16 @@ class OIDCProxy(OAuthProxy):
             timeout_seconds: HTTP request timeout in seconds
             algorithm: Token verifier algorithm
             required_scopes: Required OAuth scopes
-            base_url: Public URL of the server that exposes this FastMCP server; redirect path is
-                relative to this URL
+            base_url: Public URL where OAuth endpoints will be accessible (includes any mount path)
+            issuer_url: Issuer URL for OAuth metadata (defaults to base_url). Use root-level URL
+                to avoid 404s during discovery when mounting under a path.
             redirect_path: Redirect path configured in upstream OAuth app (defaults to "/auth/callback")
             allowed_client_redirect_uris: List of allowed redirect URI patterns for MCP clients.
                 Patterns support wildcards (e.g., "http://localhost:*", "https://*.example.com/*").
                 If None (default), only localhost redirect URIs are allowed.
                 If empty list, all redirect URIs are allowed (not recommended for production).
                 These are for MCP clients performing loopback redirects, NOT for the upstream OAuth app.
-            client_storage: Storage implementation for OAuth client registrations.
-                Defaults to file-based storage if not specified.
+            client_storage: An AsyncKeyValue-compatible store for client registrations, registrations are stored in memory if not provided
             token_endpoint_auth_method: Token endpoint authentication method for upstream server.
                 Common values: "client_secret_basic", "client_secret_post", "none".
                 If None, authlib will use its default (typically "client_secret_basic").
@@ -290,6 +291,7 @@ class OIDCProxy(OAuthProxy):
             "upstream_revocation_endpoint": revocation_endpoint,
             "token_verifier": token_verifier,
             "base_url": base_url,
+            "issuer_url": issuer_url or base_url,
             "service_documentation_url": self.oidc_config.service_documentation,
             "allowed_client_redirect_uris": allowed_client_redirect_uris,
             "client_storage": client_storage,

fastmcp/server/auth/providers/auth0.py

@@ -21,13 +21,14 @@ Example:
     ```
 """
 
+from key_value.aio.protocols import AsyncKeyValue
 from pydantic import AnyHttpUrl, SecretStr, field_validator
 from pydantic_settings import BaseSettings, SettingsConfigDict
 
 from fastmcp.server.auth.oidc_proxy import OIDCProxy
+from fastmcp.settings import ENV_FILE
 from fastmcp.utilities.auth import parse_scopes
 from fastmcp.utilities.logging import get_logger
-from fastmcp.utilities.storage import KVStorage
 from fastmcp.utilities.types import NotSet, NotSetT
 
 logger = get_logger(__name__)
@@ -38,7 +39,7 @@ class Auth0ProviderSettings(BaseSettings):
 
     model_config = SettingsConfigDict(
         env_prefix="FASTMCP_SERVER_AUTH_AUTH0_",
-        env_file=".env",
+        env_file=ENV_FILE,
         extra="ignore",
     )
 
@@ -47,6 +48,7 @@ class Auth0ProviderSettings(BaseSettings):
     client_secret: SecretStr | None = None
     audience: str | None = None
     base_url: AnyHttpUrl | None = None
+    issuer_url: AnyHttpUrl | None = None
     redirect_path: str | None = None
     required_scopes: list[str] | None = None
     allowed_client_redirect_uris: list[str] | None = None
@@ -89,10 +91,11 @@ class Auth0Provider(OIDCProxy):
         client_secret: str | NotSetT = NotSet,
         audience: str | NotSetT = NotSet,
         base_url: AnyHttpUrl | str | NotSetT = NotSet,
+        issuer_url: AnyHttpUrl | str | NotSetT = NotSet,
         required_scopes: list[str] | NotSetT = NotSet,
         redirect_path: str | NotSetT = NotSet,
         allowed_client_redirect_uris: list[str] | NotSetT = NotSet,
-        client_storage: KVStorage | None = None,
+        client_storage: AsyncKeyValue | None = None,
     ) -> None:
         """Initialize Auth0 OAuth provider.
 
@@ -101,13 +104,14 @@ class Auth0Provider(OIDCProxy):
             client_id: Auth0 application client id
             client_secret: Auth0 application client secret
             audience: Auth0 API audience
-            base_url: Public URL of your FastMCP server (for OAuth callbacks)
+            base_url: Public URL where OAuth endpoints will be accessible (includes any mount path)
+            issuer_url: Issuer URL for OAuth metadata (defaults to base_url). Use root-level URL
+                to avoid 404s during discovery when mounting under a path.
             required_scopes: Required Auth0 scopes (defaults to ["openid"])
             redirect_path: Redirect path configured in Auth0 application
             allowed_client_redirect_uris: List of allowed redirect URI patterns for MCP clients.
                 If None (default), all URIs are allowed. If empty list, no URIs are allowed.
-            client_storage: Storage implementation for OAuth client registrations.
-                Defaults to file-based storage if not specified.
+            client_storage: An AsyncKeyValue-compatible store for client registrations, registrations are stored in memory if not provided
         """
         settings = Auth0ProviderSettings.model_validate(
             {
@@ -118,6 +122,7 @@ class Auth0Provider(OIDCProxy):
                     "client_secret": client_secret,
                     "audience": audience,
                     "base_url": base_url,
+                    "issuer_url": issuer_url,
                     "required_scopes": required_scopes,
                     "redirect_path": redirect_path,
                     "allowed_client_redirect_uris": allowed_client_redirect_uris,
@@ -159,6 +164,7 @@ class Auth0Provider(OIDCProxy):
             "client_secret": settings.client_secret.get_secret_value(),
             "audience": settings.audience,
             "base_url": settings.base_url,
+            "issuer_url": settings.issuer_url,
             "redirect_path": settings.redirect_path,
             "required_scopes": auth0_required_scopes,
             "allowed_client_redirect_uris": settings.allowed_client_redirect_uris,
@@ -167,7 +173,7 @@ class Auth0Provider(OIDCProxy):
 
         super().__init__(**init_kwargs)
 
-        logger.info(
+        logger.debug(
             "Initialized Auth0 OAuth provider for client %s with scopes: %s",
             settings.client_id,
             auth0_required_scopes,

fastmcp/server/auth/providers/aws.py

@@ -23,6 +23,7 @@ Example:
 
 from __future__ import annotations
 
+from key_value.aio.protocols import AsyncKeyValue
 from pydantic import AnyHttpUrl, SecretStr, field_validator
 from pydantic_settings import BaseSettings, SettingsConfigDict
 
@@ -30,6 +31,7 @@ from fastmcp.server.auth import TokenVerifier
 from fastmcp.server.auth.auth import AccessToken
 from fastmcp.server.auth.oidc_proxy import OIDCProxy
 from fastmcp.server.auth.providers.jwt import JWTVerifier
+from fastmcp.settings import ENV_FILE
 from fastmcp.utilities.auth import parse_scopes
 from fastmcp.utilities.logging import get_logger
 from fastmcp.utilities.types import NotSet, NotSetT
@@ -42,7 +44,7 @@ class AWSCognitoProviderSettings(BaseSettings):
 
     model_config = SettingsConfigDict(
         env_prefix="FASTMCP_SERVER_AUTH_AWS_COGNITO_",
-        env_file=".env",
+        env_file=ENV_FILE,
         extra="ignore",
     )
 
@@ -51,6 +53,7 @@ class AWSCognitoProviderSettings(BaseSettings):
     client_id: str | None = None
     client_secret: SecretStr | None = None
     base_url: AnyHttpUrl | str | None = None
+    issuer_url: AnyHttpUrl | str | None = None
     redirect_path: str | None = None
     required_scopes: list[str] | None = None
     allowed_client_redirect_uris: list[str] | None = None
@@ -127,9 +130,11 @@ class AWSCognitoProvider(OIDCProxy):
         client_id: str | NotSetT = NotSet,
         client_secret: str | NotSetT = NotSet,
         base_url: AnyHttpUrl | str | NotSetT = NotSet,
+        issuer_url: AnyHttpUrl | str | NotSetT = NotSet,
         redirect_path: str | NotSetT = NotSet,
         required_scopes: list[str] | NotSetT = NotSet,
         allowed_client_redirect_uris: list[str] | NotSetT = NotSet,
+        client_storage: AsyncKeyValue | None = None,
     ):
         """Initialize AWS Cognito OAuth provider.
 
@@ -138,11 +143,14 @@ class AWSCognitoProvider(OIDCProxy):
             aws_region: AWS region where your User Pool is located (defaults to "eu-central-1")
             client_id: Cognito app client ID
             client_secret: Cognito app client secret
-            base_url: Public URL of your FastMCP server (for OAuth callbacks)
+            base_url: Public URL where OAuth endpoints will be accessible (includes any mount path)
+            issuer_url: Issuer URL for OAuth metadata (defaults to base_url). Use root-level URL
+                to avoid 404s during discovery when mounting under a path.
             redirect_path: Redirect path configured in Cognito app (defaults to "/auth/callback")
             required_scopes: Required Cognito scopes (defaults to ["openid"])
             allowed_client_redirect_uris: List of allowed redirect URI patterns for MCP clients.
                 If None (default), all URIs are allowed. If empty list, no URIs are allowed.
+            client_storage: An AsyncKeyValue-compatible store for client registrations, registrations are stored in memory if not provided
         """
 
         settings = AWSCognitoProviderSettings.model_validate(
@@ -154,6 +162,7 @@ class AWSCognitoProvider(OIDCProxy):
                     "client_id": client_id,
                     "client_secret": client_secret,
                     "base_url": base_url,
+                    "issuer_url": issuer_url,
                     "redirect_path": redirect_path,
                     "required_scopes": required_scopes,
                     "allowed_client_redirect_uris": allowed_client_redirect_uris,
@@ -202,11 +211,13 @@ class AWSCognitoProvider(OIDCProxy):
             algorithm="RS256",
             required_scopes=required_scopes_final,
             base_url=settings.base_url,
+            issuer_url=settings.issuer_url,
             redirect_path=redirect_path_final,
             allowed_client_redirect_uris=allowed_client_redirect_uris_final,
+            client_storage=client_storage,
         )
 
-        logger.info(
+        logger.debug(
             "Initialized AWS Cognito OAuth provider for client %s with scopes: %s",
             settings.client_id,
             required_scopes_final,

fastmcp/server/auth/providers/azure.py

@@ -6,17 +6,23 @@ using the OAuth Proxy pattern for non-DCR OAuth flows.
 
 from __future__ import annotations
 
-import httpx
+from typing import TYPE_CHECKING
+
+from key_value.aio.protocols import AsyncKeyValue
 from pydantic import SecretStr, field_validator
 from pydantic_settings import BaseSettings, SettingsConfigDict
 
-from fastmcp.server.auth import AccessToken, TokenVerifier
 from fastmcp.server.auth.oauth_proxy import OAuthProxy
+from fastmcp.server.auth.providers.jwt import JWTVerifier
+from fastmcp.settings import ENV_FILE
 from fastmcp.utilities.auth import parse_scopes
 from fastmcp.utilities.logging import get_logger
-from fastmcp.utilities.storage import KVStorage
 from fastmcp.utilities.types import NotSet, NotSetT
 
+if TYPE_CHECKING:
+    from mcp.server.auth.provider import AuthorizationParams
+    from mcp.shared.auth import OAuthClientInformationFull
+
 logger = get_logger(__name__)
 
 
@@ -25,94 +31,30 @@ class AzureProviderSettings(BaseSettings):
 
     model_config = SettingsConfigDict(
         env_prefix="FASTMCP_SERVER_AUTH_AZURE_",
-        env_file=".env",
+        env_file=ENV_FILE,
         extra="ignore",
     )
 
     client_id: str | None = None
     client_secret: SecretStr | None = None
     tenant_id: str | None = None
+    identifier_uri: str | None = None
     base_url: str | None = None
+    issuer_url: str | None = None
     redirect_path: str | None = None
     required_scopes: list[str] | None = None
-    timeout_seconds: int | None = None
+    additional_authorize_scopes: list[str] | None = None
     allowed_client_redirect_uris: list[str] | None = None
 
     @field_validator("required_scopes", mode="before")
     @classmethod
-    def _parse_scopes(cls, v):
+    def _parse_scopes(cls, v: object) -> list[str] | None:
         return parse_scopes(v)
 
-
-class AzureTokenVerifier(TokenVerifier):
-    """Token verifier for Azure OAuth tokens.
-
-    Azure tokens are JWTs, but we verify them by calling the Microsoft Graph API
-    to get user information and validate the token.
-    """
-
-    def __init__(
-        self,
-        *,
-        required_scopes: list[str] | None = None,
-        timeout_seconds: int = 10,
-    ):
-        """Initialize the Azure token verifier.
-
-        Args:
-            required_scopes: Required OAuth scopes
-            timeout_seconds: HTTP request timeout
-        """
-        super().__init__(required_scopes=required_scopes)
-        self.timeout_seconds = timeout_seconds
-
-    async def verify_token(self, token: str) -> AccessToken | None:
-        """Verify Azure OAuth token by calling Microsoft Graph API."""
-        try:
-            async with httpx.AsyncClient(timeout=self.timeout_seconds) as client:
-                # Use Microsoft Graph API to validate token and get user info
-                response = await client.get(
-                    "https://graph.microsoft.com/v1.0/me",
-                    headers={
-                        "Authorization": f"Bearer {token}",
-                        "User-Agent": "FastMCP-Azure-OAuth",
-                    },
-                )
-
-                if response.status_code != 200:
-                    logger.debug(
-                        "Azure token verification failed: %d - %s",
-                        response.status_code,
-                        response.text[:200],
-                    )
-                    return None
-
-                user_data = response.json()
-
-                # Create AccessToken with Azure user info
-                return AccessToken(
-                    token=token,
-                    client_id=str(user_data.get("id", "unknown")),
-                    scopes=self.required_scopes or [],
-                    expires_at=None,
-                    claims={
-                        "sub": user_data.get("id"),
-                        "email": user_data.get("mail")
-                        or user_data.get("userPrincipalName"),
-                        "name": user_data.get("displayName"),
-                        "given_name": user_data.get("givenName"),
-                        "family_name": user_data.get("surname"),
-                        "job_title": user_data.get("jobTitle"),
-                        "office_location": user_data.get("officeLocation"),
-                    },
-                )
-
-        except httpx.RequestError as e:
-            logger.debug("Failed to verify Azure token: %s", e)
-            return None
-        except Exception as e:
-            logger.debug("Azure token verification error: %s", e)
-            return None
+    @field_validator("additional_authorize_scopes", mode="before")
+    @classmethod
+    def _parse_additional_authorize_scopes(cls, v: object) -> list[str] | None:
+        return parse_scopes(v)
 
 
 class AzureProvider(OAuthProxy):
@@ -123,16 +65,17 @@ class AzureProvider(OAuthProxy):
     Microsoft accounts depending on the tenant configuration.
 
     Features:
-    - Transparent OAuth proxy to Azure/Microsoft identity platform
-    - Automatic token validation via Microsoft Graph API
-    - User information extraction
-    - Support for different tenant configurations (common, organizations, consumers)
-
-    Setup Requirements:
-    1. Register an application in Azure Portal (portal.azure.com)
-    2. Configure redirect URI as: http://localhost:8000/auth/callback
-    3. Note your Application (client) ID and create a client secret
-    4. Optionally note your Directory (tenant) ID for single-tenant apps
+    - OAuth proxy to Azure/Microsoft identity platform
+    - JWT validation using tenant issuer and JWKS
+    - Supports tenant configurations: specific tenant ID, "organizations", or "consumers"
+
+    Setup:
+    1. Create an App registration in Azure Portal
+    2. Configure Web platform redirect URI: http://localhost:8000/auth/callback (or your custom path)
+    3. Add an Application ID URI. Either use the default (api://{client_id}) or set a custom one.
+    4. Add a custom scope.
+    5. Create a client secret.
+    6. Get Application (client) ID, Directory (tenant) ID, and client secret
 
     Example:
         ```python
@@ -142,8 +85,10 @@ class AzureProvider(OAuthProxy):
         auth = AzureProvider(
             client_id="your-client-id",
             client_secret="your-client-secret",
-            tenant_id="your-tenant-id",  # Required: your Azure tenant ID from Azure Portal
-            base_url="http://localhost:8000"
+            tenant_id="your-tenant-id",
+            required_scopes=["your-scope"],
+            base_url="http://localhost:8000",
+            # identifier_uri defaults to api://{client_id}
         )
 
         mcp = FastMCP("My App", auth=auth)
@@ -156,27 +101,36 @@ class AzureProvider(OAuthProxy):
         client_id: str | NotSetT = NotSet,
         client_secret: str | NotSetT = NotSet,
         tenant_id: str | NotSetT = NotSet,
+        identifier_uri: str | None | NotSetT = NotSet,
         base_url: str | NotSetT = NotSet,
+        issuer_url: str | NotSetT = NotSet,
         redirect_path: str | NotSetT = NotSet,
         required_scopes: list[str] | None | NotSetT = NotSet,
-        timeout_seconds: int | NotSetT = NotSet,
+        additional_authorize_scopes: list[str] | None | NotSetT = NotSet,
         allowed_client_redirect_uris: list[str] | NotSetT = NotSet,
-        client_storage: KVStorage | None = None,
-    ):
+        client_storage: AsyncKeyValue | None = None,
+    ) -> None:
         """Initialize Azure OAuth provider.
 
         Args:
             client_id: Azure application (client) ID
             client_secret: Azure client secret
             tenant_id: Azure tenant ID (your specific tenant ID, "organizations", or "consumers")
-            base_url: Public URL of your FastMCP server (for OAuth callbacks)
+            identifier_uri: Optional Application ID URI for your API. (defaults to api://{client_id})
+                Used only to prefix scopes in authorization requests. Tokens are always validated
+                against your app's client ID.
+            base_url: Public URL where OAuth endpoints will be accessible (includes any mount path)
+            issuer_url: Issuer URL for OAuth metadata (defaults to base_url). Use root-level URL
+                to avoid 404s during discovery when mounting under a path.
             redirect_path: Redirect path configured in Azure (defaults to "/auth/callback")
-            required_scopes: Required scopes (defaults to ["User.Read", "email", "openid", "profile"])
-            timeout_seconds: HTTP request timeout for Azure API calls
+            required_scopes: Required scopes. These are validated on tokens and used as defaults
+                when the client does not request specific scopes.
+            additional_authorize_scopes: Additional scopes to include in the authorization request
+                without prefixing. Use this to request upstream scopes such as Microsoft Graph
+                permissions. These are not used for token validation.
             allowed_client_redirect_uris: List of allowed redirect URI patterns for MCP clients.
                 If None (default), all URIs are allowed. If empty list, no URIs are allowed.
-            client_storage: Storage implementation for OAuth client registrations.
-                Defaults to file-based storage if not specified.
+            client_storage: An AsyncKeyValue-compatible store for client registrations, registrations are stored in memory if not provided
         """
         settings = AzureProviderSettings.model_validate(
             {
@@ -185,10 +139,12 @@ class AzureProvider(OAuthProxy):
                     "client_id": client_id,
                     "client_secret": client_secret,
                     "tenant_id": tenant_id,
+                    "identifier_uri": identifier_uri,
                     "base_url": base_url,
+                    "issuer_url": issuer_url,
                     "redirect_path": redirect_path,
                     "required_scopes": required_scopes,
-                    "timeout_seconds": timeout_seconds,
+                    "additional_authorize_scopes": additional_authorize_scopes,
                     "allowed_client_redirect_uris": allowed_client_redirect_uris,
                 }.items()
                 if v is not NotSet
@@ -197,45 +153,48 @@ class AzureProvider(OAuthProxy):
 
         # Validate required settings
         if not settings.client_id:
-            raise ValueError(
-                "client_id is required - set via parameter or FASTMCP_SERVER_AUTH_AZURE_CLIENT_ID"
-            )
+            msg = "client_id is required - set via parameter or FASTMCP_SERVER_AUTH_AZURE_CLIENT_ID"
+            raise ValueError(msg)
         if not settings.client_secret:
-            raise ValueError(
-                "client_secret is required - set via parameter or FASTMCP_SERVER_AUTH_AZURE_CLIENT_SECRET"
-            )
+            msg = "client_secret is required - set via parameter or FASTMCP_SERVER_AUTH_AZURE_CLIENT_SECRET"
+            raise ValueError(msg)
 
         # Validate tenant_id is provided
         if not settings.tenant_id:
-            raise ValueError(
-                "tenant_id is required - set via parameter or FASTMCP_SERVER_AUTH_AZURE_TENANT_ID. "
-                "Use your Azure tenant ID (found in Azure Portal), 'organizations', or 'consumers'"
+            msg = (
+                "tenant_id is required - set via parameter or "
+                "FASTMCP_SERVER_AUTH_AZURE_TENANT_ID. Use your Azure tenant ID "
+                "(found in Azure Portal), 'organizations', or 'consumers'"
             )
+            raise ValueError(msg)
+
+        if not settings.required_scopes:
+            raise ValueError("required_scopes is required")
 
         # Apply defaults
+        self.identifier_uri = settings.identifier_uri or f"api://{settings.client_id}"
+        self.additional_authorize_scopes = settings.additional_authorize_scopes or []
         tenant_id_final = settings.tenant_id
 
-        timeout_seconds_final = settings.timeout_seconds or 10
-        # Default scopes for Azure - User.Read gives us access to user info via Graph API
-        scopes_final = settings.required_scopes or [
-            "User.Read",
-            "email",
-            "openid",
-            "profile",
-        ]
-        allowed_client_redirect_uris_final = settings.allowed_client_redirect_uris
+        # Always validate tokens against the app's API client ID using JWT
+        issuer = f"https://login.microsoftonline.com/{tenant_id_final}/v2.0"
+        jwks_uri = (
+            f"https://login.microsoftonline.com/{tenant_id_final}/discovery/v2.0/keys"
+        )
+
+        token_verifier = JWTVerifier(
+            jwks_uri=jwks_uri,
+            issuer=issuer,
+            audience=settings.client_id,
+            algorithm="RS256",
+            required_scopes=settings.required_scopes,
+        )
 
         # Extract secret string from SecretStr
         client_secret_str = (
             settings.client_secret.get_secret_value() if settings.client_secret else ""
         )
 
-        # Create Azure token verifier
-        token_verifier = AzureTokenVerifier(
-            required_scopes=scopes_final,
-            timeout_seconds=timeout_seconds_final,
-        )
-
         # Build Azure OAuth endpoints with tenant
         authorization_endpoint = (
             f"https://login.microsoftonline.com/{tenant_id_final}/oauth2/v2.0/authorize"
@@ -253,13 +212,67 @@ class AzureProvider(OAuthProxy):
             token_verifier=token_verifier,
             base_url=settings.base_url,
             redirect_path=settings.redirect_path,
-            issuer_url=settings.base_url,
-            allowed_client_redirect_uris=allowed_client_redirect_uris_final,
+            issuer_url=settings.issuer_url
+            or settings.base_url,  # Default to base_url if not specified
+            allowed_client_redirect_uris=settings.allowed_client_redirect_uris,
             client_storage=client_storage,
         )
 
         logger.info(
-            "Initialized Azure OAuth provider for client %s with tenant %s",
+            "Initialized Azure OAuth provider for client %s with tenant %s%s",
             settings.client_id,
             tenant_id_final,
+            f" and identifier_uri {self.identifier_uri}" if self.identifier_uri else "",
         )
+
+    async def authorize(
+        self,
+        client: OAuthClientInformationFull,
+        params: AuthorizationParams,
+    ) -> str:
+        """Start OAuth transaction and redirect to Azure AD.
+
+        Override parent's authorize method to filter out the 'resource' parameter
+        which is not supported by Azure AD v2.0 endpoints. The v2.0 endpoints use
+        scopes to determine the resource/audience instead of a separate parameter.
+
+        Args:
+            client: OAuth client information
+            params: Authorization parameters from the client
+
+        Returns:
+            Authorization URL to redirect the user to Azure AD
+        """
+        # Clear the resource parameter that Azure AD v2.0 doesn't support
+        # This parameter comes from RFC 8707 (OAuth 2.0 Resource Indicators)
+        # but Azure AD v2.0 uses scopes instead to determine the audience
+        params_to_use = params
+        if hasattr(params, "resource"):
+            original_resource = getattr(params, "resource", None)
+            if original_resource is not None:
+                params_to_use = params.model_copy(update={"resource": None})
+                if original_resource:
+                    logger.debug(
+                        "Filtering out 'resource' parameter '%s' for Azure AD v2.0 (use scopes instead)",
+                        original_resource,
+                    )
+        original_scopes = params_to_use.scopes or self.required_scopes
+        prefixed_scopes = (
+            self._add_prefix_to_scopes(original_scopes)
+            if self.identifier_uri
+            else original_scopes
+        )
+
+        final_scopes = list(prefixed_scopes)
+        if self.additional_authorize_scopes:
+            final_scopes.extend(self.additional_authorize_scopes)
+
+        modified_params = params_to_use.model_copy(update={"scopes": final_scopes})
+
+        auth_url = await super().authorize(client, modified_params)
+        separator = "&" if "?" in auth_url else "?"
+        return f"{auth_url}{separator}prompt=select_account"
+
+    def _add_prefix_to_scopes(self, scopes: list[str]) -> list[str]:
+        """Add Application ID URI prefix for authorization request."""
+        return [f"{self.identifier_uri}/{scope}" for scope in scopes]

fastmcp/server/auth/providers/descope.py

@@ -7,8 +7,6 @@ for seamless MCP client authentication.
 
 from __future__ import annotations
 
-from typing import Any
-
 import httpx
 from pydantic import AnyHttpUrl
 from pydantic_settings import BaseSettings, SettingsConfigDict
@@ -17,6 +15,7 @@ from starlette.routing import Route
 
 from fastmcp.server.auth import RemoteAuthProvider, TokenVerifier
 from fastmcp.server.auth.providers.jwt import JWTVerifier
+from fastmcp.settings import ENV_FILE
 from fastmcp.utilities.logging import get_logger
 from fastmcp.utilities.types import NotSet, NotSetT
 
@@ -26,7 +25,7 @@ logger = get_logger(__name__)
 class DescopeProviderSettings(BaseSettings):
     model_config = SettingsConfigDict(
         env_prefix="FASTMCP_SERVER_AUTH_DESCOPEPROVIDER_",
-        env_file=".env",
+        env_file=ENV_FILE,
         extra="ignore",
     )
 
@@ -127,7 +126,6 @@ class DescopeProvider(RemoteAuthProvider):
     def get_routes(
         self,
         mcp_path: str | None = None,
-        mcp_endpoint: Any | None = None,
     ) -> list[Route]:
         """Get OAuth routes including Descope authorization server metadata forwarding.
 
@@ -136,10 +134,10 @@ class DescopeProvider(RemoteAuthProvider):
 
         Args:
             mcp_path: The path where the MCP endpoint is mounted (e.g., "/mcp")
-            mcp_endpoint: The MCP endpoint handler to protect with auth
+                This is used to advertise the resource URL in metadata.
         """
         # Get the standard protected resource routes from RemoteAuthProvider
-        routes = super().get_routes(mcp_path, mcp_endpoint)
+        routes = super().get_routes(mcp_path)
 
         async def oauth_authorization_server_metadata(request):
             """Forward Descope OAuth authorization server metadata with FastMCP customizations."""