Skip to content

TSG: OAuth metadata discovery behind a reverse proxy#1972

Merged
anuchandy merged 1 commit intomicrosoft:mainfrom
anuchandy:tsg-oauth-metadata-reverse-proxy
Mar 10, 2026
Merged

TSG: OAuth metadata discovery behind a reverse proxy#1972
anuchandy merged 1 commit intomicrosoft:mainfrom
anuchandy:tsg-oauth-metadata-reverse-proxy

Conversation

@anuchandy
Copy link
Member

@anuchandy anuchandy commented Mar 9, 2026

What does this PR do?

Add troubleshooting section for AZURE_MCP_DANGEROUSLY_ENABLE_FORWARDED_HEADERS to fix OAuth Protected Resource Metadata returning wrong-scheme URLs when the server is behind a TLS-terminating reverse proxy.

[Any additional context, screenshots, or information that helps reviewers]

GitHub issue number?

[Link to the GitHub issue this PR addresses]

Pre-merge Checklist

  • Required for All PRs
    • Read contribution guidelines
    • PR title clearly describes the change
    • Commit history is clean with descriptive messages (cleanup guide)
    • Added comprehensive tests for new/modified functionality
    • Updated servers/Azure.Mcp.Server/CHANGELOG.md and/or servers/Fabric.Mcp.Server/CHANGELOG.md for product changes (features, bug fixes, UI/UX, updated dependencies)
  • For MCP tool changes:
    • One tool per PR: This PR adds or modifies only one MCP tool for faster review cycles
    • Updated servers/Azure.Mcp.Server/README.md and/or servers/Fabric.Mcp.Server/README.md documentation
    • Validate README.md changes using script at eng/scripts/Process-PackageReadMe.ps1. See Package README
    • Updated command list in /servers/Azure.Mcp.Server/docs/azmcp-commands.md and/or /docs/fabric-commands.md
    • Run .\eng\scripts\Update-AzCommandsMetadata.ps1 to update tool metadata in azmcp-commands.md (required for CI)
    • For new or modified tool descriptions, ran ToolDescriptionEvaluator and obtained a score of 0.4 or more and a top 3 ranking for all related test prompts
    • For tools with new names, including new tools or renamed tools, update consolidated-tools.json
    • For new tools associated with Azure services or publicly available tools/APIs/products, add URL to documentation in the PR description
  • Extra steps for Azure MCP Server tool changes:
    • Updated test prompts in /servers/Azure.Mcp.Server/docs/e2eTestPrompts.md
    • 👉 For Community (non-Microsoft team member) PRs:
      • Security review: Reviewed code for security vulnerabilities, malicious code, or suspicious activities before running tests (crypto mining, spam, data exfiltration, etc.)
      • Manual tests run: added comment /azp run mcp - pullrequest - live to run Live Test Pipeline

@anuchandy anuchandy self-assigned this Mar 9, 2026
Copilot AI review requested due to automatic review settings March 9, 2026 23:10
@anuchandy anuchandy requested review from a team as code owners March 9, 2026 23:10
@github-project-automation github-project-automation bot moved this to Untriaged in Azure MCP Server Mar 9, 2026
Copilot AI reviewed Mar 9, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds a troubleshooting section to the Azure MCP Server's TROUBLESHOOTING.md documenting how to fix OAuth Protected Resource Metadata URL scheme issues when the server runs behind a TLS-terminating reverse proxy (e.g., Azure Container Apps). The fix involves setting the AZURE_MCP_DANGEROUSLY_ENABLE_FORWARDED_HEADERS=true environment variable.

Changes:

  • Added a new "OAuth metadata discovery behind a reverse proxy" section under "Remote MCP Server (preview)" explaining the problem and the environment variable fix.

@anuchandy anuchandy force-pushed the tsg-oauth-metadata-reverse-proxy branch from 668bd65 to 5166d55 Compare March 9, 2026 23:36
@github-project-automation github-project-automation bot moved this from Untriaged to In Progress in Azure MCP Server Mar 9, 2026
@anuchandy anuchandy enabled auto-merge (squash) March 9, 2026 23:37
@anuchandy anuchandy merged commit 91def97 into microsoft:main Mar 10, 2026
15 checks passed
@github-project-automation github-project-automation bot moved this from In Progress to Done in Azure MCP Server Mar 10, 2026
@anuchandy anuchandy deleted the tsg-oauth-metadata-reverse-proxy branch March 10, 2026 01:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@g2vinay g2vinay g2vinay approved these changes

@hallipr hallipr Awaiting requested review from hallipr hallipr is a code owner automatically assigned from microsoft/azure-mcp

@jongio jongio Awaiting requested review from jongio jongio is a code owner automatically assigned from microsoft/azure-mcp

@weshaggard weshaggard Awaiting requested review from weshaggard weshaggard is a code owner automatically assigned from microsoft/azure-mcp

@sandeep-sen sandeep-sen Awaiting requested review from sandeep-sen sandeep-sen is a code owner automatically assigned from microsoft/azure-mcp

@chidozieononiwu chidozieononiwu Awaiting requested review from chidozieononiwu chidozieononiwu is a code owner automatically assigned from microsoft/azure-mcp

@JasonYeMSFT JasonYeMSFT Awaiting requested review from JasonYeMSFT JasonYeMSFT is a code owner automatically assigned from microsoft/azure-mcp

@jairmyree jairmyree Awaiting requested review from jairmyree jairmyree is a code owner automatically assigned from microsoft/azure-mcp

Assignees

@anuchandy anuchandy

Labels

None yet

Projects

Azure MCP Server
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@anuchandy @g2vinay