
fix: accept both client_id and identifier_uri as Azure audience #3797

Merged
jlowin merged 2 commits into main from fix/azure-audience-mismatch on Apr 9, 2026

Conversation

@jlowin (Member) commented Apr 9, 2026

PR #3787 fixed audience validation for custom identifier_uri values (like api://my-app-name from Bicep deployments) by switching from audience=client_id to audience=identifier_uri. But this broke the default case: when identifier_uri is the default api://{guid}, Azure AD v2 tokens set aud to the bare GUID, not the api:// form — so every token got rejected.

The fix accepts both formats as valid audiences, which JWTVerifier already supports natively. This is safe because both values are identifiers for the same Azure app registration — client IDs are GUIDs and can't collide with URI-format identifier URIs.

# Before (3.2.0): only bare GUID — broke custom identifier_uri
audience=client_id

# Before (3.2.1): only identifier_uri — broke default api://{guid} case
audience=self.identifier_uri

# Now: both — works for v1 tokens, v2 tokens, and custom URIs
audience=[client_id, self.identifier_uri]

Fixes #3796

…oken validation

Azure AD v2 tokens set `aud` to the bare client ID, while v1 tokens use
the Application ID URI. Accept both so validation works regardless of
`accessTokenAcceptedVersion`.

Fixes #3796
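The three audience settings quoted above can be compared side by side with a small model of the `aud` check. The following is an added example written for this page, not code from the FastMCP project or its JWTVerifier: it decodes the `aud` claim of constructed, unsigned sample tokens and applies each policy to them. The client ID, the custom identifier URI and the token contents are all constructed placeholders. Only the audience comparison is modelled; a real verifier checks the signature, issuer and expiry before `aud` is consulted.

```python
from __future__ import annotations

import base64
import json


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed sample token: header and payload only, empty signature.

    Only the `aud` claim matters here; a real verifier validates the
    signature, `iss` and `exp` first and only then compares `aud`.
    """
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def audience_claim(token: str) -> list[str]:
    """Return `aud` as a list (RFC 7519 allows a string or an array)."""
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    aud = payload.get("aud")
    if aud is None:
        return []
    return [aud] if isinstance(aud, str) else list(aud)


def audience_accepted(token: str, accepted: str | list[str]) -> bool:
    """True if any value in the token's `aud` is in the accepted allow-list.

    The list form is an allow-list of exact identifiers for one app
    registration, not a wildcard: anything outside it is still rejected.
    """
    allowed = {accepted} if isinstance(accepted, str) else set(accepted)
    return any(a in allowed for a in audience_claim(token))


# Constructed identifiers; the GUID is a placeholder, not a real app registration.
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
DEFAULT_IDENTIFIER_URI = f"api://{CLIENT_ID}"
CUSTOM_IDENTIFIER_URI = "api://my-app-name"

# Constructed tokens modelling the shapes of `aud` discussed in the PR.
V2_TOKEN = make_unsigned_jwt({"aud": CLIENT_ID})                  # v2: bare GUID
V1_TOKEN = make_unsigned_jwt({"aud": DEFAULT_IDENTIFIER_URI})     # v1: api://{guid}
CUSTOM_TOKEN = make_unsigned_jwt({"aud": CUSTOM_IDENTIFIER_URI})  # custom identifier_uri
OTHER_APP_TOKEN = make_unsigned_jwt({"aud": "api://some-other-app"})  # wrong audience


def policy_matrix(identifier_uri: str) -> dict[str, dict[str, bool]]:
    """Outcome of each audience policy for each token shape.

    "3.2.0" and "3.2.1" mirror the two earlier settings quoted in the PR;
    "both" is the merged behaviour, audience=[client_id, identifier_uri].
    """
    policies = {
        "3.2.0": CLIENT_ID,
        "3.2.1": identifier_uri,
        "both": [CLIENT_ID, identifier_uri],
    }
    tokens = {"v2": V2_TOKEN, "v1": V1_TOKEN, "custom": CUSTOM_TOKEN, "other": OTHER_APP_TOKEN}
    return {
        name: {label: audience_accepted(tok, accepted) for label, tok in tokens.items()}
        for name, accepted in policies.items()
    }


if __name__ == "__main__":
    for config, uri in (("default", DEFAULT_IDENTIFIER_URI), ("custom", CUSTOM_IDENTIFIER_URI)):
        print(f"identifier_uri={uri} ({config})")
        for policy, results in policy_matrix(uri).items():
            print(f"  {policy:>6}: {results}")
```

Running it prints, for the default `api://{guid}` configuration, that the 3.2.0 setting accepts only the v2 token, the 3.2.1 setting accepts only the v1 token, and the list form accepts both; with a custom identifier URI the list form accepts the v2 token and the custom-URI token. In every configuration the token for another app is rejected, which is the property that makes the two-entry allow-list safe.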
@marvin-context-protocol (bot) added the labels bug, auth and server on Apr 9, 2026
@jlowin jlowin merged commit 6592aaa into main Apr 9, 2026
8 checks passed
@jlowin jlowin deleted the fix/azure-audience-mismatch branch April 9, 2026 00:25

Development

Successfully merging this pull request may close these issues.

AzureProvider: audience mismatch in 3.2.1 — Azure v2 tokens use client_id, not identifier_uri
