/token endpoint should validate redirect_uri matches

[praboud-ant]

Describe the bug
The /token endpoint doesn't check that the redirect_uri provided in the request matches the redirect_uri originally provided in the /authorize request, which is required by https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3.

redirect_uri: REQUIRED, if the "redirect_uri" parameter was included in the authorization request as described in Section 4.1.1, and their values MUST be identical.

This seems like a problem with the way the AuthProvider interface is designed - the only method the provider can expose is challengeForAuthorizationCode, so there's no way for the provider to tell the SDK what redirect_uri was originally provided. Fixing this will require a change to the interface (and the cleanest way to fix it is a breaking change), so we should probably fix this before too many integrations grow around the existing AuthProvider interface.

To Reproduce
Steps to reproduce the behavior:

1. Make an /authorize request
2. Make an /token request with a different redirect_uri; this returns a successful response.

Expected behavior
The /token request should return an HTTP 400 with error=invalid_grant (https://datatracker.ietf.org/doc/html/rfc6749#section-5.2).

[windro-xdd]

I'd like to take this. I'll enforce redirect_uri matching between /authorize and /token per RFC 6749 section 4.1.3, with regression tests for mismatch and missing redirect_uri cases.

[mcp-claude]

the token handler does not validate that the redirect_uri in the token exchange matches the one from the original /authorize request, as required by RFC 6749 §4.1.3. an attacker in possession of a stolen authorization code can exchange it with an arbitrary redirect_uri and receive a valid access token.

present on v1.x only — main removed the built-in auth server layer.

root cause: src/server/auth/handlers/token.ts lines 95–115. challengeForAuthorizationCode() returns only the PKCE code challenge (string); the token handler has no way to retrieve the redirectUri stored during authorization. the value from the token request is forwarded to exchangeAuthorizationCode() without comparison.

workaround: implement exchangeAuthorizationCode() in your provider to compare the incoming redirectUri against the one stored with the authorization code and throw InvalidGrantError on mismatch. the SDK does not enforce this, but the provider can.

repro script, output, and code path

repro script (repro.ts, runnable from repo root on v1.x):

import express from 'express';
import { Server, createServer } from 'node:http';
import { randomUUID } from 'node:crypto';
import { mcpAuthRouter } from './src/server/auth/router.js';
import type { OAuthServerProvider } from './src/server/auth/provider.js';
import type { OAuthClientInformationFull, OAuthTokens } from './src/shared/auth.js';
import type { AuthInfo } from './src/server/auth/types.js';
import type { Response } from 'express';
import { createHash } from 'node:crypto';

const REDIRECT_URI_1 = 'http://localhost:9001/callback';  // used in /authorize
const REDIRECT_URI_2 = 'http://localhost:9002/callback';  // different, used in /token

const CLIENT: OAuthClientInformationFull = {
    client_id: 'test-client', client_secret: 'test-secret',
    redirect_uris: [REDIRECT_URI_1, REDIRECT_URI_2],
    grant_types: ['authorization_code'], response_types: ['code'],
    token_endpoint_auth_method: 'client_secret_post',
};

const codes = new Map<string, { challenge: string; redirectUri: string }>();
const tokens = new Map<string, { clientId: string }>();

const provider: OAuthServerProvider = {
    get clientsStore() {
        return { async getClient(id: string) { return id === CLIENT.client_id ? CLIENT : undefined; } };
    },
    async authorize(client, params, res: Response) {
        const code = randomUUID();
        codes.set(code, { challenge: params.codeChallenge, redirectUri: params.redirectUri });
        const url = new URL(params.redirectUri);
        url.searchParams.set('code', code);
        if (params.state) url.searchParams.set('state', params.state);
        res.redirect(url.toString());
    },
    async challengeForAuthorizationCode(client, code) {
        const d = codes.get(code); if (!d) throw new Error('unknown code'); return d.challenge;
    },
    async exchangeAuthorizationCode(client, code, _codeVerifier?, redirectUri?) {
        const d = codes.get(code); if (!d) throw new Error('unknown code');
        codes.delete(code);
        const token = randomUUID(); tokens.set(token, { clientId: client.client_id });
        return { access_token: token, token_type: 'bearer', expires_in: 3600 };
    },
    async exchangeRefreshToken() { throw new Error('not implemented'); },
    async verifyAccessToken(token): Promise<AuthInfo> {
        const t = tokens.get(token); if (!t) throw new Error('invalid token');
        return { token, clientId: t.clientId, scopes: [], expiresAt: Date.now() / 1000 + 3600 };
    },
};
// ... (full script in investigation)

command and output:

$ npx tsx repro.ts
status: 200 {"access_token":"848442f8-...","token_type":"bearer","expires_in":3600}

❌ BUG REPRODUCED: token exchange succeeded with mismatched redirect_uri
   /authorize used: http://localhost:9001/callback
   /token used:     http://localhost:9002/callback
   RFC 6749 §4.1.3 requires these to match; server did not validate.

code path:

• src/server/auth/handlers/token.ts:95 — parses redirect_uri from token request body
• src/server/auth/handlers/token.ts:102 — calls challengeForAuthorizationCode(client, code) → returns only the PKCE string, no redirect URI
• src/server/auth/handlers/token.ts:109–115 — calls exchangeAuthorizationCode(..., redirect_uri) with the token-request value unchecked
• src/server/auth/provider.ts — challengeForAuthorizationCode signature returns Promise<string>, no redirect URI exposed

suggested fix

// src/server/auth/provider.ts
     challengeForAuthorizationCode(client: OAuthClientInformationFull, authorizationCode: string): Promise<string>;
 
+    /**
+     * Returns the `redirect_uri` that was used when the indicated authorization began, if any.
+     * When implemented, the token handler will compare this against the `redirect_uri` in the
+     * token request and reject mismatches with an `invalid_grant` error, as required by
+     * RFC 6749 §4.1.3.
+     */
+    redirectUriForAuthorizationCode?(client: OAuthClientInformationFull, authorizationCode: string): Promise<string | undefined>;
+
     exchangeAuthorizationCode(

// src/server/auth/handlers/token.ts
                     const skipLocalPkceValidation = provider.skipLocalPkceValidation;
 
+                    // Validate redirect_uri against the one stored at authorization time (RFC 6749 §4.1.3)
+                    if (provider.redirectUriForAuthorizationCode) {
+                        const storedRedirectUri = await provider.redirectUriForAuthorizationCode(client, code);
+                        if (storedRedirectUri !== undefined && storedRedirectUri !== redirect_uri) {
+                            throw new InvalidGrantError('redirect_uri does not match the authorization request');
+                        }
+                    }
+
                     // Perform local PKCE validation unless explicitly skipped

// src/examples/server/demoInMemoryOAuthProvider.ts
         return codeData.params.codeChallenge;
     }
 
+    async redirectUriForAuthorizationCode(_client: OAuthClientInformationFull, authorizationCode: string): Promise<string | undefined> {
+        const codeData = this.codes.get(authorizationCode);
+        return codeData?.params.redirectUri;
+    }
+
     async exchangeAuthorizationCode(

the approach uses an optional method on OAuthServerProvider so existing provider implementations continue to work unchanged. DemoInMemoryAuthProvider implements it by returning the redirectUri already stored in its codes map. ProxyOAuthServerProvider does not implement it (it proxies validation to the upstream server and has skipLocalPkceValidation = true).

test to verify: token exchange with a redirect_uri different from the one used in /authorize returns 400 invalid_grant when the provider implements redirectUriForAuthorizationCode.