fix(auth): add Accept header to token and refresh requests

xueyuan · xueyuan · commit d6981b30001e · 2026-05-27T12:04:41.000+08:00
OAuthClientProvider._build_token_request and _refresh_token did not
include an Accept header, so servers that default to form-encoded
responses (e.g. GitHub's OAuth token endpoint) would not return JSON.
This caused token exchange to fail with a parse error.

Added Accept: application/json to both token exchange and refresh
requests so servers know to respond with JSON.
diff --git a/src/mcp/client/auth/oauth2.py b/src/mcp/client/auth/oauth2.py
@@ -402,7 +402,10 @@ async def _exchange_token_authorization_code(
             token_data["resource"] = self.context.get_resource_url()  # RFC 8707
 
         # Prepare authentication based on preferred method
-        headers = {"Content-Type": "application/x-www-form-urlencoded"}
+        headers = {
+            "Content-Type": "application/x-www-form-urlencoded",
+            "Accept": "application/json",
+        }
         token_data, headers = self.context.prepare_token_auth(token_data, headers)
 
         return httpx.Request("POST", token_url, data=token_data, headers=headers)
@@ -447,7 +450,10 @@ async def _refresh_token(self) -> httpx.Request:
             refresh_data["resource"] = self.context.get_resource_url()  # RFC 8707
 
         # Prepare authentication based on preferred method
-        headers = {"Content-Type": "application/x-www-form-urlencoded"}
+        headers = {
+            "Content-Type": "application/x-www-form-urlencoded",
+            "Accept": "application/json",
+        }
         refresh_data, headers = self.context.prepare_token_auth(refresh_data, headers)
 
         return httpx.Request("POST", token_url, data=refresh_data, headers=headers)
diff --git a/tests/client/test_auth.py b/tests/client/test_auth.py
@@ -597,6 +597,7 @@ async def test_token_exchange_request_authorization_code(self, oauth_provider: O
         assert request.method == "POST"
         assert str(request.url) == "https://api.example.com/token"
         assert request.headers["Content-Type"] == "application/x-www-form-urlencoded"
+        assert request.headers["Accept"] == "application/json"
 
         # Check form data
         content = request.content.decode()
@@ -623,6 +624,7 @@ async def test_refresh_token_request(self, oauth_provider: OAuthClientProvider,
         assert request.method == "POST"
         assert str(request.url) == "https://api.example.com/token"
         assert request.headers["Content-Type"] == "application/x-www-form-urlencoded"
+        assert request.headers["Accept"] == "application/json"
 
         # Check form data
         content = request.content.decode()
