MCP server settings should allow specifying an external OAuth identity provider #53245
Replies: 3 comments
-
|
The Slack MCP server triggers this as well: "Slack": {
"url": "https://mcp.slack.com/mcp",
}, |
Beta Was this translation helpful? Give feedback.
-
|
The Atlassian MCP server has the same problem. |
Beta Was this translation helpful? Give feedback.
-
|
@draeron , a server-side option for your case, since this flag may be a long wait: the What works today with unmodified Zed: give the MCP server its own small authorization server (a bridge) instead of pointing the metadata at Entra. The bridge is the issuer, so Zed's issuer validation passes as-is, and it accepts dynamic client registration from any MCP client, while Entra stays the identity source behind it as one ordinary pre-registered app. It mints its own short-lived tokens for the MCP session; Entra tokens never reach the client, and your JWT validation concern disappears because the tokens Zed sees are the bridge's, not Entra's. Disclosure: I maintain an MIT Node library implementing this, mcp-sso, with an Entra identity port. Runs as a library or as a standalone gateway in front of a non-Node backend. Happy to help if you try it, issues get fixed fast. To be fair to the rest of the thread: @nertzy's and @cf-rdegregory's cases (Slack, Atlassian) are vendor-hosted servers, so a bridge can't help there, those genuinely need the client-side fix this discussion asks for, it could if you use an api key mcp connection behind something like mcp-sso. |
Beta Was this translation helpful? Give feedback.

Uh oh!
There was an error while loading. Please reload this page.
-
Body
Description
When an MCP server delegates OAuth to an external IdP (e.g. Microsoft Entra/Azure AD), Zed fails during discovery with:
The MCP server hosts
/.well-known/oauth-authorization-serverwith anissuerpointing to the real token issuer (Entra). This is a standard enterprise delegation pattern — theissuercannot simply be changed to the MCP server's own URL without breaking JWT token validation.Feature Request
It should be possible to configure the OAuth issuer URL directly in the MCP server settings, for example:
{ "context_servers": { "my-server": { "url": "https://my-mcp-server.com", "oauth_issuer": "https://login.microsoftonline.com/<tenant-id>/v2.0" } } }This would allow Zed to skip the issuer mismatch check and proceed with the OAuth flow using the correct external IdP, which is a common requirement in enterprise environments.
Environment
Beta Was this translation helpful? Give feedback.
All reactions