diff --git a/internal/server/api.go b/internal/server/api.go
index 21c63fc8e5..5f8a50f640 100644
--- a/internal/server/api.go
+++ b/internal/server/api.go
@@ -233,12 +233,11 @@ func toolInvokeHandler(s *Server, w http.ResponseWriter, r *http.Request) {
 params, err := parameters.ParseParams(tool.GetParameters(), data, claimsFromAuth)
 if err != nil {
- // If auth error, return 401
- errMsg := fmt.Sprintf("error parsing authenticated parameters from ID token: %w", err)
+ // If auth error, return 401 or 403
 var clientServerErr *util.ClientServerError
- if errors.As(err, &clientServerErr) && clientServerErr.Code == http.StatusUnauthorized {
- s.logger.DebugContext(ctx, errMsg)
- _ = render.Render(w, r, newErrResponse(err, http.StatusUnauthorized))
+ if errors.As(err, &clientServerErr) && (clientServerErr.Code == http.StatusUnauthorized || clientServerErr.Code == http.StatusForbidden) {
+ s.logger.DebugContext(ctx, fmt.Sprintf("error parsing authenticated parameters from ID token: %s", err))
+ _ = render.Render(w, r, newErrResponse(err, clientServerErr.Code))
 return
 }
 err = fmt.Errorf("provided parameters were invalid: %w", err)
diff --git a/internal/server/mcp.go b/internal/server/mcp.go
index 8089ba5b1c..3adac31ab7 100644
--- a/internal/server/mcp.go
+++ b/internal/server/mcp.go
@@ -448,12 +448,7 @@ func httpHandler(s *Server, w http.ResponseWriter, r *http.Request) {
 case jsonrpc.INVALID_REQUEST:
 var clientServerErr *util.ClientServerError
 if errors.As(err, &clientServerErr) {
- switch clientServerErr.Code {
- case http.StatusUnauthorized:
- w.WriteHeader(http.StatusUnauthorized)
- case http.StatusForbidden:
- w.WriteHeader(http.StatusForbidden)
- }
+ w.WriteHeader(clientServerErr.Code)
 }
 }
 }
diff --git a/internal/server/mcp/v20241105/method.go b/internal/server/mcp/v20241105/method.go
index 8b3a65dfcb..894d032e1d 100644
--- a/internal/server/mcp/v20241105/method.go
+++ b/internal/server/mcp/v20241105/method.go
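Review bot: The new `s.logger.DebugContext(ctx, fmt.Sprintf("error parsing authenticated parameters from ID token: %s", err))` line pre-formats the error into the message text, which throws away the structured attribute a slog-style logger would otherwise carry; if `s.logger` is a `*slog.Logger` (its type is outside the hunk), prefer `s.logger.DebugContext(ctx, "error parsing authenticated parameters from ID token", "error", err)`. Replacing the old `%w` inside `fmt.Sprintf` with `%s` is correct, since `%w` is only meaningful in `fmt.Errorf` and `go vet` flags it elsewhere. The widened guard admits exactly 401 and 403 before `clientServerErr.Code` is handed to `newErrResponse`, so no other status can reach the client from this branch; a short comment above the `if`, e.g. `// only 401/403 from the auth layer are forwarded verbatim; other parse failures fall through below`, would make that intent explicit for the next reader. toolInvokeHandler begins and ends outside the hunk.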
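Review bot: `w.WriteHeader(clientServerErr.Code)` now forwards whatever code the `util.ClientServerError` carries, where the removed switch only ever wrote 401 or 403. `net/http` panics on a status outside 100–999, so a `ClientServerError` constructed anywhere upstream with a zero or unset `Code` would now abort this handler instead of leaving the status untouched as before, and a non-error code would be written as the status of a JSON-RPC INVALID_REQUEST reply. Unless every `NewClientServerError` call site is known to set a 4xx/5xx code, keep a range check in place of the bare call: `if c := clientServerErr.Code; c >= 400 && c <= 599 { w.WriteHeader(c) }`. httpHandler starts and ends outside the hunk, so where the response body is written after this switch is not visible here.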
@@ -123,8 +123,9 @@ func toolsCallHandler(ctx context.Context, id jsonrpc.RequestId, resourceMgr *re
 }
 if clientAuth {
 if accessToken == "" {
- return jsonrpc.NewError(id, jsonrpc.INVALID_REQUEST, "missing access token in the 'Authorization' header", nil), util.NewClientServerError(
- "missing access token in the 'Authorization' header",
+ errMsg := "missing access token in the 'Authorization' header"
+ return jsonrpc.NewError(id, jsonrpc.INVALID_REQUEST, errMsg, nil), util.NewClientServerError(
+ errMsg,
 http.StatusUnauthorized,
 nil,
 )
diff --git a/internal/server/mcp/v20250326/method.go b/internal/server/mcp/v20250326/method.go
index 51ebd14db4..fadd2bc972 100644
--- a/internal/server/mcp/v20250326/method.go
+++ b/internal/server/mcp/v20250326/method.go
@@ -123,8 +123,9 @@ func toolsCallHandler(ctx context.Context, id jsonrpc.RequestId, resourceMgr *re
 }
 if clientAuth {
 if accessToken == "" {
- return jsonrpc.NewError(id, jsonrpc.INVALID_REQUEST, "missing access token in the 'Authorization' header", nil), util.NewClientServerError(
- "missing access token in the 'Authorization' header",
+ errMsg := "missing access token in the 'Authorization' header"
+ return jsonrpc.NewError(id, jsonrpc.INVALID_REQUEST, errMsg, nil), util.NewClientServerError(
+ errMsg,
 http.StatusUnauthorized,
 nil,
 )
diff --git a/internal/server/mcp/v20251125/method.go b/internal/server/mcp/v20251125/method.go
index 5fe5188862..72da108a77 100644
--- a/internal/server/mcp/v20251125/method.go
+++ b/internal/server/mcp/v20251125/method.go
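Review bot: The new `errMsg := "missing access token in the 'Authorization' header"` literal is now declared three times, once per protocol package (this hunk, the v20250326 hunk on the same line, and the v20251125 hunk that follows), and the three `toolsCallHandler` bodies are otherwise identical in this region, so the wire message can still drift between versions. Hoisting it to a single exported constant beside `util.NewClientServerError`, e.g. `const ErrMsgMissingAccessToken = "missing access token in the 'Authorization' header"` in package util, would keep the message identical across versions and give tests one value to assert against. Since this is the 401 path, it is also where a `WWW-Authenticate` challenge would be attached if the server advertises one; that is handled, if at all, outside these hunks, so confirm the status-only response is intended. Each toolsCallHandler starts and ends outside its hunk.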
@@ -116,8 +116,9 @@ func toolsCallHandler(ctx context.Context, id jsonrpc.RequestId, resourceMgr *re
 }
 if clientAuth {
 if accessToken == "" {
- return jsonrpc.NewError(id, jsonrpc.INVALID_REQUEST, "missing access token in the 'Authorization' header", nil), util.NewClientServerError(
- "missing access token in the 'Authorization' header",
+ errMsg := "missing access token in the 'Authorization' header"
+ return jsonrpc.NewError(id, jsonrpc.INVALID_REQUEST, errMsg, nil), util.NewClientServerError(
+ errMsg,
 http.StatusUnauthorized,
 nil,
 )