How to fix malformed OAuth URL parameters in Copilot MCP integration?

Tanguy Joannot 10 Reputation points
2026-01-19T14:21:47.38+00:00

Hi Microsoft Community,

I'm trying to integrate Microsoft Copilot with our MCP (Model Context Protocol) server using OAuth authentication, but encountering an issue with the authorization URL that Copilot generates.

Problem: When Copilot initiates the OAuth flow, it generates a malformed URL with an incorrect parameter separator:

https://pigment.app/login?server=mcp?client_id=XXX&response_type=code&...
                                   ↑
                                ISSUE: Should be & not ?

The URL uses ? instead of & to separate the server and client_id parameters. According to URL standards, only the first parameter separator should be ?, and all subsequent separators should be &.

Expected URL format:

https://pigment.app/login?server=mcp&client_id=XXX&response_type=code&...
                                   ↑
                                CORRECT: & separator

Impact: This malformed URL causes our OAuth server to reject the authorization request, preventing Copilot from successfully connecting to our MCP server.

Comparison: Other MCP clients (Claude, ChatGPT, Mistral, Zapier, Dust...) all generate correctly formatted URLs with proper & separators and work successfully with our server.

Question: Is this a known issue with Copilot's MCP OAuth implementation? Is there a workaround or fix available? Should this be reported as a bug?

Thanks

Microsoft Copilot | Microsoft 365 Copilot | Development

4 answers

  1. Tanguy Joannot 10 Reputation points
    2026-01-22T07:53:34.1566667+00:00

    Hi Sayali,

    We agree that the issue is the presence of two ? characters in the URL. This probably comes from the fact that our authorization URL already contains a query parameter: https://pigment.app/login?server=mcp.

    My point is that Copilot should detect this and append additional parameters with & only, not with another ?.

    According to RFC 6749 Section 3.1 (the OAuth 2.0 standard):

    "The endpoint URI MAY include an 'application/x-www-form-urlencoded' formatted query component, which MUST be retained when adding additional query parameters."

    This explicitly allows authorization URLs to have existing query parameters, and OAuth clients must properly append additional parameters to them.

    All other MCP clients we've tested (Claude Desktop, ChatGPT, Zapier, Dust) handle this automatically by detecting the existing ? and using & for subsequent parameters. Only Copilot uses a second ?, creating a malformed URL.

    This is quite inconvenient as it prevents Copilot from working with any MCP server whose authorization URL includes query parameters - a pattern that is standards-compliant and explicitly supported by OAuth 2.0.

    Couldn't Copilot's implementation be updated to follow the RFC 6749 requirement to properly retain and extend existing query parameters?

    Best,

    Tanguy

    1 person found this answer helpful.

  2. Darius Rohde 0 Reputation points
    2026-02-11T15:01:13.51+00:00

    I have the same issue, connecting an MCP Server running on SAP. SAP requires the SAP Client ID to be passed as ?sap-client=100

  3. Sayali-MSFT 5,771 Reputation points Microsoft External Staff Moderator
    2026-01-21T09:11:14.1166667+00:00

    Hello Tanguy Joannot,
    The issue is not caused by Copilot using ? instead of & to separate OAuth parameters. In URLs, & is the correct query separator; &amp;amp; is only an HTML encoding and is not used in raw URLs.

    The real problem is that the server parameter contains an unescaped ?, for example:

    server=mcp?client_id=XXX

    In URLs, only the first ? starts the query string. Any additional ? inside parameter values must be URL-encoded. Without encoding, the URL becomes malformed and OAuth servers correctly reject it.

    Why Other MCP Clients Work:

    Other MCP clients (Claude, ChatGPT, Zapier, etc.) either:

    URL-encode parameter values correctly.
    Avoid embedding query parameters inside the server value altogether.

    Correct Solutions Recommended:

    Keep server as a simple identifier or base URL (no query parameters).

    server=mcp

    If parameters are required inside server:

    URL-encode them:

    server=mcp%3Fclient_id%3DXXX

    Is This a Copilot Bug?

    No. Copilot’s behavior is standards-compliant (RFC 3986 / OAuth 2.0). The issue originates from passing an unencoded query string as a parameter value.
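
The two URL constructions discussed in the answers above, and what a standard query parser on the authorization server receives from each, as an added example that is not code from any poster or from Copilot. The function names are hypothetical; the endpoint and the `XXX` client ID are the values quoted in the thread.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Endpoint quoted in the thread; parameter values are placeholders.
AUTHORIZATION_ENDPOINT = "https://pigment.app/login?server=mcp"
OAUTH_PARAMS = {"client_id": "XXX", "response_type": "code"}


def naive_authorization_url(endpoint, params):
    """Blind concatenation: always inserts '?', reproducing the reported URL."""
    return endpoint + "?" + urlencode(params)


def build_authorization_url(endpoint, params):
    """Append params while retaining the endpoint's query (RFC 6749, 3.1)."""
    parts = urlsplit(endpoint)
    if parts.fragment:
        # RFC 6749, 3.1: the endpoint URI MUST NOT include a fragment.
        raise ValueError("authorization endpoint must not contain a fragment")
    existing = parse_qsl(parts.query, keep_blank_values=True)
    clash = {name for name, _ in existing} & set(params)
    if clash:
        # RFC 6749, 3.1: parameters MUST NOT be included more than once.
        raise ValueError(f"endpoint already sets: {sorted(clash)}")
    # Keep the existing query byte-for-byte and join with '&' only if present.
    separator = "&" if parts.query else ""
    query = parts.query + separator + urlencode(params)
    return urlunsplit(parts._replace(query=query))


def received_params(url):
    """What a standard query parser on the authorization server sees."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


def missing_required(url, required=("client_id", "response_type")):
    """Required OAuth parameters absent after parsing (a reject reason)."""
    seen = received_params(url)
    return [name for name in required if name not in seen]
```

With the naive form, the parser folds `client_id` into the value of `server`, so the request arrives without a `client_id` parameter at all.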


  4. AI answer

    2026-01-19T14:21:57.4333333+00:00

    The issue you're experiencing with malformed OAuth URL parameters in the Microsoft Copilot's MCP integration is not explicitly documented in the available resources. However, it is noted that the Model Context Protocol (MCP) tool definition input schema can have issues, such as incorrect configurations that may lead to problems during integration.

    While the specific problem with the ? and & separator in the OAuth URL is not mentioned, it would be advisable to check the following:

    1. Ensure that the OAuth configuration settings are correctly set up in your MCP server.
    2. Validate that the client ID and other parameters are correctly formatted and do not contain any unexpected characters.
    3. Review the permissions and scopes associated with your registered application to ensure they align with the requirements of the MCP server.

    If these steps do not resolve the issue, it may be beneficial to report this as a potential bug to Microsoft support, as it could be a known issue that requires attention from the product team.

