
fix(oauth): subpath-aware metadata discovery with RFC 9728 fallback#1327

Open
Educg550 wants to merge 3 commits into modelcontextprotocol:main from Educg550:main

Conversation

@Educg550

Summary

This PR addresses #1168, that is, the metadata discovery step in the OAuth flow now considers subpaths for mounted MCP servers.

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • Test updates (new tests created)

Changes Made

client/src/lib/oauth-state-machine.ts — metadata_discovery transition

  • Previously, authServerUrl was constructed as new URL("/", context.serverUrl), which stripped the path and broke RFC 8414 path-scoped discovery for sub-path mounted servers (e.g. http://host/api/mcp/github/mcp). It is now constructed as new URL(context.serverUrl) so the full path is preserved.
  • Added a mount-relative fallback for RFC 9728 protected resource metadata: when the standard discovery call fails for a sub-path server, the transition retries with an explicit resourceMetadataUrl of {serverUrl}/.well-known/oauth-protected-resource (trailing slash stripped). Root-mounted servers (pathname === "/") skip this fallback.
  • resourceMetadata?.authorization_servers is now evaluated after both discovery attempts, so the auth server URL is correctly resolved from resource metadata when the fallback succeeds.

client/src/lib/__tests__/oauth-state-machine.test.ts — new test file

Covers the metadata_discovery transition with five unit tests:

  • Sub-path server preserves the path when calling discoverAuthorizationServerMetadata (RFC 8414 §3).
  • Root-mounted server uses bare origin.
  • Mount-relative fallback is attempted for sub-path servers when RFC 9728 standard discovery fails, and the auth server is resolved from the returned resource metadata.
  • Mount-relative fallback is not attempted for root-mounted servers.
  • Trailing slash is stripped before constructing the mount-relative URL.

For reference:

  1. https://datatracker.ietf.org/doc/html/rfc8414
  2. https://datatracker.ietf.org/doc/html/rfc9728

Related Issues

Fixes #1168

Testing

  • Tested in UI mode
  • Tested in CLI mode
  • Tested with STDIO transport
  • Tested with SSE transport
  • Tested with Streamable HTTP transport
  • Added/updated automated tests
  • Manual testing performed
[screenshot: inspector_tests_passing]

Checklist

  • Code follows the style guidelines (ran npm run prettier-fix)
  • Self-review completed
  • Code is commented where necessary
  • Documentation updated (README, comments, etc.)
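The three "Changes Made" points above describe an ordering: build the RFC 8414 discovery URL from the full server URL (path preserved), try the standard RFC 9728 location, fall back to a mount-relative location only for sub-path servers, and only then read authorization_servers. The following is an added example written for this page, not code from the inspector repository or from this PR: it models that ordering with a synchronous lookup table standing in for HTTP, so it runs offline. The names discoverMetadata, Fetcher, lookupFetcher, sampleResponses and the URLs in the table are all constructed for the example; the function that the PR actually calls, discoverAuthorizationServerMetadata, is not reproduced here.

```typescript
// Offline stand-in for HTTP GET: returns parsed JSON, or null for anything not found (hypothetical).
type Fetcher = (url: string) => Record<string, unknown> | null;

// Strip one trailing slash from a pathname so "/a/b/" and "/a/b" build the same URLs.
function strippedPath(u: URL): string {
  return u.pathname.replace(/\/$/, "");
}

// RFC 8414 §3: the well-known segment is inserted between host and path, so the
// server's own path must survive (new URL("/", serverUrl) would discard it).
function authServerMetadataUrl(serverUrl: string): string {
  const u = new URL(serverUrl);
  return `${u.origin}/.well-known/oauth-authorization-server${strippedPath(u)}`;
}

// RFC 9728 §3: same host-then-well-known-then-path construction for protected resource metadata.
function standardResourceMetadataUrl(serverUrl: string): string {
  const u = new URL(serverUrl);
  return `${u.origin}/.well-known/oauth-protected-resource${strippedPath(u)}`;
}

// Mount-relative fallback as described in the PR: {serverUrl}/.well-known/oauth-protected-resource,
// trailing slash stripped. Root-mounted servers (pathname === "/") get no fallback.
function mountRelativeResourceMetadataUrl(serverUrl: string): string | null {
  const u = new URL(serverUrl);
  if (u.pathname === "/") return null;
  return `${u.origin}${strippedPath(u)}/.well-known/oauth-protected-resource`;
}

interface DiscoveryResult {
  resourceMetadata: Record<string, unknown> | null;
  authServerUrl: string;
  usedFallback: boolean;
}

// Discovery in the order the PR describes. authorization_servers is read only after
// both attempts so a successful fallback can still supply the auth server URL.
function discoverMetadata(serverUrl: string, fetchJson: Fetcher): DiscoveryResult {
  let resourceMetadata = fetchJson(standardResourceMetadataUrl(serverUrl));
  let usedFallback = false;
  if (resourceMetadata === null) {
    const fallbackUrl = mountRelativeResourceMetadataUrl(serverUrl);
    if (fallbackUrl !== null) {
      resourceMetadata = fetchJson(fallbackUrl);
      usedFallback = resourceMetadata !== null;
    }
  }
  const servers = resourceMetadata?.authorization_servers;
  const authServerUrl =
    Array.isArray(servers) && typeof servers[0] === "string"
      ? (servers[0] as string)
      : new URL(serverUrl).toString(); // full path preserved for RFC 8414 discovery
  return { resourceMetadata, authServerUrl, usedFallback };
}

// Constructed sample: only the mount-relative location answers for the sub-path server,
// which is exactly the case the PR's fallback exists for.
const sampleResponses: Record<string, Record<string, unknown>> = {
  "http://host/api/mcp/github/mcp/.well-known/oauth-protected-resource": {
    resource: "http://host/api/mcp/github/mcp",
    authorization_servers: ["https://auth.example/"],
  },
};
const lookupFetcher: Fetcher = (url) => sampleResponses[url] ?? null;

// Stand-alone run: sub-path server resolves via fallback, root server does not attempt it.
console.log(authServerMetadataUrl("http://host/api/mcp/github/mcp"));
console.log(discoverMetadata("http://host/api/mcp/github/mcp", lookupFetcher));
console.log(discoverMetadata("http://host/", lookupFetcher));
```

Note that the fallback URL stays under the same origin and mount path as the MCP server itself, so the client is not widening the set of hosts it trusts for metadata; what it does trust, in both the standard and fallback cases, is the authorization_servers list the resource server returns, which is the same trust decision RFC 9728 already asks the client to make.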



Development

Successfully merging this pull request may close these issues.

OAuth metadata discovery fails for sub-path-mounted MCP servers when protected resource metadata is unavailable
