fix: strip trailing slashes from OAuth metadata URLs

claude[bot] · web-flow · commit 2c0f2c33d18f · 2026-01-22T19:03:14.000Z
Pydantic's AnyHttpUrl automatically appends a trailing slash to bare hostnames (e.g., http://localhost:8000 becomes http://localhost:8000/). This causes OAuth discovery to fail in clients like Google's ADK and IBM's MCP Context Forge because RFC 8414 §3.3 and RFC 9728 §3 require that the issuer/resource URL in the metadata response must be identical to the URL used for discovery. This fix ensures all URLs in OAuth metadata (issuer, resource, authorization_servers) have trailing slashes stripped, following the same pattern already used for authorization_endpoint and token_endpoint. Github-Issue: #1919 Reported-by: joar
diff --git a/src/mcp/server/auth/routes.py b/src/mcp/server/auth/routes.py
@@ -157,7 +157,7 @@ def build_metadata(
 
     # Create metadata
     metadata = OAuthMetadata(
-        issuer=issuer_url,
+        issuer=AnyHttpUrl(str(issuer_url).rstrip("/")),
         authorization_endpoint=authorization_url,
         token_endpoint=token_url,
         scopes_supported=client_registration_options.valid_scopes,
@@ -222,8 +222,8 @@ def create_protected_resource_routes(
         List of Starlette routes for protected resource metadata
     """
     metadata = ProtectedResourceMetadata(
-        resource=resource_url,
-        authorization_servers=authorization_servers,
+        resource=AnyHttpUrl(str(resource_url).rstrip("/")),
+        authorization_servers=[AnyHttpUrl(str(server).rstrip("/")) for server in authorization_servers],
         scopes_supported=scopes_supported,
         resource_name=resource_name,
         resource_documentation=resource_documentation,
