Fix /.well-known/oauth-authorization-server dropping path#1014
Merged
pcarleton previously approved these changes (Jun 24, 2025)
| def _build_well_known_path(self, pathname: str) -> str: | ||
| """Construct well-known path for OAuth metadata discovery.""" | ||
| well_known_path = f"/.well-known/oauth-authorization-server{pathname}" | ||
| if pathname.endswith("/"): |
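Review bot: in `_build_well_known_path`, the trailing-slash check `if pathname.endswith("/"):` runs after the f-string has already appended `pathname`, so the trimming has to operate on the joined `well_known_path` string; RFC 8414 §3.1 says the terminating "/" MUST be removed before inserting the well-known string, so stripping it from `pathname` first (`pathname = pathname.rstrip("/")`) and then building `f"/.well-known/oauth-authorization-server{pathname}"` is simpler, also covers several trailing slashes, and makes the `pathname == "/"` root case yield the bare well-known path without a special branch; please add the root-path case to the test alongside the existing trailing-slash test, and cite RFC 8414 in the docstring so the next reader does not trip over it the way the reviewer did.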
This tripped me up for a minute, b/c I thought it was referring to `//` at the end, but I see you have a test for it, and it follows this from the RFC:
If the issuer identifier value contains a path component, any
terminating "/" MUST be removed before inserting "/.well-known/" and
the well-known URI suffix between the host component and the path
component. The client would make the following request when the
issuer identifier is "https://example.com/issuer1" and the well-known
URI suffix is "oauth-authorization-server" to obtain the metadata,
since the issuer identifier contains a path component:
GET /.well-known/oauth-authorization-server/issuer1 HTTP/1.1
Host: example.com
As identified in modelcontextprotocol/typescript-sdk#687, we need to fix it in the Python SDK as well.
Fixed OAuth discovery URL construction to comply with RFC 8414 by preserving path components. Previously, /.well-known/oauth-authorization-server discovery was dropping the path portion of authorization server URLs (e.g., https://example.com/path/mcp became https://example.com/.well-known/... instead of https://example.com/.well-known/.../path/mcp).
This fix enables operation with auth servers hosted at subpaths, matching the same issue recently fixed in the TypeScript SDK.
Fallback for backwards compatibility:
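The following is an added example, not code from the python-sdk or from this PR, showing the RFC 8414 §3.1 construction the PR describes (terminating "/" removed, then `/.well-known/oauth-authorization-server` inserted between host and path) together with a root-level fallback and the RFC 8414 §3.3 issuer check a client should apply to whatever metadata it accepts. The function names (`build_metadata_url`, `discovery_candidates`, `discover_metadata`), the injected `fetch` transport and the in-memory sample servers are all assumptions made for this example; the SDK's real method is `_build_well_known_path`, shown in the diff above.

```python
"""RFC 8414 metadata URL construction with path preservation and a root fallback.

Added example; not the modelcontextprotocol python-sdk's own code.
"""
from typing import Callable
from urllib.parse import urlsplit, urlunsplit

WELL_KNOWN_SUFFIX = "oauth-authorization-server"


def build_metadata_url(issuer: str, suffix: str = WELL_KNOWN_SUFFIX) -> str:
    """Build the RFC 8414 Section 3.1 metadata URL for an issuer identifier.

    Any terminating "/" is removed from the issuer's path, then
    "/.well-known/<suffix>" is inserted between host and path, so a subpath
    such as /path/mcp is preserved rather than dropped.
    """
    parts = urlsplit(issuer)
    if not parts.scheme or not parts.netloc:
        raise ValueError(f"issuer must be an absolute URL: {issuer!r}")
    if parts.query or parts.fragment:
        # RFC 8414 Section 2: an issuer identifier has no query or fragment.
        raise ValueError(f"issuer must not carry a query or fragment: {issuer!r}")
    path = parts.path.rstrip("/")  # "" for a bare host, "/issuer1" for a subpath
    return urlunsplit((parts.scheme, parts.netloc, f"/.well-known/{suffix}{path}", "", ""))


def discovery_candidates(issuer: str) -> list[tuple[str, str]]:
    """Return (expected_issuer, metadata_url) pairs to try in order.

    The first pair is the path-aware RFC 8414 URL. The second reproduces the
    pre-fix behaviour (path dropped) and is kept only as a backwards-compatible
    fallback for servers that publish metadata at the root; its expected issuer
    is therefore the origin, not the subpath.
    """
    parts = urlsplit(issuer)
    origin = urlunsplit((parts.scheme, parts.netloc, "", "", ""))
    primary = (issuer.rstrip("/"), build_metadata_url(issuer))
    fallback = (origin, build_metadata_url(origin))
    return [primary] if primary[1] == fallback[1] else [primary, fallback]


# Hypothetical transport: maps a URL to (HTTP status, decoded JSON body).
Fetcher = Callable[[str], tuple[int, dict]]


def discover_metadata(issuer: str, fetch: Fetcher) -> dict:
    """Fetch metadata from the candidates in order and validate the issuer claim.

    RFC 8414 Section 3.3: the returned "issuer" MUST be identical to the issuer
    identifier into which the well-known string was inserted. Enforcing this
    stops a document served from a different path or origin from being
    accepted as the authorization server's metadata.
    """
    for expected_issuer, url in discovery_candidates(issuer):
        status, body = fetch(url)
        if status == 404:
            continue  # try the next candidate (root fallback)
        if status != 200:
            raise RuntimeError(f"unexpected HTTP {status} from {url}")
        if body.get("issuer") != expected_issuer:
            raise ValueError(f"issuer mismatch at {url}: {body.get('issuer')!r} != {expected_issuer!r}")
        return body
    raise LookupError(f"no authorization server metadata found for {issuer!r}")


# Constructed sample servers (not real hosts) keyed by metadata URL.
PATH_AWARE_SERVER = {
    "https://example.com/.well-known/oauth-authorization-server/path/mcp": (
        200, {"issuer": "https://example.com/path/mcp",
              "token_endpoint": "https://example.com/path/mcp/token"}),
}
LEGACY_ROOT_SERVER = {
    "https://legacy.example/.well-known/oauth-authorization-server": (
        200, {"issuer": "https://legacy.example",
              "token_endpoint": "https://legacy.example/token"}),
}
MISMATCH_SERVER = {
    "https://example.net/.well-known/oauth-authorization-server": (
        200, {"issuer": "https://other.example"}),
}


def make_fetch(table: dict) -> Fetcher:
    """Build an offline fetcher that answers 404 for anything not in `table`."""
    return lambda url: table.get(url, (404, {}))


if __name__ == "__main__":
    for issuer in ("https://example.com/issuer1", "https://example.com/issuer1/",
                   "https://example.com/path/mcp", "https://example.com"):
        print(f"{issuer} -> {build_metadata_url(issuer)}")
    print(discover_metadata("https://example.com/path/mcp", make_fetch(PATH_AWARE_SERVER)))
    print(discover_metadata("https://legacy.example/path/mcp", make_fetch(LEGACY_ROOT_SERVER)))
```

Note that the fallback is only useful for servers that genuinely issue from the origin: a root-level document whose `issuer` names the subpath (or some other host) fails the §3.3 check and is rejected, which is the behaviour you want when the two URLs are under different administrative control.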