Skip to content

Fix oauth well-known paths to retain path and query #733

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

Fix oauth well-known paths to retain path and query #733

wants to merge 4 commits into from
+8 −4

Conversation

calclavia
Copy link
Member

@calclavia calclavia commented Jul 4, 2025
edited
Loading

Motivation and Context

This change is the same as #687 but applied to the protected resource well known path as well.

This should be spec compliant, as per RFC 9728:

Different applications utilizing OAuth protected resources in application-specific ways MAY define and register different well- known URI path suffixes for publishing protected resource metadata used by those applications. For instance, if the Example application uses an OAuth protected resource in an Example-specific way and there are Example-specific metadata values that it needs to publish, then it might register and use the example-protected-resource URI path suffix and publish the metadata document at the URL formed by inserting /.well-known/example-protected-resource between the host and path and/or query components of the protected resource's resource identifier.

How Has This Been Tested?

Currently I've to hack around this by manually passing resourceMetadataUrl in auth

Breaking Changes

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Additional context

@calclavia calclavia marked this pull request as ready for review July 4, 2025 03:13
@ihrpr ihrpr added this to the auth milestone Jul 4, 2025
@calclavia
Copy link
Member Author

calclavia commented Jul 6, 2025
edited
Loading

Hey @ihrpr, I notice there's an additional issue for the previous PR: #687 - query parameters seem to be dropped. We should do as the specification says, which is simply insert .well-known after the domain, but otherwise leave the URL as-is.

Modified this PR accordingly.

@calclavia calclavia changed the title Fix oauth-protected-resource to also be path aware Fix oauth well-known paths to retain path and query Jul 6, 2025
ihrpr
ihrpr requested changes Jul 7, 2025
View reviewed changes
Copy link
Contributor

@ihrpr ihrpr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you! Since we released SDK package already, would be good to maintain backwards compatibility as well (#692 example). Please can you also add some tests?

@omgitsads omgitsads mentioned this pull request Jul 9, 2025
Closed
@selcuktemizsoy
Copy link

@ihrpr @calclavia when shall we expect to release this? Various client implementation fails because of this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ihrpr ihrpr ihrpr requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
auth
Development

Successfully merging this pull request may close these issues.
3 participants
@calclavia @selcuktemizsoy @ihrpr