Skip to content

feat: Add openid-configuration Auth server metadata discovery fallback#651

Closed
2underscores wants to merge 2 commits intomodelcontextprotocol:mainfrom
2underscores:auth-svr-metadata-compatibility
Closed

feat: Add openid-configuration Auth server metadata discovery fallback#651
2underscores wants to merge 2 commits intomodelcontextprotocol:mainfrom
2underscores:auth-svr-metadata-compatibility

Conversation

@2underscores
Copy link
Contributor

@2underscores 2underscores commented Jul 27, 2025
edited
Loading

Motivation and Context

Fixes deviation in auth server metadata discovery endpoints supported between MCP and OAuth spec. Adds fallback to .well-known/openid-configuration and also attempts both potential placements of .well-known/openid-configuration.

From RFC8414:

During this transition period, applications should first apply the transformation defined in this specification and attempt to retrieve the authorization server metadata from the resulting location; only if the retrieval from that location fails should they fall back to attempting to retrieve it from the alternate location obtained using the transformation defined by OpenID Connect Discovery 1.0. This backwards-compatible behavior should only be necessary when the well- known URI suffix employed by the application is "openid-configuration"

How Has This Been Tested?

Locally tested against 2 MCP servers, one an azure style metadata endpoint, the other the oauth standard endpoint.

Breaking Changes

No

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Additional context

IMO this fix actually belongs inside the discoverOAuthMetadata method at @modelcontextprotocol/sdk/client/auth.js, alongside a spec update. If preferred i can move this change over to that repo instead to fix it at underlying lib layer. Included it here as unsure why it's not actually in the core lib and wondering if i'm misunderstanding spec or it's just a gap. At least this one is forwards compatible with that (wraps that method with a fallback to openid-config if it fails)

2underscores and others added 2 commits July 27, 2025 21:02
@2underscores
feat: add OAuth 2.0/OpenID Connect metadata discovery fallback
735b2cd 
- Add support for /.well-known/openid-configuration endpoint as fallback to oauth standard .well-known/oauth-authorization-server
- Addresses GitHub discussion modelcontextprotocol#563
@2underscores
Merge branch 'main' into auth-svr-metadata-compatibility
42c362d
@2underscores
Copy link
Contributor Author

2underscores commented Jul 28, 2025
edited
Loading

Might close this, I think a proper upstream fix has just been merged to the MCP SDK but will come in next version or so - modelcontextprotocol/typescript-sdk#652

@2underscores 2underscores mentioned this pull request Aug 6, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@2underscores