Skip to content

Broaden authorization server discovery to include OIDC fallbacks#1786

Closed
sonmaximum wants to merge 3 commits intomodelcontextprotocol:mainfrom
sonmaximum:maxj/feature/extend_oauth_auth_url_discovery
Closed

Broaden authorization server discovery to include OIDC fallbacks#1786
sonmaximum wants to merge 3 commits intomodelcontextprotocol:mainfrom
sonmaximum:maxj/feature/extend_oauth_auth_url_discovery

Conversation

@sonmaximum
Copy link

@sonmaximum sonmaximum commented Dec 14, 2025

Summary

Extend build_oauth_authorization_server_metadata_discovery_urls so that the MCP client always probes both OAuth and OpenID discovery endpoints, with path-aware variants and deduplication. This lets the client interoperate with authorization servers that only expose /.well-known/openid-configuration.

Change Details

  • Use auth_server_url or server_url as a single source of truth, so we always consider the configured base when no metadata URL is advertised.
  • Populate discovery attempts with:
    • Path-aware OAuth metadata
    • Path-aware OIDC metadata (/.well-known/openid-configuration{path})
    • Nested-path OIDC ({path}/.well-known/openid-configuration)
    • Root-level OAuth and OIDC fallbacks
  • Deduplicate the list to avoid redundant fetches when different branches yield the same URL.

Motivation and Context

  • Some IdPs only publish OIDC discovery. Without trying those endpoints, the OAuth flow fails even though the IdP is spec compliant.
  • RFC 8414 explicitly recommends path-aware fallbacks for both OAuth and OIDC discovery; the existing implementation only covers part of that matrix.
  • Deduping avoids duplicated network calls with path == "/" or when config already points at a well-known URL.

How Has This Been Tested?

  • Verified URL list generation manually for:
    • No resource_metadata, base URL https://idp.example.com -> probes both OAuth and OIDC root well-known endpoints.
    • Path-based auth_server_url like https://idp.example.com/tenantA -> probes path-aware OAuth/OIDC endpoints plus root fallbacks without duplicates.
  • Updated existing tests with updated behavior and added new tests to covered broadened case coverage. Ensured pytest tests pass.

Types of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
    (either depending on perspective?)

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Additional context

See related issue #1785

@sonmaximum sonmaximum mentioned this pull request Dec 14, 2025
Open
@sonmaximum sonmaximum changed the title Maxj/feature/extend oauth auth url discovery Broaden authorization server discovery to include OIDC fallbacks Dec 14, 2025
@maxisbey maxisbey added auth Issues and PRs related to Authentication / OAuth P2 Moderate issues affecting some users, edge cases, potentially valuable feature labels Dec 15, 2025
@maxisbey maxisbey requested a review from pcarleton December 15, 2025 10:54
@pcarleton
Copy link
Member

pcarleton commented Jan 5, 2026

see comment:
#1785 (comment)

@pcarleton pcarleton closed this Jan 5, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pcarleton pcarleton Awaiting requested review from pcarleton

Assignees

No one assigned

Labels

auth Issues and PRs related to Authentication / OAuth P2 Moderate issues affecting some users, edge cases, potentially valuable feature

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@sonmaximum @pcarleton @maxisbey