
feat: Add openid-configuration Auth server metadata discovery fallback #651


Open. Wants to merge 2 commits into base: main

2underscores commented Jul 27, 2025

Motivation and Context

Fixes deviation in auth server metadata discovery endpoints supported between MCP and OAuth spec. Adds fallback to .well-known/openid-configuration and also attempts both potential placements of .well-known/openid-configuration.

From RFC8414:

During this transition period, applications should first apply the transformation defined in this specification and attempt to retrieve the authorization server metadata from the resulting location; only if the retrieval from that location fails should they fall back to attempting to retrieve it from the alternate location obtained using the transformation defined by OpenID Connect Discovery 1.0. This backwards-compatible behavior should only be necessary when the well-known URI suffix employed by the application is "openid-configuration".

How Has This Been Tested?

Locally tested against 2 MCP servers, one an Azure-style metadata endpoint, the other the OAuth standard endpoint.

Breaking Changes

No

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Additional context

IMO this fix actually belongs inside the discoverOAuthMetadata method at @modelcontextprotocol/sdk/client/auth.js, alongside a spec update. If preferred, I can move this change over to that repo instead to fix it at the underlying lib layer. Included it here as I'm unsure why it's not actually in the core lib and wondering if I'm misunderstanding the spec or it's just a gap. At least this one is forwards compatible with that (wraps that method with a fallback to openid-config if it fails).
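Added example, not code from this pull request or the MCP SDK: the lookup order that the description and the RFC 8414 quote lay out, with the issuer check from RFC 8414 section 3.3 applied to every location so the fallback cannot accept a document published for a different issuer. `fetchJson`, `SAMPLE` and `sampleFetch` are hypothetical names, and the example.com responses are constructed.

```javascript
// Added example: not code from this pull request or the MCP SDK.
// Candidate metadata URLs for an issuer, in the order RFC 8414 section 5 gives.
function buildDiscoveryUrls(issuer) {
  const u = new URL(issuer);
  if (u.protocol !== "https:") throw new Error("issuer must use https");
  if (u.search || u.hash) throw new Error("issuer must not have a query or fragment");
  const path = u.pathname.replace(/\/+$/, ""); // "" for a root issuer
  const urls = [
    `${u.origin}/.well-known/oauth-authorization-server${path}`, // RFC 8414
    `${u.origin}/.well-known/openid-configuration${path}`, // RFC 8414 transformation
    `${u.origin}${path}/.well-known/openid-configuration`, // OpenID Connect Discovery 1.0
  ];
  return [...new Set(urls)]; // a root issuer yields the same URL for the last two
}

// RFC 8414 section 3.3: the "issuer" in the document must be identical to the
// issuer the URL was derived from, whichever location answered.
function issuerMatches(issuer, metadata) {
  return metadata !== null && typeof metadata === "object" && metadata.issuer === issuer;
}

// fetchJson is a hypothetical caller-supplied async function: parsed JSON, or
// null when retrieval fails. A mismatching document is skipped, never accepted.
async function discoverMetadata(issuer, fetchJson) {
  const mismatched = [];
  for (const url of buildDiscoveryUrls(issuer)) {
    const metadata = await fetchJson(url);
    if (metadata === null) continue; // retrieval failed, try the next location
    if (issuerMatches(issuer, metadata)) return { url, metadata };
    mismatched.push(url);
  }
  throw new Error(`no valid metadata for ${issuer}; issuer mismatch at [${mismatched}]`);
}

// Constructed responses: only the OpenID Connect placement serves tenant1's document.
const SAMPLE = {
  "https://as.example.com/.well-known/openid-configuration/tenant1":
    { issuer: "https://as.example.com/other" },
  "https://as.example.com/tenant1/.well-known/openid-configuration":
    { issuer: "https://as.example.com/tenant1", token_endpoint: "https://as.example.com/tenant1/token" },
};
const sampleFetch = async (url) => SAMPLE[url] ?? null;
```

With the constructed responses, the second location answers with another issuer's document and is skipped, and the third location is the one returned.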

2underscores and others added 2 commits July 27, 2025 21:02
- Add support for /.well-known/openid-configuration endpoint as fallback to oauth standard .well-known/oauth-authorization-server
- Addresses GitHub discussion modelcontextprotocol#563

2underscores commented Jul 28, 2025

Might close this, I think a proper upstream fix has just been merged to the MCP SDK but will come in next version or so - modelcontextprotocol/typescript-sdk#652
