@sonmaximum
Summary

Extend build_oauth_authorization_server_metadata_discovery_urls so that the MCP client always probes both OAuth and OpenID discovery endpoints, with path-aware variants and deduplication. This lets the client interoperate with authorization servers that only expose /.well-known/openid-configuration.

Change Details

  • Use auth_server_url or server_url as a single source of truth, so we always consider the configured base when no metadata URL is advertised.
  • Populate discovery attempts with:
    • Path-aware OAuth metadata
    • Path-aware OIDC metadata (/.well-known/openid-configuration{path})
    • Nested-path OIDC ({path}/.well-known/openid-configuration)
    • Root-level OAuth and OIDC fallbacks
  • Deduplicate the list to avoid redundant fetches when different branches yield the same URL.

Motivation and Context

  • Some IdPs only publish OIDC discovery. Without trying those endpoints, the OAuth flow fails even though the IdP is spec compliant.
  • RFC 8414 explicitly recommends path-aware fallbacks for both OAuth and OIDC discovery; the existing implementation only covers part of that matrix.
  • Deduping avoids duplicated network calls with path == "/" or when config already points at a well-known URL.

How Has This Been Tested?

  • Verified URL list generation manually for:
    • No resource_metadata, base URL https://idp.example.com -> probes both OAuth and OIDC root well-known endpoints.
    • Path-based auth_server_url like https://idp.example.com/tenantA -> probes path-aware OAuth/OIDC endpoints plus root fallbacks without duplicates.
  • Updated existing tests for the new behavior and added new tests to cover the broadened cases. Ensured pytest tests pass.

Types of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
    (either depending on perspective?)

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Additional context

See related issue #1785
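The probe order and de-duplication described above, written out as an added example: this is not the SDK's own `build_oauth_authorization_server_metadata_discovery_urls`, and the helper names, the injected `fetch` callable, the TLS-only rule and the sample responses are assumptions constructed here. It also carries the RFC 8414 section 3.3 issuer check a client should run on whatever document a probe returns, since a reachable document with the wrong issuer must not be trusted.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import urlparse

# Well-known path components from RFC 8414 (OAuth) and OpenID Connect Discovery 1.0.
WELL_KNOWN_OAUTH = "/.well-known/oauth-authorization-server"
WELL_KNOWN_OIDC = "/.well-known/openid-configuration"


@dataclass(frozen=True)
class DiscoveryCandidate:
    url: str
    # Issuer identifier the fetched document must echo back (RFC 8414 section 3.3).
    expected_issuer: str


def build_discovery_candidates(base_url: str) -> list[DiscoveryCandidate]:
    """Ordered, de-duplicated metadata URLs to probe for base_url (hypothetical helper).

    Order: path-aware OAuth, path-aware OIDC, nested-path OIDC, then root fallbacks.
    """
    parsed = urlparse(base_url)
    # Assumption: metadata is only fetched over TLS, except for local development hosts.
    if parsed.scheme != "https" and parsed.hostname not in ("localhost", "127.0.0.1"):
        raise ValueError(f"refusing to discover metadata over {parsed.scheme!r}: {base_url}")
    origin = f"{parsed.scheme}://{parsed.netloc}"
    # Query and fragment are not part of an issuer identifier and are dropped; the
    # trailing slash is stripped so "/tenantA/" and "/tenantA" build the same URLs.
    path = parsed.path.rstrip("/")
    path_issuer = origin + path  # equals origin when the base has no path
    root_issuer = origin

    ordered = [
        DiscoveryCandidate(f"{origin}{WELL_KNOWN_OAUTH}{path}", path_issuer),
        DiscoveryCandidate(f"{origin}{WELL_KNOWN_OIDC}{path}", path_issuer),
        DiscoveryCandidate(f"{origin}{path}{WELL_KNOWN_OIDC}", path_issuer),
        DiscoveryCandidate(f"{origin}{WELL_KNOWN_OAUTH}", root_issuer),
        DiscoveryCandidate(f"{origin}{WELL_KNOWN_OIDC}", root_issuer),
    ]
    # Order-preserving de-duplication: with an empty path the three path-aware
    # entries collapse onto the two root entries, so only two URLs are probed.
    seen: set[str] = set()
    unique: list[DiscoveryCandidate] = []
    for candidate in ordered:
        if candidate.url not in seen:
            seen.add(candidate.url)
            unique.append(candidate)
    return unique


def issuer_matches(candidate: DiscoveryCandidate, metadata: dict) -> bool:
    """RFC 8414 section 3.3: the returned issuer must equal the identifier probed.

    The only leniency applied is ignoring a single trailing slash on either side.
    """
    issuer = metadata.get("issuer")
    return isinstance(issuer, str) and issuer.rstrip("/") == candidate.expected_issuer.rstrip("/")


Fetcher = Callable[[str], Optional[dict]]


def select_metadata(base_url: str, fetch: Fetcher) -> Optional[tuple[DiscoveryCandidate, dict]]:
    """Probe candidates in order; return the first document whose issuer checks out.

    `fetch` is injected so this runs offline; a real client would perform an HTTPS
    GET, parse JSON, and return None on a 404 or a malformed body.
    """
    for candidate in build_discovery_candidates(base_url):
        metadata = fetch(candidate.url)
        if metadata is None or not issuer_matches(candidate, metadata):
            continue  # absent, or reachable but naming the wrong issuer: skip it
        return candidate, metadata
    return None


# Constructed sample responses standing in for a fake IdP (not real endpoints).
CONSTRUCTED_RESPONSES: dict[str, dict] = {
    # Root OAuth metadata exists but names a different issuer: must be rejected.
    "https://idp.example.com/.well-known/oauth-authorization-server": {
        "issuer": "https://other-issuer.example.net",
    },
    # Root OIDC discovery with a matching issuer.
    "https://idp.example.com/.well-known/openid-configuration": {
        "issuer": "https://idp.example.com",
        "authorization_endpoint": "https://idp.example.com/authorize",
        "token_endpoint": "https://idp.example.com/token",
    },
    # Tenant that only publishes OIDC discovery nested under its own path.
    "https://idp.example.com/tenantA/.well-known/openid-configuration": {
        "issuer": "https://idp.example.com/tenantA/",
        "authorization_endpoint": "https://idp.example.com/tenantA/authorize",
        "token_endpoint": "https://idp.example.com/tenantA/token",
    },
}


def fetch_constructed(url: str) -> Optional[dict]:
    """Offline stand-in for an HTTPS fetch of a metadata document."""
    return CONSTRUCTED_RESPONSES.get(url)


if __name__ == "__main__":
    for base in ("https://idp.example.com", "https://idp.example.com/tenantA/"):
        print(base)
        for c in build_discovery_candidates(base):
            print("  probe", c.url)
        chosen = select_metadata(base, fetch_constructed)
        print("  chosen", chosen[0].url if chosen else None)
```

Running it with the constructed responses shows the two cases from the PR description: the bare origin probes only the two root endpoints, and the tenant path probes three path-aware URLs before the root fallbacks. Note that the root OAuth document is skipped even though it is reachable, because its issuer does not match the origin it was fetched from.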

@sonmaximum changed the title from "Maxj/feature/extend oauth auth url discovery" to "Broaden authorization server discovery to include OIDC fallbacks" on Dec 14, 2025
@maxisbey added the labels auth (Issues and PRs related to Authentication / OAuth) and P2 (Moderate issues affecting some users, edge cases, potentially valuable feature) on Dec 15, 2025
@maxisbey maxisbey requested a review from pcarleton December 15, 2025 10:54