The resource URL path is ignored when building the protected resource metadata URL #1052

@yurikunash
Description

The current MCP Server implementation appears to use a fixed URL pattern [domain]/.well-known/oauth-protected-resource for the protected resource URL. After reviewing RFC 9728, I believe this doesn't fully align with the specification's requirements.

Expected behavior:
If the resource URL is https://resource.example.com/resource1, the protected resource metadata URL should be https://resource.example.com/.well-known/oauth-protected-resource/resource1

Current behavior:
If the resource URL is https://resource.example.com/resource1, the protected resource metadata URL is https://resource.example.com/.well-known/oauth-protected-resource

Link to the source code (route construction in the SDK; `Route` is `starlette.routing.Route`):

```python
from starlette.routing import Route

# The well-known path is registered as a single fixed route, so the
# resource identifier's own path component is never part of the URL.
return [
    Route(
        "/.well-known/oauth-protected-resource",
        endpoint=cors_middleware(handler.handle, ["GET", "OPTIONS"]),
        methods=["GET", "OPTIONS"],
    )
]
```

RFC 9728

Protected resources supporting metadata MUST make a JSON document containing metadata as specified in Section 2 available at a URL formed by inserting a well-known URI string into the protected resource's resource identifier between the host component and the path and/or query components, if any.
...
The consumer of the metadata would make the following request when the resource identifier is https://resource.example.com/resource1 and the well-known URI path suffix is oauth-protected-resource to obtain the metadata, since the resource identifier contains a path component:

GET /.well-known/oauth-protected-resource/resource1 HTTP/1.1
Host: resource.example.com

As the RFC correctly states:

Using path components enables supporting multiple resources per host. This is required in some multi-tenant hosting configurations.

which is difficult to achieve with the current implementation.

Example Code

Python & MCP Python SDK

Latest version
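The URL construction the issue describes, as an added example that is neither the reporter's code nor part of the MCP SDK: a client-side builder that inserts the well-known segment between host and path per RFC 9728, and a server-side resolver that maps an incoming metadata request path back to one of the resources the host actually serves (so a per-tenant request for an unknown resource gets a 404 rather than a host-wide document). Function names, the `known_resources` set and the sample identifiers are assumptions made for this example.

```python
# Added example, not taken from the issue or the MCP SDK.
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

WELL_KNOWN_SUFFIX = "oauth-protected-resource"


def protected_resource_metadata_url(resource: str, suffix: str = WELL_KNOWN_SUFFIX) -> str:
    """Return the RFC 9728 metadata URL for a resource identifier.

    The well-known path is inserted between the host and any path/query
    components, so distinct resources on one host get distinct metadata URLs.
    """
    parts = urlsplit(resource)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("resource identifier must be an absolute https URL")
    if parts.fragment:
        raise ValueError("resource identifier must not contain a fragment")
    # A bare "/" carries no resource path; treat it like no path at all.
    path = "" if parts.path == "/" else parts.path
    well_known = f"/.well-known/{suffix}"
    return urlunsplit((parts.scheme, parts.netloc, well_known + path, parts.query, ""))


def resource_for_metadata_request(
    host_base: str,
    request_path: str,
    known_resources: set,
    suffix: str = WELL_KNOWN_SUFFIX,
) -> Optional[str]:
    """Server side: map a metadata request path back to a hosted resource.

    host_base is the scheme and host this server answers for (assumed
    configured, e.g. "https://resource.example.com"). Returns the matching
    resource identifier, or None when the path names no resource the server
    hosts, so the handler can refuse instead of serving metadata for it.
    """
    prefix = f"/.well-known/{suffix}"
    if request_path == prefix:
        resource_path = ""
    elif request_path.startswith(prefix + "/"):
        resource_path = request_path[len(prefix):]
    else:
        return None
    candidate = host_base + resource_path
    return candidate if candidate in known_resources else None
```

With Starlette this maps to two routes, the fixed path and `"/.well-known/oauth-protected-resource/{resource_path:path}"`, both dispatching to a handler that calls `resource_for_metadata_request` before building the document.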
Labels: P3 (nice to haves, rare edge cases), auth (issues and PRs related to Authentication / OAuth), question (further information is requested), ready for work (enough information for someone to start working on)