Skip to content

Fix building auth metadata paths #779

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

Fix building auth metadata paths #779

wants to merge 5 commits into from

Conversation

Rodriguespn
Copy link

@Rodriguespn Rodriguespn commented May 22, 2025
edited
Loading

Summary

Fixes OAuth endpoint URL construction to always join paths correctly, preventing missing or double slashes regardless of the issuer URL format. Removes unnecessary use of lstrip("/"), which caused endpoints like $MY_ISSUERauthorize instead of the expected $MY_ISSUER/authorize.

Motivation and Context

The output of /.well-known/oauth-authorization-server was incorrect when the issuer URL included a path or when using URLs like http://localhost:8000.

Expected:

"authorization_endpoint": "https://example.com/authorize"

Actual:

"authorization_endpoint": "https://example.comauthorize"

This was due to the use of lstrip("/") when joining paths, which strips the leading slash and results in malformed URLs.

Note:
There is already PR #770 attempting to address this, but it does not handle all cases (e.g., URLs like http://localhost:8000 or issuer URLs with existing paths).

How Has This Been Tested?

Tested with various issuer URLs, including:

Screenshot 2025-05-23 at 15 36 46

Verified the output of:

curl http://my-mcp-server/.well-known/oauth-authorization-server

Example output:

{
  "issuer": "https://example.com",
  "authorization_endpoint": "https://example.com/authorize",
  "token_endpoint": "https://example.com/token",
  "registration_endpoint": "https://example.com/register",
  "revocation_endpoint": "https://example.com/revoke"
}

All endpoints are now correctly formed, with no missing or double slashes.

Breaking Changes

No breaking changes

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Additional context

Related PRs

@hongkunyoo @pcarleton @Kludex

@Rodriguespn Rodriguespn mentioned this pull request May 22, 2025
Closed
9 tasks
@Kludex
Copy link
Member

Kludex commented May 22, 2025

urllib.parse.urljoin should be enough

@ihrpr ihrpr added this to the auth-spec milestone May 23, 2025
@Rodriguespn
Copy link
Author

Rodriguespn commented May 23, 2025
edited
Loading

urllib.parse.urljoin should be enough

Thank you for the suggestion @Kludex. Refactored the append_path function to include urllib.parse.urljoin and reduce it to 3 lines to cover all use cases in the PR description

Kludex
Kludex reviewed May 24, 2025
View reviewed changes
src/mcp/server/auth/routes.py
)
token_url = modify_url_path(issuer_url, lambda path: append_path(path, TOKEN_PATH))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we can delete this modify_url_path tho. str(issuer_url) should work.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Kludex Kludex Kludex left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
auth-spec
Development

Successfully merging this pull request may close these issues.
3 participants
@Rodriguespn @Kludex @ihrpr