make issuer_url auth server and add resource_server_url param

ihrpr · ihrpr · commit 53431b83b3aa · 2025-06-23T12:52:08.000+01:00
diff --git a/README.md b/README.md
@@ -444,7 +444,8 @@ mcp = FastMCP(
     "My App",
     token_verifier=MyTokenVerifier(),
     auth=AuthSettings(
-        authorization_servers=["https://auth.example.com"],
+        issuer_url="https://auth.example.com"
+        resource_server_url="http://localhost:3001",
         required_scopes=["mcp:read", "mcp:write"],
     ),
 )
diff --git a/examples/servers/simple-auth/mcp_simple_auth/auth_server.py b/examples/servers/simple-auth/mcp_simple_auth/auth_server.py
@@ -68,7 +68,7 @@ def create_authorization_server(server_settings: AuthServerSettings, github_sett
             default_scopes=[github_settings.mcp_scope],
         ),
         required_scopes=[github_settings.mcp_scope],
-        authorization_servers=None,
+        resource_server_url=None,
     )
 
     # Create OAuth routes
diff --git a/examples/servers/simple-auth/mcp_simple_auth/legacy_as_server.py b/examples/servers/simple-auth/mcp_simple_auth/legacy_as_server.py
@@ -59,8 +59,8 @@ def create_simple_mcp_server(server_settings: ServerSettings, github_settings: G
             default_scopes=[github_settings.mcp_scope],
         ),
         required_scopes=[github_settings.mcp_scope],
-        # No authorization_servers parameter in legacy mode
-        authorization_servers=None,
+        # No resource_server_url parameter in legacy mode
+        resource_server_url=None,
     )
 
     app = FastMCP(
diff --git a/examples/servers/simple-auth/mcp_simple_auth/server.py b/examples/servers/simple-auth/mcp_simple_auth/server.py
@@ -70,9 +70,9 @@ def create_resource_server(settings: ResourceServerSettings) -> FastMCP:
         # Auth configuration for RS mode
         token_verifier=token_verifier,
         auth=AuthSettings(
-            issuer_url=settings.server_url,
+            issuer_url=settings.auth_server_url,
             required_scopes=[settings.mcp_scope],
-            authorization_servers=[settings.auth_server_url],
+            resource_server_url=settings.server_url,
         ),
     )
 
diff --git a/src/mcp/server/auth/settings.py b/src/mcp/server/auth/settings.py
@@ -15,15 +15,15 @@ class RevocationOptions(BaseModel):
 class AuthSettings(BaseModel):
     issuer_url: AnyHttpUrl = Field(
         ...,
-        description="Base URL where this server is reachable. For AS: OAuth issuer URL. For RS: Resource server URL.",
+        description="OAuth authorization server URL that issues tokens for this resource server.",
     )
     service_documentation_url: AnyHttpUrl | None = None
     client_registration_options: ClientRegistrationOptions | None = None
     revocation_options: RevocationOptions | None = None
     required_scopes: list[str] | None = None
 
     # Resource Server settings (when operating as RS only)
-    authorization_servers: list[AnyHttpUrl] | None = Field(
-        None,
-        description="Authorization servers that can issue tokens for this resource (RS mode)",
+    resource_server_url: AnyHttpUrl | None = Field(
+        ...,
+        description="OAuth authorization server URL that issues tokens for this resource server.",
     )
diff --git a/src/mcp/server/fastmcp/server.py b/src/mcp/server/fastmcp/server.py
@@ -743,11 +743,11 @@ async def handle_sse(scope: Scope, receive: Receive, send: Send):
         if self._token_verifier:
             # Determine resource metadata URL
             resource_metadata_url = None
-            if self.settings.auth and self.settings.auth.authorization_servers:
+            if self.settings.auth and self.settings.auth.resource_server_url:
                 from pydantic import AnyHttpUrl
 
                 resource_metadata_url = AnyHttpUrl(
-                    str(self.settings.auth.issuer_url).rstrip("/") + "/.well-known/oauth-protected-resource"
+                    str(self.settings.auth.resource_server_url).rstrip("/") + "/.well-known/oauth-protected-resource"
                 )
 
             # Auth is enabled, wrap the endpoints with RequireAuthMiddleware
@@ -785,13 +785,13 @@ async def sse_endpoint(request: Request) -> Response:
                 )
             )
         # Add protected resource metadata endpoint if configured as RS
-        if self.settings.auth and self.settings.auth.authorization_servers:
+        if self.settings.auth and self.settings.auth.resource_server_url:
             from mcp.server.auth.routes import create_protected_resource_routes
 
             routes.extend(
                 create_protected_resource_routes(
-                    resource_url=self.settings.auth.issuer_url,
-                    authorization_servers=self.settings.auth.authorization_servers,
+                    resource_url=self.settings.auth.resource_server_url,
+                    authorization_servers=[self.settings.auth.issuer_url],
                     scopes_supported=self.settings.auth.required_scopes,
                 )
             )
@@ -858,11 +858,11 @@ async def handle_streamable_http(scope: Scope, receive: Receive, send: Send) ->
         if self._token_verifier:
             # Determine resource metadata URL
             resource_metadata_url = None
-            if self.settings.auth and self.settings.auth.authorization_servers:
+            if self.settings.auth and self.settings.auth.resource_server_url:
                 from pydantic import AnyHttpUrl
 
                 resource_metadata_url = AnyHttpUrl(
-                    str(self.settings.auth.issuer_url).rstrip("/") + "/.well-known/oauth-protected-resource"
+                    str(self.settings.auth.resource_server_url).rstrip("/") + "/.well-known/oauth-protected-resource"
                 )
 
             routes.append(
@@ -881,14 +881,14 @@ async def handle_streamable_http(scope: Scope, receive: Receive, send: Send) ->
             )
 
         # Add protected resource metadata endpoint if configured as RS
-        if self.settings.auth and self.settings.auth.authorization_servers:
+        if self.settings.auth and self.settings.auth.resource_server_url:
             from mcp.server.auth.handlers.metadata import ProtectedResourceMetadataHandler
             from mcp.server.auth.routes import cors_middleware
             from mcp.shared.auth import ProtectedResourceMetadata
 
             protected_resource_metadata = ProtectedResourceMetadata(
-                resource=self.settings.auth.issuer_url,
-                authorization_servers=self.settings.auth.authorization_servers,
+                resource=self.settings.auth.resource_server_url,
+                authorization_servers=[self.settings.auth.issuer_url],
                 scopes_supported=self.settings.auth.required_scopes,
             )
             routes.append(

Original file line number	Diff line number	Diff line change
`@@ -68,7 +68,7 @@ def create_authorization_server(server_settings: AuthServerSettings, github_sett`
`68`	`68`	`default_scopes=[github_settings.mcp_scope],`
`69`	`69`	`),`
`70`	`70`	`required_scopes=[github_settings.mcp_scope],`
`71`		`- authorization_servers=None,`
	`71`	`+ resource_server_url=None,`
`72`	`72`	`)`
`73`	`73`
`74`	`74`	`# Create OAuth routes`