Skip to content

Support Authorization Server Metadata with path insertion and endpoints on subpaths #1095

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Support Authorization Server Metadata with path insertion and endpoints on subpaths #1095

wants to merge 1 commit into from
+37 −10

Conversation

@wille
Copy link

@wille wille commented Nov 11, 2025
edited
Loading

Motivation and Context

Fixes #167

This PR adds support for Authorization Server Metadata with path insertion and endpoints on subpaths

One might not want to run their authorization server on the root of their domain (like https://api.example.com) but instead run it on a path (https://api.example.com/oauth)

How Has This Been Tested?

  • A unit test was added
  • The example simpleOAuthClient.ts now works properly with the DEFAULT_SERVER_URL (http://localhost:3000/mcp) if testing on a mcpAuthRouter

Breaking Changes

If the user has configured their mcpAuthRouter with a issuerUrl or baseUrl that contains a path (like https://localhost/path), endpoints will now be setup at https://localhost/path/authorize instead of https://localhost/authorize like it works right now, even if the user has set a path.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Additional context

I used https://modelcontextprotocol.io/specification/draft/basic/authorization#authorization-server-metadata-discovery as a reference along with my observations of my own implementation of the MCP OAuth spec

@wille wille requested a review from a team as a code owner November 11, 2025 00:10
@wille wille force-pushed the issuer-url-path-components branch from ab882cd to 98e9fa1 Compare November 11, 2025 00:10
@pkg-pr-new
Copy link

pkg-pr-new bot commented Nov 11, 2025
edited
Loading

Open in StackBlitz

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/sdk@1095

commit: 117fc07

@wille wille force-pushed the issuer-url-path-components branch from 98e9fa1 to 6c04e79 Compare November 11, 2025 00:12
@wille wille force-pushed the issuer-url-path-components branch from 6c04e79 to 117fc07 Compare November 11, 2025 00:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Using the built in auth router, the issuer URL is not fully utilized for the authorization endpoint

1 participant

@wille