fix(client): align displayed OAuth metadata URL with the fetched URL (#1166)#1253
Open
MukundaKatta wants to merge 1 commit intomodelcontextprotocol:mainfrom
Open
fix(client): align displayed OAuth metadata URL with the fetched URL (#1166)#1253MukundaKatta wants to merge 1 commit intomodelcontextprotocol:mainfrom
MukundaKatta wants to merge 1 commit intomodelcontextprotocol:mainfrom
Conversation
…odelcontextprotocol#1166) The Metadata Discovery panel rendered the base `/.well-known/oauth-protected-resource` URL even when the MCP TypeScript SDK actually fetched the path-aware variant (e.g. `/.well-known/oauth-protected-resource/mcp` for an MCP server URL like `https://staging.mcp.cloudflare.com/mcp`). This caused the displayed source URL to disagree with the metadata body shown right below it, making OAuth debugging confusing. Mirror the SDK's path-aware discovery in a new `getProtectedResourceMetadataDiscoveryUrl` helper (a sibling to the existing `getAuthorizationServerMetadataDiscoveryUrl`) and use it in `OAuthFlowProgress` so the displayed URL matches the URL that is actually requested. Fixes modelcontextprotocol#1166
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes #1166.
The OAuth Metadata Discovery panel showed the base
/.well-known/oauth-protected-resourceURL as the source of the resource metadata, but the MCP TypeScript SDK actually fetches the path-aware variant first (e.g./.well-known/oauth-protected-resource/mcpfor an MCP server URL likehttps://staging.mcp.cloudflare.com/mcp). The displayed source URL therefore disagreed with the metadata body shown right below it, which is confusing when debugging OAuth.This change mirrors the SDK's path-aware discovery in a new
getProtectedResourceMetadataDiscoveryUrlhelper (a sibling of the existinggetAuthorizationServerMetadataDiscoveryUrl) and uses it inOAuthFlowProgress.tsxso the displayed URL matches the URL that is actually requested.Behavior
For
serverUrl = https://staging.mcp.cloudflare.com/mcp:https://staging.mcp.cloudflare.com/.well-known/oauth-protected-resource, but the displayed body was actually fetched from.../oauth-protected-resource/mcp.https://staging.mcp.cloudflare.com/.well-known/oauth-protected-resource/mcp, matching the SDK's path-aware request.For
serverUrl = https://example.com(no path), the displayed URL is unchanged.Notes
Test plan
getProtectedResourceMetadataDiscoveryUrlcovering root, sub-path, and trailing-slash inputs.npm run dev, point Inspector at an MCP server with a non-root path (e.g.https://staging.mcp.cloudflare.com/mcp), open the Metadata Discovery panel, confirm the displayed source URL matches the request the SDK actually makes.