Fix `/.well-known/oauth-authorization-server` dropping path by ihrpr · Pull Request #1014

Fix `/.well-known/oauth-authorization-server` dropping path by ihrpr · Pull Request #1014 · modelcontextprotocol/python-sdk

Copy link Copy Markdown

Contributor

As identified in modelcontextprotocol/typescript-sdk#687 we need fix it in Python SDK as well

Fixed OAuth discovery URL construction to comply with RFC 8414 by preserving path components. Previously, /.well-known/oauth-authorization-server discovery was dropping the path portion of authorization server URLs (e.g.,
https://example.com/path/mcp became https://example.com/.well-known/... instead of https://example.com/.well-known/.../path/mcp).

This fix enables operation with auth servers hosted at subpaths, matching the same issue recently fixed in the TypeScript SDK.

Fallback for backwards compatibility:

If path-aware discovery returns 404, automatically retries at root: https://example.com/.well-known/oauth-authorization-server
No fallback for root paths (/) to avoid unnecessary requests
No fallback for non-404 errors to preserve error semantics