Fix `/.well-known/oauth-authorization-server` dropping path by ihrpr · Pull Request #1014 · modelcontextprotocol/python-sdk
Copy link Copy Markdown
Contributor
As identified in modelcontextprotocol/typescript-sdk#687 we need fix it in Python SDK as well
Fixed OAuth discovery URL construction to comply with RFC 8414 by preserving path components. Previously, /.well-known/oauth-authorization-server discovery was dropping the path portion of authorization server URLs (e.g.,
https://example.com/path/mcp became https://example.com/.well-known/... instead of https://example.com/.well-known/.../path/mcp).
This fix enables operation with auth servers hosted at subpaths, matching the same issue recently fixed in the TypeScript SDK.
Fallback for backwards compatibility:
- If path-aware discovery returns 404, automatically retries at root: https://example.com/.well-known/oauth-authorization-server
- No fallback for root paths (/) to avoid unnecessary requests
- No fallback for non-404 errors to preserve error semantics