Description
Summary
The client only discovers authorization servers that expose RFC 8414 OAuth metadata when no resource_metadata link is present. In the no-metadata case the code currently stops after probing /.well-known/oauth-authorization-server and never tries /.well-known/openid-configuration, so OIDC-only providers fail to authenticate.
Details
- Relevant code: method `build_oauth_authorization_server_metadata_discovery_urls` in file `src/mcp/client/auth/utils.py`.
- When `auth_server_url` is missing the function builds a single URL (`/.well-known/oauth-authorization-server`) derived from the MCP server's origin.
- The fallback that probes `/.well-known/openid-configuration` only executes when `authorization_server_url` exists and has a path component, so most deployments without RFC 9728 metadata cannot reach OIDC discovery, even if valid URLs exist.
Steps to Reproduce
- Configure the MCP client to talk to a protected resource that does not emit `resource_metadata` in `WWW-Authenticate`.
- Ensure the linked authorization server only publishes `/.well-known/openid-configuration` (no OAuth metadata document).
- Run the client: discovery fails immediately because the only attempted URL is `/.well-known/oauth-authorization-server`.
Expected
The client should probe both OAuth and OIDC well-known endpoints (including path-aware variants) regardless of whether the URL came from protected-resource metadata or static config.
Actual
Only the OAuth well-known endpoint is checked, so OIDC-only servers cannot be discovered and authentication stops.
Impact
MCP servers that rely on an OpenID Provider without RFC 8414 metadata (which is allowed by the OpenID spec) are inaccessible with the current library.
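The discovery order the issue asks for, as an added example written for this page; it is not the SDK's own code and the function names, hostnames and paths are invented. It builds every well-known candidate for an issuer (RFC 8414 path-inserted, the RFC 8414 section 5 compatibility placement for OIDC, and the OIDC Discovery path-appended form), falls back to the MCP server's origin when protected-resource metadata named no authorization server, and probes the candidates through an injectable `fetch` so it runs offline against a constructed OIDC-only provider. The `issuer` comparison in `discover_metadata` is a hardening step added here, not something the issue discusses.

```python
"""Added example: build and probe OAuth/OIDC discovery URLs (not the SDK's code)."""
import json
from typing import Callable, Optional
from urllib.parse import urlsplit, urlunsplit

OAUTH_WELL_KNOWN = "/.well-known/oauth-authorization-server"  # RFC 8414
OIDC_WELL_KNOWN = "/.well-known/openid-configuration"         # OpenID Connect Discovery

# (status, body) for a URL; injected so the example runs without a network.
Fetch = Callable[[str], tuple[int, bytes]]


def discovery_urls(issuer: str) -> list[str]:
    """Candidate metadata URLs for an issuer, in probe order.

    Both documents and both path placements are covered, so an OIDC-only
    provider (the case in this issue) is found whether or not the issuer
    has a path component.
    """
    parts = urlsplit(issuer)
    origin = urlunsplit((parts.scheme, parts.netloc, "", "", ""))
    path = parts.path.rstrip("/")
    candidates = [
        origin + OAUTH_WELL_KNOWN + path,  # RFC 8414 sec. 3: well-known inserted before the path
        origin + OIDC_WELL_KNOWN + path,   # RFC 8414 sec. 5: same placement for OIDC (compat)
        origin + path + OIDC_WELL_KNOWN,   # OIDC Discovery sec. 4.1: well-known appended
    ]
    # With no path the two OIDC forms coincide; keep order, drop duplicates.
    return list(dict.fromkeys(candidates))


def issuer_for_discovery(auth_server_url: Optional[str], mcp_server_url: str) -> str:
    """Issuer to probe: the linked authorization server when protected-resource
    metadata named one, otherwise the MCP server's origin (the fallback the
    issue describes)."""
    if auth_server_url:
        return auth_server_url
    parts = urlsplit(mcp_server_url)
    return urlunsplit((parts.scheme, parts.netloc, "", "", ""))


def discover_metadata(issuer: str, fetch: Fetch) -> Optional[dict]:
    """Probe every candidate and return the first usable metadata document.

    The document's `issuer` must match the issuer the URL was derived from
    (RFC 8414 sec. 3.3 / OIDC Discovery sec. 4.3); metadata served under a
    different issuer is refused rather than trusted.
    """
    for url in discovery_urls(issuer):
        status, body = fetch(url)
        if status != 200:
            continue
        try:
            doc = json.loads(body)
        except ValueError:
            continue
        if not isinstance(doc, dict):
            continue
        if not all(k in doc for k in ("authorization_endpoint", "token_endpoint")):
            continue
        if str(doc.get("issuer", "")).rstrip("/") != issuer.rstrip("/"):
            continue  # issuer mismatch: do not accept this document
        return doc
    return None


# Constructed sample (hostname and paths invented): a provider that publishes
# only the OIDC document, under an issuer that carries a path.
OIDC_ONLY_PROVIDER = {
    "https://idp.example/tenant1/.well-known/openid-configuration": {
        "issuer": "https://idp.example/tenant1",
        "authorization_endpoint": "https://idp.example/tenant1/authorize",
        "token_endpoint": "https://idp.example/tenant1/token",
    }
}


def fake_fetch(url: str) -> tuple[int, bytes]:
    """Stand-in for an HTTP GET against the constructed provider above."""
    doc = OIDC_ONLY_PROVIDER.get(url)
    return (200, json.dumps(doc).encode()) if doc else (404, b"")


if __name__ == "__main__":
    issuer = issuer_for_discovery("https://idp.example/tenant1", "https://mcp.example/mcp")
    for candidate in discovery_urls(issuer):
        print("probe:", candidate)
    print(discover_metadata(issuer, fake_fetch))
```

With the issuer from the sample, the first two candidates return 404 and the third (path-appended OIDC document) is accepted; a client that stops after the RFC 8414 URL, as the issue describes, never reaches it.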