fix: include transport path in protected resource metadata URL (RFC 9728 §3)#2670
Open
afischh wants to merge 1 commit into
Conversation
…728) Per RFC 9728 §3, the `resource` field in `/.well-known/oauth-protected-resource` must identify the actual protected endpoint URL — e.g. `http://localhost:8000/mcp`, not the bare server base `http://localhost:8000/`. Without the path, VS Code Copilot and other spec-compliant clients reject the server with:

Protected Resource Metadata resource "http://localhost:8000/" does not match MCP server resolved resource "http://localhost:8000/mcp"

Fix: append `streamable_http_path` / `sse_path` to `resource_server_url` before passing it to `create_protected_resource_routes` and `build_resource_metadata_url` in both the lowlevel and mcpserver transports.

Fixes modelcontextprotocol#1264

Signed-off-by: Alex Fisch <afischh@gmail.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Problem
Fixes #1264.
The `resource` field in `/.well-known/oauth-protected-resource` is supposed to identify the protected resource server as defined in RFC 9728 §2:

When a server mounts its MCP transport at a path (e.g. `/mcp` or `/sse`), the `resource` field must include that path — `https://example.com/mcp`, not just `https://example.com`.

Before this fix, both `StreamableHTTPServerTransport` and the SSE server always used the bare `resource_server_url` (without the transport path), so the metadata URL was derived incorrectly.

Root cause

`build_protected_resource_metadata_url` strips the path from the resource URL and reconstructs `/.well-known/oauth-protected-resource/<path>`. When the resource URL lacks the transport path, the well-known URL is wrong and RFC 9728 §3 lookup fails for path-mounted servers.

Fix

In both `lowlevel/server.py` (StreamableHTTP) and `mcpserver/server.py` (SSE), compute `actual_resource_url` by appending the transport path to `resource_server_url` before passing it to `build_protected_resource_metadata_url` and embedding it in the metadata:

Tests

`test_resource_url_includes_transport_path` — parametrized unit test: verifies correct `resource` value and correct metadata URL for `/mcp`, trailing-slash base URL + `/mcp`, and `/sse` transport paths
`test_protected_resource_metadata_contains_transport_path` — async integration test using a real `TestClient`