1.21.1 breaks Jira MCP OAuth

[andruhon]

Describe the bug
After upgrading to 1.21.1 https://mcp.atlassian.com/v1/sse gives 404 when trying to open well-known urls.

To Reproduce
Steps to reproduce the behavior:
Install @modelcontextprotocol/sdk 1.21.1

import type { OAuthClientProvider } from '@modelcontextprotocol/sdk/client/auth.js';
import type {
    OAuthClientInformationFull,
    OAuthClientMetadata,
    OAuthTokens,
} from '@modelcontextprotocol/sdk/shared/auth.js';
import { auth } from '@modelcontextprotocol/sdk/client/auth.js';..
import * as crypto from 'node:crypto';

interface OAuthClientProviderConfig {
    redirectUrl: string;
    serverUrl: string;
}

interface OAuthStorageData {
    tokens?: OAuthTokens;
    codeVerifier?: string;
    clientInformation?: OAuthClientInformationFull;
}

export class OAuthClientProviderImpl implements OAuthClientProvider {
    private config: OAuthClientProviderConfig;
    private innerState: string;
    private storageCache: OAuthStorageData = {};

    constructor(config: OAuthClientProviderConfig) {
        this.config = config;
        this.innerState = crypto.randomUUID();
    }

    state(): string | Promise<string> {
        return this.innerState;
    }

    get redirectUrl() {
        return this.config.redirectUrl;
    }

    get clientMetadata(): OAuthClientMetadata {
        return {
            redirect_uris: [this.config.redirectUrl],
            client_name: 'Gaunt Sloth Assistant',
            client_uri: 'https://gaunt-sloth-assistant.github.io/',
            software_id: '1dd38b83-946b-4631-8855-66ee467bfd68',
            scope: 'mcp:read mcp:write',
            token_endpoint_auth_method: 'none',
            grant_types: ['authorization_code', 'refresh_token'],
            response_types: ['code'],
        };
    }

    saveClientInformation(clientInformation: OAuthClientInformationFull): Promise<void> {
        this.storageCache.clientInformation = clientInformation;
        return Promise.resolve();
    }

    async clientInformation(): Promise<OAuthClientInformationFull | undefined> {
        return Promise.resolve(this.storageCache.clientInformation);
    }

    async saveTokens(tokens: OAuthTokens): Promise<void> {
        this.storageCache.tokens = tokens;
    }

    tokens(): OAuthTokens | undefined {
        return this.storageCache.tokens;
    }

    saveCodeVerifier(codeVerifier: string): Promise<void> {
        this.storageCache.codeVerifier = codeVerifier;
        return Promise.resolve();
    }

    codeVerifier(): Promise<string> {
        if (!this.storageCache.codeVerifier) {
            throw new Error('No code verifier stored');
        }
        return Promise.resolve(this.storageCache.codeVerifier);
    }

    async redirectToAuthorization(authUrl: URL): Promise<void> {
        console.log('Auth url:', authUrl.toString());
    }
}

const url = "https://mcp.atlassian.com/v1/sse"

const authProvider = new OAuthClientProviderImpl({
    redirectUrl: `http://localhost:5555/oauth/callback`,
    serverUrl: url,
});

await auth(authProvider, { serverUrl: url })

Expected behavior
OAuth Roundtrip working.

Logs
ServerError: HTTP 404: Invalid OAuth error response: SyntaxError: Unexpected non-whitespace character after JSON at position 4 (line 1 column 5). Raw body: 404 Not Found

Additional context
Pinning 1.20.0 fixes the issue

[pcarleton]

👍 I believe the issue is how we're handling the well-known fallback in the legacy server situation.

Specifically, the order of operations we're following now is the draft spec:

For issuer URLs with path components (e.g., https://auth.example.com/tenant1), clients MUST try endpoints in the following priority order:

1. OAuth 2.0 Authorization Server Metadata with path insertion: https://auth.example.com/.well-known/oauth-authorization-server/tenant1
2. OpenID Connect Discovery 1.0 with path insertion: https://auth.example.com/.well-known/openid-configuration/tenant1
3. OpenID Connect Discovery 1.0 path appending: https://auth.example.com/tenant1/.well-known/openid-configuration

For issuer URLs without path components (e.g., https://auth.example.com), clients MUST try:

1. OAuth 2.0 Authorization Server Metadata: https://auth.example.com/.well-known/oauth-authorization-server
2. OpenID Connect Discovery 1.0: https://auth.example.com/.well-known/openid-configuration

That should still work with old servers, however there's a weird interaction w/ what we consider the "issuer" URL for legacy servers. We're not getting an explicit signal from legacy servers on what the issuer URL is, so the SDK needs to pick one to then go through the discovery algorithm.

Prior to 1.21.1:

• Pick server URL as issuer URL, so https://example.com/mcp
• Run discovery algorithm for path-based issuer
• Also check root

With 1.21.1:

• Pick server URL as issuer URL, so https://example.com/mcp
• Run discovery algorithm for path-based issuer
• Also check root

We'll want to fix this is by changing what we "guess" as the issuer URL to be the base URL instead of the path-based one. We will also want to make the code path more explicit that we're in a "legacy" mode, and make it optional to support the legacy mode since there will be weaker security guarantees with these setups (e.g. no resource parameter).

Separately, I'm working on conformance tests for the authz flows, and will aim to have this scenario as a backwards compatibility check.

[andruhon]

Yes, what I noticed happened is that all guessed URLs are loosing /v1/ segment. For example https://mcp.atlassian.com/v1/register becomes https://mcp.atlassian.com/register