Description
Problem
The buildWWWAuthenticate function in pkg/auth/token.go constructs the resource_metadata URL according to RFC 9728 Section 3.1 by inserting /.well-known/oauth-protected-resource between the host and path components. However, it doesn't correctly handle the case where the resource URL has a trailing slash.
RFC 9728 Section 3.1 Requirement
"Any terminating slash after the host must be removed before inserting the well-known URI"
Bug
When resourceURL is http://localhost:8080/ (note the trailing slash):
- Current behavior: http://localhost:8080/.well-known/oauth-protected-resource/ ❌ (incorrect - has trailing slash)
- Expected behavior: http://localhost:8080/.well-known/oauth-protected-resource ✅ (correct - no trailing slash)
Root Cause
The code directly uses parsedURL.Path without checking if it equals "/". When a URL like http://localhost:8080/ is parsed, the path component is "/", which gets appended to the well-known URI, resulting in an unwanted trailing slash.
Impact
This violates RFC 9728 and could cause OAuth clients to fail when discovering resource metadata for servers with trailing slashes in their resource URLs.
Examples
| Resource URL | Current Output | Expected Output |
|---|---|---|
| http://localhost:8080 | ✅ .../oauth-protected-resource | ✅ .../oauth-protected-resource |
| http://localhost:8080/ | ❌ .../oauth-protected-resource/ | ✅ .../oauth-protected-resource |
| http://localhost:8080/mcp | ✅ .../oauth-protected-resource/mcp | ✅ .../oauth-protected-resource/mcp |
Solution
Add a check to remove the terminating slash when path == "/":
```go
// Per RFC 9728 Section 3.1, remove any terminating slash from path
path := parsedURL.Path
if path == "/" {
	path = ""
}
```
Related
- Introduced in commit 0e7e6761 (or 26b7503 on main branch)
- RFC 9728: https://www.rfc-editor.org/rfc/rfc9728.html#section-3.1
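The following is an added, stand-alone illustration of the corrected construction, not the project's own buildWWWAuthenticate; resourceMetadataURL and wwwAuthenticate are hypothetical helper names, and the three inputs are the ones from the table above.

```go
package main

import (
	"fmt"
	"net/url"
)

// protectedResourceWellKnown is the well-known URI suffix from RFC 9728.
const protectedResourceWellKnown = "/.well-known/oauth-protected-resource"

// resourceMetadataURL builds the metadata URL for a resource identifier per
// RFC 9728 Section 3.1: the well-known URI is inserted between the host and
// the path, and a terminating slash after the host is dropped first. Only a
// bare "/" is stripped; a deeper path such as "/mcp/" is kept verbatim.
func resourceMetadataURL(resourceURL string) (string, error) {
	parsed, err := url.Parse(resourceURL)
	if err != nil {
		return "", err
	}
	if parsed.Scheme == "" || parsed.Host == "" {
		return "", fmt.Errorf("resource URL %q must be absolute", resourceURL)
	}
	path := parsed.Path
	if path == "/" {
		path = "" // the fix proposed in the issue
	}
	metadata := url.URL{Scheme: parsed.Scheme, Host: parsed.Host, Path: protectedResourceWellKnown + path}
	return metadata.String(), nil
}

// wwwAuthenticate renders the Bearer challenge that points a client at the
// metadata document (the value a 401 response would carry).
func wwwAuthenticate(resourceURL string) (string, error) {
	m, err := resourceMetadataURL(resourceURL)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf(`Bearer resource_metadata="%s"`, m), nil
}

func main() {
	for _, r := range []string{"http://localhost:8080", "http://localhost:8080/", "http://localhost:8080/mcp"} {
		h, err := wwwAuthenticate(r)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%-26s -> %s\n", r, h)
	}
}
```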