Fix OAuth: use authorization_servers URL from resource metadata for scope discovery #1133
Open
…uth server discovery

The discoverScopes function always used the MCP server URL to discover authorization server metadata, ignoring the authorization_servers field from the protected resource metadata. This caused failures when the authorization server is on a different domain than the MCP server.

Now checks resourceMetadata.authorization_servers for a URL to use, falling back to the MCP server URL when not available.

Fixes #675

Co-authored-by: cliffhall <871933+cliffhall@users.noreply.github.com>
Copilot (AI) changed the title from "[WIP] Investigate OAuth issue in inspector code" to "Fix OAuth: use authorization_servers URL from resource metadata for scope discovery" on Mar 8, 2026.
This was referenced Mar 8, 2026.
cliffhall (Member) approved these changes on Mar 9, 2026:
@BobDickinson @olaservo Note, this is what we're doing in oauth-state-machine.ts. It is just wrong that we're doing this in two places; V2 should be more unified on this front.
Summary

`discoverScopes` always used the MCP server URL for authorization server metadata discovery, ignoring `authorization_servers` from the protected resource metadata. This breaks OAuth when the auth server is on a different domain than the MCP server (Keycloak, Entra ID, etc.).

Fixes #675

Type of Change

Changes Made

The `oauth-state-machine.ts` `metadata_discovery` step already correctly extracts `authorization_servers[0]` from resource metadata. But `discoverScopes` in `auth.ts`, called from both the debug and normal OAuth flows, hardcoded `new URL("/", serverUrl)` as the discovery target.

Related Issues

Addresses the issue where Inspector ignores `authorization_servers` from protected resource metadata during scope discovery, per MCP spec Section 4.3.

Testing

Test Results and/or Instructions

Added 3 test cases to `auth.test.ts`:
- `authorization_servers` URL from resource metadata for discovery (different domain)
- `authorization_servers` URL (e.g. `/realms/my-realm/`)
- `serverUrl` when `authorization_servers` is empty

All 490 tests pass.

Checklist

`npm run prettier-fix`)

Breaking Changes

None.

Additional Context

None.
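The selection logic the PR describes, written out as an added example that is not Inspector's `auth.ts` or `oauth-state-machine.ts`: take `authorization_servers[0]` from the RFC 9728 protected resource metadata, fall back to `new URL("/", serverUrl)` when it is absent, and derive the RFC 8414 / OpenID discovery URLs from an issuer that may carry a path (Keycloak's `/realms/my-realm/`). Two checks that go beyond the PR and are my assumptions, not project behaviour: the issuer must be HTTPS unless it is loopback, and a discovery document whose `issuer` does not match the identifier it was fetched for is rejected (RFC 8414 section 3.3). The metadata responses, the scope-preference order (resource `scopes_supported` before the authorization server's), and the `fetchMetadata` callback are constructed for the example.

```typescript
// Added example, not Inspector code. Subset of RFC 9728 protected resource metadata.
interface ProtectedResourceMetadata {
  resource?: string;
  authorization_servers?: string[];
  scopes_supported?: string[];
}

// Subset of RFC 8414 / OpenID Provider metadata.
interface AuthorizationServerMetadata {
  issuer: string;
  authorization_endpoint?: string;
  token_endpoint?: string;
  scopes_supported?: string[];
}

// Choose the issuer to discover against: authorization_servers[0] from the
// protected resource metadata, otherwise the MCP server origin (the pre-fix behaviour).
export function selectAuthorizationServerUrl(
  serverUrl: string,
  resourceMetadata?: ProtectedResourceMetadata,
): URL {
  const candidate = resourceMetadata?.authorization_servers?.[0];
  const chosen = candidate ? new URL(candidate) : new URL("/", serverUrl);
  // Hardening (assumption, not from the PR): the token endpoint derived from this
  // issuer will receive codes and tokens, so refuse plaintext unless it is loopback.
  const loopback = ["localhost", "127.0.0.1", "[::1]"].includes(chosen.hostname);
  if (chosen.protocol !== "https:" && !loopback) {
    throw new Error(`refusing non-HTTPS authorization server ${chosen.href}`);
  }
  return chosen;
}

// RFC 8414 path insertion puts the well-known segment between host and issuer path;
// OpenID providers such as Keycloak commonly serve the path-appended form instead.
export function discoveryUrls(issuer: URL): string[] {
  const path = issuer.pathname.replace(/\/+$/, ""); // "" or "/realms/my-realm"
  const urls = [
    `${issuer.origin}/.well-known/oauth-authorization-server${path}`,
    `${issuer.origin}/.well-known/openid-configuration${path}`,
  ];
  if (path !== "") {
    urls.push(`${issuer.origin}${path}/.well-known/openid-configuration`);
  }
  return urls;
}

const normalizeIssuer = (s: string): string => s.replace(/\/+$/, "");

// Scope discovery: resource-advertised scopes first (assumed ordering), else the
// authorization server's, fetched through the caller-supplied lookup.
export function discoverScopes(
  resourceMetadata: ProtectedResourceMetadata | undefined,
  fetchMetadata: (url: string) => AuthorizationServerMetadata | undefined,
  serverUrl: string,
): string | undefined {
  if (resourceMetadata?.scopes_supported?.length) {
    return resourceMetadata.scopes_supported.join(" ");
  }
  const issuer = selectAuthorizationServerUrl(serverUrl, resourceMetadata);
  const expectedIssuer = normalizeIssuer(issuer.href);
  for (const url of discoveryUrls(issuer)) {
    const meta = fetchMetadata(url);
    if (!meta) continue;
    // RFC 8414 section 3.3: the document's issuer must equal the identifier we
    // discovered against; a mismatch is a mix-up, not a usable server.
    if (normalizeIssuer(meta.issuer) !== expectedIssuer) continue;
    return meta.scopes_supported?.length ? meta.scopes_supported.join(" ") : undefined;
  }
  return undefined;
}

// Constructed sample responses standing in for HTTP fetches, so this runs offline.
// The first entry deliberately reports the wrong issuer and must be skipped.
const SAMPLE_AS_METADATA: Record<string, AuthorizationServerMetadata> = {
  "https://idp.example.com/.well-known/oauth-authorization-server/realms/my-realm": {
    issuer: "https://idp.example.com/realms/other",
    scopes_supported: ["bad"],
  },
  "https://idp.example.com/realms/my-realm/.well-known/openid-configuration": {
    issuer: "https://idp.example.com/realms/my-realm",
    authorization_endpoint: "https://idp.example.com/realms/my-realm/protocol/openid-connect/auth",
    token_endpoint: "https://idp.example.com/realms/my-realm/protocol/openid-connect/token",
    scopes_supported: ["openid", "mcp:tools"],
  },
  "https://mcp.example.com/.well-known/oauth-authorization-server": {
    issuer: "https://mcp.example.com",
    scopes_supported: ["mcp:read"],
  },
};
export const lookupSample = (url: string): AuthorizationServerMetadata | undefined =>
  SAMPLE_AS_METADATA[url];

// Usage: a Keycloak-style issuer on a different host and path than the MCP server.
const keycloakPrm: ProtectedResourceMetadata = {
  resource: "https://mcp.example.com/mcp",
  authorization_servers: ["https://idp.example.com/realms/my-realm/"],
};
console.log(discoverScopes(keycloakPrm, lookupSample, "https://mcp.example.com/mcp"));
console.log(discoverScopes({ authorization_servers: [] }, lookupSample, "https://mcp.example.com/mcp"));
```

With the Keycloak-style resource metadata the path-insertion URL is tried first, its mismatched `issuer` is discarded, and the path-appended OpenID document supplies the scopes; with an empty `authorization_servers` the code falls back to the MCP server origin exactly as the PR's third test case describes.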