Workaround patch for root path OAuth discovery in MCP SDK #689

Merged
mattzcarey merged 2 commits into main from fix-mcp-patch
Nov 28, 2025

@mattzcarey mattzcarey commented Nov 28, 2025

Add fallback to try root path (/.well-known/oauth-authorization-server) when path-based OAuth discovery fails. This handles cases where MCP servers provide an endpoint path instead of the issuer URL in authorization_servers, which violates RFC 9470 but occurs in practice.

fixes: #686

changeset-bot bot commented Nov 28, 2025

🦋 Changeset detected

Latest commit: db6bbf3

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
agents Patch

claude bot commented Nov 28, 2025

Claude Code Review

Status: Approved

This PR adds a pragmatic workaround for OAuth discovery with MCP servers that violate RFC 9470 by providing endpoint paths instead of issuer URLs in authorization_servers.

Summary

The patch adds a fallback to try /.well-known/oauth-authorization-server at the root domain when path-based discovery fails. This fixes connection issues with better-auth powered servers (Prisma, Green Tea) that were breaking due to 404s during auth probes.

Issues Identified

1. Missing test coverage

The patch modifies buildDiscoveryUrls() but there are no tests validating:

  • The new root path fallback is tried when other discovery URLs fail
  • The fallback order is correct
  • It handles the better-auth case specifically

Recommendation: Add tests in packages/agents/src/tests/mcp/oauth2-mcp-client.test.ts to verify the fallback behavior works correctly.

2. Potential ordering concern

The root path fallback is added after all other discovery attempts. Consider whether this is optimal - if better-auth servers consistently fail on path-based discovery, trying root first might be more efficient. However, the current order is safer for RFC-compliant servers.

Minor Notes

  • The duplicate patch application (ESM + CJS) is correct and necessary
  • Comment clearly explains the RFC violation context
  • Changeset properly documents the patch scope
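
An added example (not code from this PR or the MCP SDK) of the fallback order discussed in the review above: path-based discovery URLs first, the root path last, in a form that can be tested against a stubbed server. The function names, the injected `fetchJson`, and the same-origin issuer check are assumptions of this example; the check is looser than the exact issuer match RFC 8414 section 3.3 requires.

```javascript
// Added example: hypothetical helpers, not the MCP SDK's buildDiscoveryUrls().
const WELL_KNOWN_OAUTH = "/.well-known/oauth-authorization-server";
const WELL_KNOWN_OIDC = "/.well-known/openid-configuration";

// Ordered metadata URLs for a configured authorization server URL.
// Path-aware candidates come first so compliant servers behave as before;
// the root-path candidate is the last resort described in the PR.
function discoveryCandidates(authServerUrl) {
  const url = new URL(authServerUrl);
  const path = url.pathname.replace(/\/+$/, ""); // "" when there is no path
  const candidates = [];
  if (path) {
    candidates.push(url.origin + WELL_KNOWN_OAUTH + path); // path insertion
    candidates.push(url.origin + WELL_KNOWN_OIDC + path);
    candidates.push(url.origin + path + WELL_KNOWN_OIDC); // path appending
  } else {
    candidates.push(url.origin + WELL_KNOWN_OAUTH);
    candidates.push(url.origin + WELL_KNOWN_OIDC);
  }
  const rootFallback = url.origin + WELL_KNOWN_OAUTH;
  if (!candidates.includes(rootFallback)) candidates.push(rootFallback);
  return candidates;
}

// True when both strings parse as URLs with the same scheme, host and port.
function sameOrigin(a, b) {
  try {
    return new URL(a).origin === new URL(b).origin;
  } catch {
    return false;
  }
}

// Try each candidate in order. `fetchJson` is injected (assumption) and
// resolves to { status, body }. Metadata whose `issuer` is missing or on a
// different origin than the configured URL is rejected instead of trusted.
async function discoverMetadata(authServerUrl, fetchJson) {
  for (const candidate of discoveryCandidates(authServerUrl)) {
    const res = await fetchJson(candidate);
    if (res.status !== 200) continue; // e.g. the 404s on path-based probes
    const issuer = res.body && res.body.issuer;
    if (typeof issuer !== "string" || !sameOrigin(issuer, authServerUrl)) {
      throw new Error(`issuer mismatch in metadata from ${candidate}`);
    }
    return { url: candidate, metadata: res.body };
  }
  return null; // no candidate served metadata
}
```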

pkg-pr-new bot commented Nov 28, 2025

npm i https://pkg.pr.new/cloudflare/agents@689

commit: db6bbf3

@whoiskatrin whoiskatrin self-requested a review November 28, 2025 20:16
@mattzcarey mattzcarey merged commit 64a6ac3 into main Nov 28, 2025
6 checks passed
@mattzcarey mattzcarey deleted the fix-mcp-patch branch November 28, 2025 20:17
@github-actions github-actions bot mentioned this pull request Nov 27, 2025

Development

Successfully merging this pull request may close these issues.

Certain authenticated MCP Servers stopped working due to 404 during mcp client sdk auth probe
