OAuth metadata url building should use authorization_server as base_url rather than mcp server url #762

@JoJoJoJoJoJoJo

Describe the bug
When I try to connect to github-mcp-server, it always raises a 403 error. After investigating the code, I believe it's due to the wrong base_url being used when building the authorization server URL.

To Reproduce
Steps to reproduce the behavior:

  1. MCP server URL: https://api.githubcopilot.com/mcp
  2. Protected Resource metadata:
    Response from GitHub OAuth server:

    ```
    {'resource_name': 'GitHub MCP Server',
     'resource': 'https://api.githubcopilot.com/mcp',
     'authorization_servers': ['https://github.com/login/oauth'],
     'bearer_methods_supported': ['header'],
     'scopes_supported': ['gist',
      'notifications',
      'public_repo',
      'repo',
      'repo:status',
      'repo_deployment',
      'user',
      'user:email',
      'user:follow',
      'read:gpg_key',
      'read:org']}
    ```
  3. Try to get OAuth metadata
    Current code:

    ```
    const metadata = await discoverOAuthMetadata(serverUrl, {
        authorizationServerUrl
    });
    ```

Then the built metadata well-known URL is `/.well-known/oauth-authorization-server/mcp`, whose path comes from the MCP server URL. However, the right URL should be `/.well-known/oauth-authorization-server/login/oauth`, with the path coming from authorization_servers.

Expected behavior
Build the metadata url with authorization_servers.

Additional context
I also tried the Python SDK and it is working. The related code uses authorization_server_url to build the metadata URL.
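
The URL construction this issue asks for, as an added example that is not part of the original issue and not the SDK's code: the well-known URL is derived from the advertised authorization server (RFC 8414 section 3.1), never from the MCP server URL. The function names are hypothetical, and the resource and issuer checks follow RFC 9728 and RFC 8414 rather than anything the issue states.

```javascript
// Added example: function names are hypothetical, not the SDK's API.
const WELL_KNOWN = "/.well-known/oauth-authorization-server";

// RFC 8414 section 3.1: insert the well-known suffix between the host and the
// path of the issuer, after dropping any trailing "/" from the path.
function authServerMetadataUrl(issuer) {
  const u = new URL(issuer);
  if (u.protocol !== "https:") throw new Error("issuer must use https");
  if (u.search || u.hash) throw new Error("issuer must not carry a query or fragment");
  const path = u.pathname.replace(/\/+$/, "");
  return `${u.origin}${WELL_KNOWN}${path}`;
}

// Pick the issuer from protected resource metadata (RFC 9728), refusing
// metadata that describes a different resource than the one being contacted.
function selectIssuer(serverUrl, resourceMetadata) {
  if (resourceMetadata.resource !== serverUrl) {
    throw new Error("resource metadata does not match the MCP server URL");
  }
  const servers = resourceMetadata.authorization_servers;
  if (!Array.isArray(servers) || servers.length === 0) {
    throw new Error("no authorization_servers advertised");
  }
  return servers[0];
}

// RFC 8414 section 3.3: the issuer in the fetched metadata must be identical
// to the issuer the well-known URL was built from.
function checkIssuer(expectedIssuer, authServerMetadata) {
  return authServerMetadata.issuer === expectedIssuer;
}

// Values copied from the issue's reproduction steps.
const serverUrl = "https://api.githubcopilot.com/mcp";
const resourceMetadata = {
  resource: "https://api.githubcopilot.com/mcp",
  authorization_servers: ["https://github.com/login/oauth"],
};

const issuer = selectIssuer(serverUrl, resourceMetadata);
console.log("from authorization_servers:", authServerMetadataUrl(issuer));
// Path that results when the MCP server URL is used as the base instead.
console.log("from MCP server URL path:", new URL(authServerMetadataUrl(serverUrl)).pathname);
```
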
