fix(auth): strip trailing slashes from OAuth metadata URLs#3013
fix(auth): strip trailing slashes from OAuth metadata URLs#3013piyushbag wants to merge 5 commits into
Conversation
There was a problem hiding this comment.
All reported issues were addressed across 3 files
Reply with feedback, questions, or to request a fix.
Fix all with cubic | Re-trigger cubic
a591757 to
c65b029
Compare
|
Rebased onto current Local: targeted auth route and metadata tests pass. |
|
CI failures were issuer string mismatches after the metadata slash strip ( Aligned the interaction auth fixtures and assertions with the canonical slash-free issuer. Local: full |
Pydantic AnyHttpUrl adds a trailing slash to bare hostnames, which breaks RFC 8414/9728 exact issuer and resource comparison during OAuth discovery. Pass canonical URL strings into metadata models so served wire JSON omits the synthetic root slash. Fixes modelcontextprotocol#1919 and modelcontextprotocol#1265.
Update docs, stories, and tests that asserted trailing slashes on root issuer and authorization_server metadata fields after the routes.py fix.
Remove the Pydantic AnyUrl xfail now that routes.strip trailing slashes, and assert issuer against the canonical form.
build_metadata now serves path-less issuers without a trailing slash. Update authorize iss defaults, PRM/ASM overrides, and assertions so RFC 9207 string compares match the canonical metadata form.
Keep path-based issuer/resource/authorization_server identifiers intact so exact-string matching still works. Root URLs still drop the synthetic slash added by AnyHttpUrl.
46006a4 to
9801940
Compare
|
Rebased onto current Identifier fields ( Endpoint path joining still uses Local: 28 auth route / protected-resource tests passed, including new path-based trailing-slash cases. |
Summary
issuerinbuild_metadata()before constructingOAuthMetadataresourceand eachauthorization_serversentry increate_protected_resource_routes()url_preserve_empty_pathserialize without a synthetic root slashAnyHttpUrlissuer inputs and root-level protected-resource metadata responsesFixes #1919. Also fixes #1265.
Test plan
uv run pytest tests/server/auth/test_routes.py -quv run pytest tests/server/auth/test_protected_resource.py -quv run pytest tests/server/auth/ -quv run ruff check src/mcp/server/auth/routes.py tests/server/auth/test_routes.py tests/server/auth/test_protected_resource.pyuv run pyright src/mcp/server/auth/routes.py