Merge pull request #395 from koic/rfc8414_well_known_suffix

koic · web-flow · commit 8e41474f711d · 2026-06-13T20:23:10.000+09:00
Pin RFC 8414 Default Well-Known Suffix per SEP-2351
diff --git a/lib/mcp/client/oauth/discovery.rb b/lib/mcp/client/oauth/discovery.rb
@@ -90,7 +90,17 @@ def protected_resource_metadata_urls(server_url:, resource_metadata_url: nil)
           end
 
           # Returns the candidate Authorization Server metadata URLs to probe, in priority order.
-          # https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization#authorization-server-metadata-discovery
+          #
+          # Per SEP-2351, MCP uses the default `oauth-authorization-server` well-known URI suffix
+          # registered by RFC 8414 Section 7.3 and defines no application-specific suffix of its own.
+          # The OAuth candidates below therefore use only that default suffix
+          # (plus the `openid-configuration` suffix from OpenID Connect Discovery),
+          # both in the RFC 8414 Section 3.1 path-inserted form for issuers with a path component
+          # and in the root form for issuers without one.
+          #
+          # - https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization#authorization-server-metadata-discovery
+          # - https://github.com/modelcontextprotocol/modelcontextprotocol/pull/2351
+          # - https://www.rfc-editor.org/rfc/rfc8414#section-3.1
           def authorization_server_metadata_urls(issuer_url)
             uri = URI.parse(issuer_url)
             path = uri.path == "/" ? "" : uri.path.to_s
diff --git a/test/mcp/client/oauth/discovery_test.rb b/test/mcp/client/oauth/discovery_test.rb
@@ -121,6 +121,43 @@ def test_authorization_server_metadata_urls_for_path_issuer
           assert_includes(urls, "https://auth.example.com/tenant1/.well-known/openid-configuration")
         end
 
+        # Per SEP-2351, MCP explicitly uses the RFC 8414 default `oauth-authorization-server` well-known URI suffix
+        # and defines no application-specific suffix. The first probed candidate for a root issuer must be exactly
+        # that default suffix.
+        def test_authorization_server_metadata_urls_probe_rfc8414_default_suffix_first
+          urls = Discovery.authorization_server_metadata_urls("https://auth.example.com")
+
+          assert_equal("https://auth.example.com/.well-known/oauth-authorization-server", urls.first)
+        end
+
+        def test_authorization_server_metadata_urls_use_only_registered_well_known_suffixes
+          root_urls = Discovery.authorization_server_metadata_urls("https://auth.example.com")
+          path_urls = Discovery.authorization_server_metadata_urls("https://auth.example.com/tenant1")
+
+          (root_urls + path_urls).each do |url|
+            suffix = url[%r{/\.well-known/([^/]+)}, 1]
+
+            assert_includes(
+              ["oauth-authorization-server", "openid-configuration"], suffix, "unexpected well-known suffix in #{url}"
+            )
+          end
+        end
+
+        def test_authorization_server_metadata_urls_put_path_inserted_oauth_candidate_first_for_path_issuer
+          urls = Discovery.authorization_server_metadata_urls("https://auth.example.com/tenant1")
+
+          assert_equal("https://auth.example.com/.well-known/oauth-authorization-server/tenant1", urls.first)
+        end
+
+        def test_authorization_server_metadata_urls_treat_trailing_slash_issuer_as_root
+          urls = Discovery.authorization_server_metadata_urls("https://auth.example.com/")
+
+          assert_equal(
+            ["https://auth.example.com/.well-known/oauth-authorization-server", "https://auth.example.com/.well-known/openid-configuration"],
+            urls,
+          )
+        end
+
         def test_canonicalize_url_normalizes_scheme_host_port_and_path
           assert_equal(
             "https://srv.example.com/mcp",
