fix(mcp): use direct fetch for resource_metadata URL from WWW-Authenticate#1120
Open
xzavrel wants to merge 1 commit into
Open
fix(mcp): use direct fetch for resource_metadata URL from WWW-Authenticate#1120xzavrel wants to merge 1 commit into
xzavrel wants to merge 1 commit into
Conversation
71d6144 to
2f4e837
Compare
Contributor
…icate When the WWW-Authenticate header contains a resource_metadata parameter (RFC 9728 §5.1), the URL is already the complete metadata endpoint. Passing it through fetch_resource_metadata() incorrectly appends another /.well-known/oauth-protected-resource suffix, producing a broken URL. This causes the resource_metadata branch to fail silently, and the fallback path discovers the origin-level resource metadata which returns the wrong resource identifier (origin instead of the MCP server URL). The authorization server then rejects the request with invalid_target. Add fetch_resource_metadata_direct() that fetches from an already-known URL without appending the .well-known suffix. Use it in discover_and_register() for URLs extracted from WWW-Authenticate headers. Fixes moltis-org#1119
2f4e837 to
d49e933
Compare
This was referenced Jun 14, 2026
Collaborator
|
@greptileai review |
This was referenced Jul 7, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes #1119 — MCP OAuth fails with
invalid_targetfor servers that includeresource_metadatain theirWWW-Authenticateheader (Notion, Linear).Problem
discover_and_register()passes theresource_metadataURL fromWWW-Authenticatetofetch_resource_metadata(), which appends/.well-known/oauth-protected-resource— but the URL is already the complete metadata endpoint per RFC 9728 §5.1. This produces a broken double-suffix URL, the fetch fails silently, and the fallback path uses the wrong resource identifier (origin instead of the MCP server URL), causing the authorization server to reject withinvalid_target.Changes
crates/oauth/src/discovery.rsfetch_resource_metadata_direct()— fetches from an already-complete metadata URL without appending.well-knownsuffixcrates/oauth/src/lib.rscrates/mcp/src/auth.rsfetch_resource_metadata_directindiscover_and_register()when URL comes fromWWW-AuthenticateheaderTests added
fetch_resource_metadata_direct_success— Notion-style metadata at custom pathfetch_resource_metadata_direct_not_found— error handlingdiscovery_uses_www_authenticate_resource_metadata_directly— end-to-end discovery withWWW-Authenticateheader returning correct resourceValidation
Completed
resource_metadataURLs inWWW-Authenticateresourcefieldresource_metadata(Attio) are unaffected (fallback path unchanged)Remaining
cargo test -p moltis-oauth -p moltis-mcpcargo fmt --all -- --checkjust lintManual QA
https://mcp.notion.com/mcp, Streamable HTTP)invalid_targeterror)