MCP OAuth authentication fails to use authorization_servers URL from Protected Resource Metadata #7228
Description
Description
When connecting to a remote MCP server that uses an external authorization server (like Auth0), OpenCode fails with:
HTTP 401 trying to load well-known OAuth metadata
The issue is that OpenCode tries to fetch OAuth metadata directly from the MCP server instead of using the authorization_servers URL from the protected resource metadata response.
This same setup works fine with Claude Code, which correctly follows the two-step discovery flow.
Related issues:
- Oath MCP always using root level even though my rul is .../xmcp/mcp #7135 has a similar issue (wrong path, same host). This one is different because the authorization server is on a completely different host.
Plugins
None
OpenCode version
1.0.220
Steps to reproduce
- Configure an MCP server with:
{
"mcp": {
"example-server": {
"type": "remote",
"url": "https://mcp-gateway.example.com/example-server"
}
}
}- Verify the protected resource metadata works:
$ curl https://mcp-gateway.example.com/.well-known/oauth-protected-resource/example-server
{
"authorization_servers": ["https://example.auth0.com/"],
"resource": "https://mcp-gateway.example.com/example-server",
...
}- Verify the authorization server metadata is accessible:
$ curl https://example.auth0.com/.well-known/oauth-authorization-server
{
"issuer": "https://example.auth0.com/",
"authorization_endpoint": "https://example.auth0.com/authorize",
"token_endpoint": "https://example.auth0.com/oauth/token",
...
}- Run
opencode mcp auth example-serverand observe it fails because it tries:
GET https://mcp-gateway.example.com/example-server/.well-known/oauth-authorization-server
instead of:
GET https://example.auth0.com/.well-known/oauth-authorization-server
Screenshot and/or share link
No response
Operating System
macOS 26.2
Terminal
Ghostty