Skip to content

fix(mcp): use correct authorization server URL for OAuth discovery #7234

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
rekram1-node merged 1 commit into from
Jan 7, 2026
Merged

fix(mcp): use correct authorization server URL for OAuth discovery #7234

rekram1-node merged 1 commit into from
Jan 7, 2026

Conversation

@rscarvalho
Copy link
Contributor

@rscarvalho rscarvalho commented Jan 7, 2026

Summary

Upgrade @modelcontextprotocol/sdk from 1.15.1 to 1.25.2 to fix OAuth discovery for external authorization servers.

Fixes #7228

Problem

When an MCP server's protected resource metadata returns an external authorization_servers URL (e.g., Auth0), OpenCode incorrectly fetches /.well-known/oauth-authorization-server from the MCP server instead of the authorization server.

Solution

Upgrade the MCP SDK to 1.25.2, which fixes the URL construction in discoverOAuthMetadata().

Related

PR #5940 addresses the same SDK bug but also adds a redirectUri configuration option. This PR is a minimal fix focusing only on the SDK upgrade. The redirectUri feature could be considered separately.

@github-actions
Copy link
Contributor

github-actions bot commented Jan 7, 2026

The following comment was made by an LLM, it may be inaccurate:

Related PR Found

PR #5940: fix(mcp): Upgrade SDK and add redirectUri config for OAuth callback
#5940

Why it's related:

@rscarvalho rscarvalho force-pushed the 7228-mcp-oauth-auth-flow branch from e43c2d1 to 7e3865a Compare January 7, 2026 17:28
@rekram1-node rekram1-node merged commit a160eee into anomalyco:dev Jan 7, 2026
3 checks passed
@rscarvalho rscarvalho deleted the 7228-mcp-oauth-auth-flow branch January 7, 2026 18:47
This was referenced Jan 8, 2026
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

MCP OAuth authentication fails to use authorization_servers URL from Protected Resource Metadata

2 participants

@rscarvalho @rekram1-node