fix(mcp-oauth): fall back to root well-known URL for non-root resource paths (fixes #2675) #2673
Merged
code-yeongyu merged 2 commits into code-yeongyu:dev from Mar 25, 2026
When the resource URL has a sub-path (e.g. https://mcp.sentry.dev/mcp), the RFC 8414 path-suffixed well-known URL may not exist. Fall back to the root well-known URL before giving up. This matches OpenCode core's behavior and fixes authentication for servers like Sentry that serve OAuth metadata only at the root path.
No issues found across 2 files
Confidence score: 5/5
- Automated review surfaced no issues in the provided summaries.
- No files require special attention.
Auto-approved: Fixes a 404 error in OAuth discovery by adding a safe fallback to the root metadata endpoint; implementation is well-tested and only triggers if the primary lookup fails.
Problem
When a skill-embedded MCP server has a resource URL with a sub-path (e.g. https://mcp.sentry.dev/mcp), OAuth discovery fails because the path-suffixed well-known URL doesn't exist on some servers.

Fixes #2675

Discovery flow (before this fix):
- /.well-known/oauth-protected-resource → 404 (not all servers serve PRM)
- /.well-known/oauth-authorization-server/mcp (RFC 8414 path suffix) → 404
- "OAuth authorization server metadata not found" ❌

The root well-known URL (/.well-known/oauth-authorization-server) returns 200 with valid metadata, but is never tried.

Affected servers: Sentry MCP (https://mcp.sentry.dev/mcp), and potentially any MCP server that:
/mcp)

Note: OpenCode core handles this case correctly — this only affects oh-my-openagent's skill MCP OAuth flow.

Fix
Add a fallback in fetchAuthorizationServerMetadata: when the path-suffixed well-known URL returns 404 and the resource has a non-root path, try the root well-known URL before giving up.

Discovery flow (after this fix):
- /.well-known/oauth-protected-resource → 404
- /.well-known/oauth-authorization-server/mcp → 404
- /.well-known/oauth-authorization-server → 200 ✅

Also extracts parseMetadataFields helper to avoid duplicating the response parsing logic.

Changes
- src/features/mcp-oauth/discovery.ts — Add root-path fallback, extract parseMetadataFields
- src/features/mcp-oauth/discovery.test.ts — Add 2 test cases for sub-path resource URLs

Checklist
- bun run typecheck passes
- bun test src/features/mcp-oauth/discovery.test.ts passes (7/7)
- package.json
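
The authorization-server part of the discovery order described under Fix, written out as an added TypeScript example; it is not the PR's code. The names metadataCandidates, discoverMetadata and Probe, and the host mcp.example.test, are hypothetical, and the https checks on the returned endpoints are an assumption added here rather than something the PR states.

```typescript
// Added example; all names here are hypothetical, not the project's API.
type Metadata = { issuer: string; authorization_endpoint: string; token_endpoint: string };
type Probe = (url: string) => Promise<{ status: number; body?: unknown }>;

const WELL_KNOWN = "/.well-known/oauth-authorization-server";

// Ordered candidates: RFC 8414 path-suffixed URL first, then the root URL.
function metadataCandidates(resourceUrl: string): string[] {
  const u = new URL(resourceUrl);
  if (u.protocol !== "https:") throw new Error("resource URL must use https");
  const path = u.pathname.replace(/\/+$/, ""); // "/mcp/" -> "/mcp", "/" -> ""
  const root = u.origin + WELL_KNOWN;
  return path === "" ? [root] : [root + path, root];
}

function isHttpsUrl(v: unknown): v is string {
  try {
    return typeof v === "string" && new URL(v).protocol === "https:";
  } catch {
    return false;
  }
}

// Walk the candidates. Only a 404 moves on to the next one; any other
// non-200 status is surfaced instead of being masked by the fallback.
async function discoverMetadata(resourceUrl: string, probe: Probe): Promise<{ url: string; metadata: Metadata }> {
  for (const url of metadataCandidates(resourceUrl)) {
    const res = await probe(url);
    if (res.status === 404) continue;
    if (res.status !== 200) throw new Error(`unexpected status ${res.status} from ${url}`);
    const { issuer, authorization_endpoint, token_endpoint } = (res.body ?? {}) as Record<string, unknown>;
    if (!isHttpsUrl(issuer) || !isHttpsUrl(authorization_endpoint) || !isHttpsUrl(token_endpoint)) {
      throw new Error(`incomplete or non-https metadata at ${url}`);
    }
    return { url, metadata: { issuer, authorization_endpoint, token_endpoint } };
  }
  throw new Error("OAuth authorization server metadata not found");
}

// Constructed server: metadata exists only at the root well-known URL.
const constructedRoutes: Record<string, unknown> = {
  "https://mcp.example.test/.well-known/oauth-authorization-server": {
    issuer: "https://mcp.example.test",
    authorization_endpoint: "https://mcp.example.test/oauth/authorize",
    token_endpoint: "https://mcp.example.test/oauth/token",
  },
};
const constructedProbe: Probe = async (url) =>
  url in constructedRoutes ? { status: 200, body: constructedRoutes[url] } : { status: 404 };
```

Because every candidate is built from the resource URL's own origin, the fallback never sends the lookup to a different host.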