Skip to content

[auth] OAuth protected-resource-metadata: fallback on 4xx not just 404#879

Merged
pcarleton merged 3 commits intomainfrom
pcarleton/oauth-prm-fallback-4xx
Aug 19, 2025
Merged

[auth] OAuth protected-resource-metadata: fallback on 4xx not just 404#879
pcarleton merged 3 commits intomainfrom
pcarleton/oauth-prm-fallback-4xx

Conversation

@pcarleton
Copy link
Copy Markdown
Member

@pcarleton pcarleton commented Aug 15, 2025

Motivation and Context

Some places will return a 401 or other 4xx status code when you probe for a metadata endpoint they don't support. Prior to this, we'd only fallback specifically on a 404, but if it's unauthorized, you're not guaranteed to get a 404.

Without this change, clients will fail trying to get the path-aware version and never try the supported root PRM path.

How Has This Been Tested?

Added tests

Breaking Changes

Unbreaks a change from introducing path-aware metadata

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Additional context

@pcarleton pcarleton requested review from a team, domdomegg and ochafik August 15, 2025 09:06
domdomegg
domdomegg reviewed Aug 15, 2025
View reviewed changes
src/client/auth.test.ts Outdated

it("falls back to root discovery when path-aware discovery returns 404", async () => {
// First call (path-aware) returns 404
it("falls back to root discovery when path-aware discovery fails", async () => {
Copy link
Copy Markdown
Member

@domdomegg domdomegg Aug 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

maybe we could make this a parameterised test (with it.each) to check across many 4xx statuses?

domdomegg
domdomegg reviewed Aug 15, 2025
View reviewed changes
domdomegg
domdomegg approved these changes Aug 15, 2025
View reviewed changes
Copy link
Copy Markdown
Member

@domdomegg domdomegg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks!

@pcarleton @domdomegg
Update src/client/auth.ts
d4da6c6 
Co-authored-by: adam jones <[email protected]>
ochafik
ochafik approved these changes Aug 19, 2025
View reviewed changes
src/client/auth.test.ts Outdated

it("falls back to root discovery when path-aware discovery returns 404", async () => {
// First call (path-aware) returns 404
it("falls back to root discovery when path-aware discovery fails", async () => {
Copy link
Copy Markdown
Contributor

@ochafik ochafik Aug 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

could also be good to add "falls back when path-aware discovery encounters internal server error" (to check the 500s are left out of the logic)

@pcarleton pcarleton merged commit 1f5950b into main Aug 19, 2025
5 checks passed
@pcarleton pcarleton deleted the pcarleton/oauth-prm-fallback-4xx branch August 19, 2025 14:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ochafik ochafik ochafik approved these changes

@domdomegg domdomegg domdomegg approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@pcarleton @ochafik @domdomegg