fix: preserve auth server path in OAuth metadata URL construction

dankelleher · dankelleher · commit 846f67db7c55 · 2025-06-17T16:32:00.000+02:00
Previously, the path was stripped when constructing the well-known OAuth
metadata URL. Per RFC 8414 §3.1, the path must be preserved after the
.well-known segment to support multitenant auth servers that encode
tenant IDs in the path.

- Fix oauthAuthServerMetadataUrl to preserve path segments
- Add comprehensive test coverage for the function
diff --git a/client/src/components/OAuthFlowProgress.tsx b/client/src/components/OAuthFlowProgress.tsx
@@ -4,6 +4,7 @@ import { Button } from "./ui/button";
 import { DebugInspectorOAuthClientProvider } from "@/lib/auth";
 import { useEffect, useMemo, useState } from "react";
 import { OAuthClientInformation } from "@modelcontextprotocol/sdk/shared/auth.js";
+import { oauthAuthServerMetadataUrl } from "@/utils/oauthUtils.ts";
 
 interface OAuthStepProps {
   label: string;
@@ -196,10 +197,7 @@ export const OAuthFlowProgress = ({
                     <p className="text-xs text-muted-foreground">
                       From{" "}
                       {
-                        new URL(
-                          "/.well-known/oauth-authorization-server",
-                          authState.authServerUrl,
-                        ).href
+                        oauthAuthServerMetadataUrl(authState.authServerUrl).href
                       }
                     </p>
                   )}
diff --git a/client/src/utils/__tests__/oauthUtils.ts b/client/src/utils/__tests__/oauthUtils.ts
@@ -1,6 +1,7 @@
 import {
   generateOAuthErrorDescription,
   parseOAuthCallbackParams,
+  oauthAuthServerMetadataUrl,
 } from "@/utils/oauthUtils.ts";
 
 describe("parseOAuthCallbackParams", () => {
@@ -76,3 +77,37 @@ describe("generateOAuthErrorDescription", () => {
     );
   });
 });
+
+describe("oauthAuthServerMetadataUrl", () => {
+  it("Returns metadata URL for simple auth server URL", () => {
+    const input = new URL("https://auth.example.com");
+    const result = oauthAuthServerMetadataUrl(input);
+    expect(result.href).toBe(
+      "https://auth.example.com/.well-known/oauth-authorization-server",
+    );
+  });
+
+  it("Returns metadata URL for auth server with path", () => {
+    const input = new URL("https://auth.example.com/oauth/tenant/xyz");
+    const result = oauthAuthServerMetadataUrl(input);
+    expect(result.href).toBe(
+      "https://auth.example.com/.well-known/oauth-authorization-server/oauth/tenant/xyz",
+    );
+  });
+
+  it("Strips trailing slash from path as per spec", () => {
+    const input = new URL("https://auth.example.com/oauth/");
+    const result = oauthAuthServerMetadataUrl(input);
+    expect(result.href).toBe(
+      "https://auth.example.com/.well-known/oauth-authorization-server/oauth",
+    );
+  });
+
+  it("Handles auth server URL with port", () => {
+    const input = new URL("https://auth.example.com:8080");
+    const result = oauthAuthServerMetadataUrl(input);
+    expect(result.href).toBe(
+      "https://auth.example.com:8080/.well-known/oauth-authorization-server",
+    );
+  });
+});
diff --git a/client/src/utils/oauthUtils.ts b/client/src/utils/oauthUtils.ts
@@ -63,3 +63,19 @@ export const generateOAuthErrorDescription = (
     .filter(Boolean)
     .join("\n");
 };
+
+/**
+ * Build the well-known OAuth 2.0 metadata URL from an authServerUrl.
+ * Handles auth server paths per RFC 8414 §3.1.
+ *
+ * @param {URL} authServerUrl e.g. new URL("https://my.auth-server.com/oauth/tenant/xyz")
+ * @returns {URL}         e.g. new URL("https://my.auth-server.com/.well-known/oauth-authorization-server/oauth/tenant/xyz")
+ */
+export const oauthAuthServerMetadataUrl = (authServerUrl: URL): URL => {
+  // Strip a trailing slash from the path (required by the spec)
+  const path = authServerUrl.pathname.replace(/\/$/, "");
+
+  return new URL(
+    `${authServerUrl.origin}/.well-known/oauth-authorization-server${path}`,
+  );
+};
