7 changes: 7 additions & 0 deletions .changeset/fix-auth-fallback-non-root-path.md
@@ -0,0 +1,7 @@
---
'@modelcontextprotocol/client': patch
---

Throw error on auth fallback for non-root AS paths instead of silently using incorrect absolute paths. Fixes URL path prefix loss when authorization server metadata discovery fails.

Fixes modelcontextprotocol/typescript-sdk#1716
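Review bot: this is an observable behaviour change, not just a bug fix, and the changeset should say so: any caller whose authorization server URL has a non-root path and whose metadata discovery fails previously got a (wrong) URL back and now gets an exception from startAuthorization, the token exchange and registerClient. Spell out "AS" as "authorization server" and state that those calls now throw, so integrators searching the changelog for the new error understand why it appeared; given that existing integrations relying on the silent fallback will start failing, consider whether `minor` is the more honest bump than `patch`.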
20 changes: 19 additions & 1 deletion packages/client/src/client/auth.ts
Expand Up @@ -1200,6 +1200,11 @@ export async function startAuthorization(
) {
throw new Error(`Incompatible auth server: does not support code challenge method ${AUTHORIZATION_CODE_CHALLENGE_METHOD}`);
}
} else if (authorizationServerUrl.pathname !== '/') {
throw new Error(
`Authorization server metadata discovery failed and the server URL (${authorizationServerUrl}) has a non-root path. ` +
`Cannot determine the authorization endpoint. Please ensure the authorization server is reachable and supports metadata discovery.`
);
} else {
authorizationUrl = new URL('/authorize', authorizationServerUrl);
}
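Review bot: failing closed here is the right call, since the old `new URL('/authorize', authorizationServerUrl)` fallback resolves an absolute path against the origin only and therefore discards any path prefix on the authorization server URL, so the authorization request (client_id, redirect_uri and the PKCE challenge) would have been sent to whatever answers at the host root. One nit on the message: interpolating `${authorizationServerUrl}` stringifies the whole URL, including any userinfo or query component an operator may have configured; `${authorizationServerUrl.origin}${authorizationServerUrl.pathname}` shows the part the check actually depends on without echoing anything sensitive, and the same applies to the two other copies of this message in the diff.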
Expand Down Expand Up @@ -1283,7 +1288,14 @@ async function executeTokenRequest(
fetchFn?: FetchLike;
}
): Promise<OAuthTokens> {
const tokenUrl = metadata?.token_endpoint ? new URL(metadata.token_endpoint) : new URL('/token', authorizationServerUrl);
const tokenUrl = metadata?.token_endpoint
? new URL(metadata.token_endpoint)
: authorizationServerUrl.pathname !== '/'
? (() => { throw new Error(
`Authorization server metadata discovery failed and the server URL (${authorizationServerUrl}) has a non-root path. ` +
`Cannot determine the token endpoint.`
); })()
: new URL('/token', authorizationServerUrl);

const headers = new Headers({
'Content-Type': 'application/x-www-form-urlencoded',
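Review bot: the nested ternary with an immediately invoked arrow function that throws is hard to read and inconsistent with the plain `if (...) { throw ... }` form used in the other two hunks; declare `let tokenUrl: URL;` and use an if / else if / else chain instead, or better, extract a shared helper (for example `resolveFallbackEndpoint(authorizationServerUrl, '/token', 'token endpoint')`) so the three copies of the message cannot drift apart, as they already have: this copy lacks the "Please ensure the authorization server is reachable and supports metadata discovery" guidance present in the startAuthorization branch. The wording is also slightly off: `metadata?.token_endpoint` is falsy not only when discovery failed but when metadata was retrieved and simply omits `token_endpoint`, and in that second case "metadata discovery failed" will send the operator looking in the wrong place.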
Expand Down Expand Up @@ -1530,6 +1542,12 @@ export async function registerClient(

registrationUrl = new URL(metadata.registration_endpoint);
} else {
if (authorizationServerUrl.pathname !== '/') {
throw new Error(
`Authorization server metadata discovery failed and the server URL (${authorizationServerUrl}) has a non-root path. ` +
`Cannot determine the registration endpoint.`
);
}
registrationUrl = new URL('/register', authorizationServerUrl);
}
