Fix RFC 8414 metadata URL construction and add asMetadataUrl validation in callback

cursoragent · cursoragent · commit 0ccd44c8f511 · 2026-04-28T20:16:48.000Z
- buildMetadataUrls: insert .well-known/oauth-authorization-server between
  origin and path per RFC 8414 §3, instead of appending to the end. Fixes
  discovery for path-based issuers (e.g. multi-tenant Azure AD, Auth0).
- Callback route: add !cached.asMetadataUrl to the validation guard,
  consistent with tryRefreshAfterInvalidToken in the probe route.
diff --git a/apps/web/app/api/settings/mcp/connect/callback/route.ts b/apps/web/app/api/settings/mcp/connect/callback/route.ts
@@ -244,7 +244,7 @@ export async function GET(request: Request): Promise<Response> {
   }
 
   const cached = getMcpServerSecret(serverKey);
-  if (!cached || !cached.codeVerifier || !cached.redirectUri) {
+  if (!cached || !cached.codeVerifier || !cached.redirectUri || !cached.asMetadataUrl) {
     return renderResultPage(
       {
         kind: "error",
diff --git a/apps/web/lib/mcp-oauth.ts b/apps/web/lib/mcp-oauth.ts
@@ -261,10 +261,15 @@ async function fetchAuthorizationServerMetadata(
 }
 
 function buildMetadataUrls(issuer: string): string[] {
-  const trimmed = issuer.endsWith("/") ? issuer.slice(0, -1) : issuer;
+  // RFC 8414 §3: insert /.well-known/oauth-authorization-server between the
+  // origin and the path, e.g. https://example.com/tenant becomes
+  // https://example.com/.well-known/oauth-authorization-server/tenant
+  const url = new URL(issuer);
+  const path = url.pathname.replace(/\/+$/, "");
   return [
-    `${trimmed}/.well-known/oauth-authorization-server`,
-    `${trimmed}/.well-known/openid-configuration`,
+    `${url.origin}/.well-known/oauth-authorization-server${path}`,
+    // OIDC Discovery appends to the issuer per OpenID Connect Discovery §4.
+    `${url.origin}${path}/.well-known/openid-configuration`,
   ];
 }
 

Original file line number	Diff line number	Diff line change
`@@ -244,7 +244,7 @@ export async function GET(request: Request): Promise<Response> {`
`244`	`244`	`}`
`245`	`245`
`246`	`246`	`const cached = getMcpServerSecret(serverKey);`
`247`		`- if (!cached \|\| !cached.codeVerifier \|\| !cached.redirectUri) {`
	`247`	`+ if (!cached \|\| !cached.codeVerifier \|\| !cached.redirectUri \|\| !cached.asMetadataUrl) {`
`248`	`248`	`return renderResultPage(`
`249`	`249`	`{`
`250`	`250`	`kind: "error",`