Skip to content

Trailing slash in .well-known/oauth-protected-resource response may violate “Canonical Server URI” requirement #1265

Open
#1938
Open
Trailing slash in .well-known/oauth-protected-resource response may violate “Canonical Server URI” requirement#1265
#1938
Labels
P1Significant bug affecting many users, highly requested featureauthIssues and PRs related to Authentication / OAuthbugSomething isn't workingready for workEnough information for someone to start working on
@FakeDocument

Description

@FakeDocument
FakeDocument
opened on Aug 12, 2025

Question

As I understand it, https://your-mcp.com/.well-known/oauth-protected-resource should return:

{
    "resource": "https://your-mcp.com",
    "authorization_servers": [
        "https://your-auth.com"
    ],
    "scopes_supported": [],
    "bearer_methods_supported": [
        "header"
    ]
}

However, it actually returns:

{
    "resource": "https://your-mcp.com/",
    "authorization_servers": [
        "https://your-auth.com/"
    ],
    "scopes_supported": [],
    "bearer_methods_supported": [
        "header"
    ]
}

Note the trailing / in both the resource and authorization_servers values.

According to the MCP spec’s “resource-parameter-implementation” section, I believe this violates the requirement for canonicalization:
https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization#resource-parameter-implementation

Is this a bug, or am I misunderstanding the requirement?

Metadata

Metadata

Assignees

No one assigned

    Labels

    P1Significant bug affecting many users, highly requested featureauthIssues and PRs related to Authentication / OAuthbugSomething isn't workingready for workEnough information for someone to start working on

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions