context_server: Handle bad WWW-Authenticate resource_metadata URLs#53502
Merged
Conversation
7f124ff to
ef5503b
Compare
ef5503b to
ad6d321
Compare
ad6d321 to
8c1d074
Compare
…a URLs When the resource_metadata URL from the WWW-Authenticate header is same-origin but points to a broken endpoint (for example Pydantic Logfire doubles the path component, producing /mcp/mcp), fall back to the RFC 9728 well-known URIs instead of failing outright. The header URL is still tried first per the MCP spec requirement.
8c1d074 to
9c5d615
Compare
bennetbo
approved these changes
May 18, 2026
TomPlanche
pushed a commit
to TomPlanche/zed
that referenced
this pull request
May 20, 2026
…ed-industries#53502) In MCP OAuth, when the resource_metadata URL from the WWW-Authenticate header from the MCP server is on the same origin, but points to a broken endpoint (for example Pydantic Logfire doubles the path component, producing /mcp/mcp), fall back to the RFC 9728 well-known URIs instead of failing outright. The header URL is still tried first, as per the MCP spec. Release Notes: - MCP OAuth: Handle bad URLs in WWW-Authenticate by falling back to the well known authorization server metadata URLs.
This was referenced May 27, 2026
TomPlanche
pushed a commit
to TomPlanche/zed
that referenced
this pull request
Jun 2, 2026
…ed-industries#53502) In MCP OAuth, when the resource_metadata URL from the WWW-Authenticate header from the MCP server is on the same origin, but points to a broken endpoint (for example Pydantic Logfire doubles the path component, producing /mcp/mcp), fall back to the RFC 9728 well-known URIs instead of failing outright. The header URL is still tried first, as per the MCP spec. Release Notes: - MCP OAuth: Handle bad URLs in WWW-Authenticate by falling back to the well known authorization server metadata URLs.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
In MCP OAuth, when the resource_metadata URL from the WWW-Authenticate header from the MCP server is on the same origin, but points to a broken endpoint (for example Pydantic Logfire doubles the path component, producing /mcp/mcp), fall back to the RFC 9728 well-known URIs instead of failing outright. The header URL is still tried first, as per the MCP spec.
Release Notes: