Skip to content

fix: do not manually construct fallback authorization metadata #507

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Nov 3, 2025
Merged

fix: do not manually construct fallback authorization metadata #507

merged 1 commit into from
Nov 3, 2025

Conversation

@alexhancock
Copy link
Contributor

@alexhancock alexhancock commented Oct 30, 2025

We should not manually guess and construct an authorization endpoint if we cannot discover metadata

Right now base_url is the MCP server's base url, not the authorization server

Surfaced to me through block/goose#5294
@github-actions github-actions bot added T-core Core library changes T-transport Transport layer changes labels Oct 30, 2025
@alexhancock alexhancock mentioned this pull request Oct 30, 2025
Open
@4t145 4t145 requested a review from Copilot November 2, 2025 18:40
Copilot AI reviewed Nov 2, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR improves OAuth security by removing the fallback mechanism that constructed default authorization endpoints when discovery fails. Instead of guessing endpoint URLs, the code now correctly returns a NoAuthorizationSupport error when OAuth metadata cannot be discovered from the server.

Key changes:

  • Removed the fallback logic that constructed default OAuth endpoints (/authorize and /token) when metadata discovery failed
  • Changed the behavior to return AuthError::NoAuthorizationSupport instead of constructing guessed endpoints
  • Added clear comments explaining why OAuth endpoints must be discovered rather than constructed

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
jamadeo
jamadeo approved these changes Nov 3, 2025
View reviewed changes
Copy link
Collaborator

@jamadeo jamadeo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this PR is correct in that we should not construct this metadata ourselves ever. It looks to me like #489 should fix the problem reported in the goose repo, as it adds support for discovery using resource metadata
@alexhancock alexhancock merged commit d3ddc09 into main Nov 3, 2025
17 checks passed
@github-actions github-actions bot mentioned this pull request Nov 3, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

T-core Core library changes T-transport Transport layer changes

3 participants

@alexhancock @jamadeo