adjust to provided resource

Author: pcarleton

src/client/auth.test.ts

@@ -1045,5 +1045,66 @@ describe("OAuth Authorization", () => {
  "https://different-resource.example.com/mcp-server"
  );
  });
+
+ it("uses prefix of server URL from PRM resource as resource parameter", async () => {
+ // Mock successful metadata discovery with resource URL that is a prefix of requested URL
+ mockFetch.mockImplementation((url) => {
+ const urlString = url.toString();
+
+ if (urlString.includes("/.well-known/oauth-protected-resource")) {
+ return Promise.resolve({
+ ok: true,
+ status: 200,
+ json: async () => ({
+ // Resource is a prefix of the requested server URL
+ resource: "https://api.example.com/",
+ authorization_servers: ["https://auth.example.com"],
+ }),
+ });
+ } else if (urlString.includes("/.well-known/oauth-authorization-server")) {
+ return Promise.resolve({
+ ok: true,
+ status: 200,
+ json: async () => ({
+ issuer: "https://auth.example.com",
+ authorization_endpoint: "https://auth.example.com/authorize",
+ token_endpoint: "https://auth.example.com/token",
+ response_types_supported: ["code"],
+ code_challenge_methods_supported: ["S256"],
+ }),
+ });
+ }
+
+ return Promise.resolve({ ok: false, status: 404 });
+ });
+
+ // Mock provider methods
+ (mockProvider.clientInformation as jest.Mock).mockResolvedValue({
+ client_id: "test-client",
+ client_secret: "test-secret",
+ });
+ (mockProvider.tokens as jest.Mock).mockResolvedValue(undefined);
+ (mockProvider.saveCodeVerifier as jest.Mock).mockResolvedValue(undefined);
+ (mockProvider.redirectToAuthorization as jest.Mock).mockResolvedValue(undefined);
+
+ // Call auth with a URL that has the resource as prefix
+ const result = await auth(mockProvider, {
+ serverUrl: "https://api.example.com/mcp-server/endpoint",
+ });
+
+ expect(result).toBe("REDIRECT");
+
+ // Verify the authorization URL includes the resource parameter from PRM
+ expect(mockProvider.redirectToAuthorization).toHaveBeenCalledWith(
+ expect.objectContaining({
+ searchParams: expect.any(URLSearchParams),
+ })
+ );
+
+ const redirectCall = (mockProvider.redirectToAuthorization as jest.Mock).mock.calls[0];
+ const authUrl: URL = redirectCall[0];
+ // Should use the PRM's resource value, not the full requested URL
+ expect(authUrl.searchParams.get("resource")).toBe("https://api.example.com/");
+ });
  });
 });

src/client/auth.ts

@@ -197,12 +197,15 @@ export async function auth(
  return "REDIRECT";
 }
 
-async function selectResourceURL(serverUrl: string| URL, provider: OAuthClientProvider, resourceMetadata?: OAuthProtectedResourceMetadata): Promise<URL | undefined> {
- const resource = resourceUrlFromServerUrl(serverUrl);
+export async function selectResourceURL(serverUrl: string| URL, provider: OAuthClientProvider, resourceMetadata?: OAuthProtectedResourceMetadata): Promise<URL | undefined> {
+ let resource = resourceUrlFromServerUrl(serverUrl);
  if (provider.validateResourceURL) {
  return await provider.validateResourceURL(resource, resourceMetadata?.resource);
  } else if (resourceMetadata) {
- if (!checkResourceAllowed({ requestedResource: resource, configuredResource: resourceMetadata.resource })) {
+ if (checkResourceAllowed({ requestedResource: resource, configuredResource: resourceMetadata.resource })) {
+ // If the resource mentioned in metadata is valid, prefer it since it is what the server is telling us to request.
+ resource = new URL(resourceMetadata.resource);
+ } else {
  throw new Error(`Protected resource ${resourceMetadata.resource} does not match expected ${resource} (or origin)`);
  }
  }