fix: add Protected Resource Metadata endpoint (RFC 9728)
All checks were successful
CI / ci (push) Successful in 29s
CI / e2e (push) Successful in 1m1s

The MCP auth spec (2025-06-18+) requires /.well-known/oauth-protected-resource
in addition to /.well-known/oauth-authorization-server. Claude fetches
the protected resource metadata first after receiving a 401, then discovers
the authorization server from it. Also fixes WWW-Authenticate header to
use absolute URL pointing to the protected resource endpoint.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-04-04 11:17:21 +02:00
parent b71833ef79
commit f7c9f3dc94
3 changed files with 23 additions and 3 deletions

8
check-oauth.sh Executable file
View File

@@ -0,0 +1,8 @@
#!/bin/bash
docker exec gearbox bun -e "
const{Database}=require('bun:sqlite');
const db=new Database('./data/gearbox.db');
console.log('CLIENTS:', JSON.stringify(db.query('SELECT * FROM oauth_clients ORDER BY id DESC LIMIT 5').all(), null, 2));
console.log('CODES:', JSON.stringify(db.query('SELECT id,client_id,used,expires_at FROM oauth_codes ORDER BY id DESC LIMIT 5').all(), null, 2));
console.log('TOKENS:', JSON.stringify(db.query('SELECT id,client_id,expires_at FROM oauth_tokens ORDER BY id DESC LIMIT 5').all(), null, 2));
"