fix: add Protected Resource Metadata endpoint (RFC 9728)
The MCP auth spec (2025-06-18+) requires /.well-known/oauth-protected-resource in addition to /.well-known/oauth-authorization-server. Claude fetches the protected resource metadata first after receiving a 401, then discovers the authorization server from it. Also fixes WWW-Authenticate header to use absolute URL pointing to the protected resource endpoint. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -115,10 +115,12 @@ mcpRoutes.use("/*", async (c, next) => {
|
||||
return c.json({ error: "Invalid API key" }, 401);
|
||||
}
|
||||
|
||||
// No auth provided — return 401 with WWW-Authenticate to trigger OAuth flow
|
||||
// No auth provided — return 401 with WWW-Authenticate to trigger OAuth flow (RFC 9728)
|
||||
const baseUrl = (
|
||||
process.env.GEARBOX_URL || new URL(c.req.url).origin
|
||||
).replace(/\/$/, "");
|
||||
return c.text("Unauthorized", 401, {
|
||||
"WWW-Authenticate":
|
||||
'Bearer resource_metadata="/.well-known/oauth-authorization-server"',
|
||||
"WWW-Authenticate": `Bearer resource_metadata="${baseUrl}/.well-known/oauth-protected-resource"`,
|
||||
});
|
||||
});
|
||||
|
||||
|
||||
Reference in New Issue
Block a user