fix: add Protected Resource Metadata endpoint (RFC 9728)
All checks were successful
CI / ci (push) Successful in 29s
CI / e2e (push) Successful in 1m1s

The MCP auth spec (2025-06-18+) requires /.well-known/oauth-protected-resource
in addition to /.well-known/oauth-authorization-server. Claude fetches
the protected resource metadata first after receiving a 401, then discovers
the authorization server from it. Also fixes WWW-Authenticate header to
use absolute URL pointing to the protected resource endpoint.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-04 11:17:21 +02:00
parent b71833ef79
commit f7c9f3dc94
3 changed files with 23 additions and 3 deletions


@@ -84,6 +84,16 @@ function renderLoginForm(params: {
export const wellKnownRoute = new Hono<Env>();
// Protected Resource Metadata (RFC 9728) — Claude fetches this first after 401
wellKnownRoute.get("/oauth-protected-resource", (c) => {
const baseUrl = getBaseUrl(c);
return c.json({
resource: `${baseUrl}/mcp`,
authorization_servers: [baseUrl],
});
});
// OAuth Authorization Server Metadata (RFC 8414) — Claude fetches this second
wellKnownRoute.get("/oauth-authorization-server", (c) => {
const baseUrl = getBaseUrl(c);
return c.json({
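Review bot: the metadata route is registered only at the root path `/oauth-protected-resource`, but the advertised `resource` is `${baseUrl}/mcp`; RFC 9728 (section 3) forms the well-known URL by inserting `/.well-known/oauth-protected-resource` before the resource's path component, so a client that follows the RFC for this resource requests `/.well-known/oauth-protected-resource/mcp` and gets a 404 from this router. Suggest also registering `wellKnownRoute.get("/oauth-protected-resource/mcp", ...)` returning the same document, keeping the root route for clients that fall back to it, and adjusting the comment above the route so it describes the RFC path rule rather than one client's fetch order.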