Jean-Luc Makiola f7c9f3dc94 fix: add Protected Resource Metadata endpoint (RFC 9728) ...

The MCP auth spec (2025-06-18+) requires /.well-known/oauth-protected-resource
in addition to /.well-known/oauth-authorization-server. Claude fetches
the protected resource metadata first after receiving a 401, then discovers
the authorization server from it. Also fixes WWW-Authenticate header to
use absolute URL pointing to the protected resource endpoint.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-04-04 11:17:21 +02:00

535 B

Executable File

Raw Blame History

View Raw