fix: Use authorization server URL to get OAuth token, not MCP server URL

clareliguori · clareliguori · commit 11ab57cd5149 · 2025-07-04T16:55:01.000-07:00
diff --git a/e2e_tests/typescript/src/server_clients/automated_oauth.ts b/e2e_tests/typescript/src/server_clients/automated_oauth.ts
@@ -367,6 +367,18 @@ export class AutomatedOAuthClient extends Server {
       { resourceMetadataUrl }
     );
 
+    if (
+      resourceMetadata.authorization_servers &&
+      resourceMetadata.authorization_servers.length > 0
+    ) {
+      this.config.authorizationServerUrl =
+        resourceMetadata.authorization_servers[0];
+    } else {
+      throw new Error(
+        "No authorization server found in OAuth protected resource metadata"
+      );
+    }
+
     if (
       !resourceMetadata.scopes_supported ||
       resourceMetadata.scopes_supported.length === 0
@@ -419,7 +431,9 @@ export class AutomatedOAuthClient extends Server {
       logger.debug("Performing client credentials flow...");
 
       // Discover OAuth metadata
-      const metadata = await discoverOAuthMetadata(this.config.serverUrl);
+      const metadata = await discoverOAuthMetadata(
+        this.config.authorizationServerUrl
+      );
 
       if (!metadata?.token_endpoint) {
         throw new Error("No token endpoint found in OAuth metadata");
diff --git a/examples/servers/cat-facts/lib/cat-facts-mcp-server.function.ts b/examples/servers/cat-facts/lib/cat-facts-mcp-server.function.ts
@@ -28,7 +28,7 @@ export const handler: Handler = async (
   event: APIGatewayProxyEventV2WithIAMAuthorizer,
   context: Context
 ): Promise<APIGatewayProxyResultV2> => {
-  // To customize the handler based on the caller's identity, you can use:
+  // To customize the handler based on the caller's identity, you can use properties in:
   // event.requestContext.authorizer.iam
 
   return requestHandler.handle(event, context);
diff --git a/examples/servers/dog-facts/lib/dog-facts-mcp-server.function.ts b/examples/servers/dog-facts/lib/dog-facts-mcp-server.function.ts
@@ -1,7 +1,7 @@
 import {
   Handler,
   Context,
-  APIGatewayProxyEvent,
+  APIGatewayProxyWithCognitoAuthorizerEvent,
   APIGatewayProxyResult,
 } from "aws-lambda";
 import {
@@ -25,11 +25,11 @@ const requestHandler = new APIGatewayProxyEventHandler(
 );
 
 export const handler: Handler = async (
-  event: APIGatewayProxyEvent,
+  event: APIGatewayProxyWithCognitoAuthorizerEvent,
   context: Context
 ): Promise<APIGatewayProxyResult> => {
-  // To customize the handler based on the caller's identity, you can use:
-  // event.requestContext.authorizer.iam
+  // To customize the handler based on the caller's identity, you can use properties like:
+  // event.requestContext.authorizer.claims["cognito:username"]
 
   return requestHandler.handle(event, context);
 };
