Path‑aware OAuth discovery builds an invalid URL

[MichalWeczorek]

1 mcp‑remote fetches ( I use Keycloack as my auth server )
GET http://localhost:54001/.well-known/oauth-protected-resource
and receives:
{ "authorization_servers": [ "https://xxx:40020/auth/realms/myRealm" ], … }
2 It then tries to load OAuth metadata for that issuer, but the URL it constructs is invalid:

https://xxx:40020/.well-known/oauth-authorization-server/auth/realms/myRealm
3 Discovery fails, CLI falls back to root discovery, Keycloak still rejects the subsequent token request with
nvalid OAuth error response: SyntaxError: Unexpected token '<', "<bod"...

Expected behaviour
mcp‑remote should request the RFC 8414 path‑aware discovery document at

https://xxx:40020/auth/realms/myRealm/.well-known/oauth-authorization-server
and proceed with the OAuth flow.

Root cause (code)

function buildWellKnownPath(pathname) 
{
    if(pathname.endsWith('/')) {
        pathname = pathname.slice(0, -1);
    }
    let wellKnownPath = `${pathname}/.well-known/oauth-authorization-server`;
    return wellKnownPath;
}

[asparsh29kumar]

IIUC mcp-remote relies on the official typescript-sdk for the oauth flow.
This change https://github.com/modelcontextprotocol/typescript-sdk/pull/652/files#diff-ac04c4c9810612210b0ac8fbf59911c8a9b826954a38eb7a0aeb26bbf73a5325R718 which preserves path name was recently merged. So, as soon as @geelen creates a new version of mcp-remote with the latest version of the sdk, we should be able to make use of it.

As a workaround, I updated https://github.com/geelen/mcp-remote/blob/main/package.json#L39 to "@modelcontextprotocol/sdk": "^1.17.1", and that seemed to have done the trick for me locally. You can try it to see if it works for you.

[nweinshenker]

Has this issue already been resolved by pull request? It looks like this was successfully built and released in mcp-remote@0.1.19 release that adjusts the /.well-known/oauth-authorization-server changes in the typescript-sdk to prepend the correct path for OAuth discovery.

[halllo]

Yes, its better now. But there still is an issue with the resource metadata, which is due to the use of multiple transport objects and recursive invocation.
I tried to fix it in #167 to get it working at all, but it would be better to not need multiple transports.