Commit bb1446f

Merge pull request modelcontextprotocol#165 from allenzhou101/feature/authorization-base-url
Explicitly define the Authorization Base URL
2 parents 63e1dbb + ff27987 commit bb1446f

1 file changed

+27
-2
lines changed

docs/specification/draft/basic/authorization.md

Lines changed: 27 additions & 2 deletions
@@ -118,17 +118,42 @@ version.
118118

119119
For example: `MCP-Protocol-Version: 2024-11-05`
120120

121-
#### 2.3.1 Fallbacks for Servers without Metadata Discovery
121+
#### 2.3.2 Authorization Base URL
122+
123+
The authorization base URL **MUST** be determined from the [SSE
124+
endpoint]({{< ref "specification/draft/basic/transports#http-with-sse" >}}) URL by
125+
discarding any existing `path` component. For example:
126+
127+
If the SSE endpoint is `https://api.example.com/v1/sse`, then:
128+
129+
- The authorization base URL is `https://api.example.com`
130+
- The metadata endpoint **MUST** be at
131+
`https://api.example.com/.well-known/oauth-authorization-server`
132+
133+
This ensures authorization endpoints are consistently located at the root level of the
134+
domain serving the SSE endpoint, regardless of any path components in the SSE endpoint
135+
URL.
136+
137+
#### 2.3.3 Fallbacks for Servers without Metadata Discovery
122138

123139
For servers that do not implement OAuth 2.0 Authorization Server Metadata, clients
124-
**MUST** use the following default endpoint paths relative to the server's base URL:
140+
**MUST** use the following default endpoint paths relative to the authorization base URL
141+
(as defined in [Section
142+
2.3.2]({{< ref "specification/draft/basic/authorization#232-authorization-base-url" >}})):
125143

126144
| Endpoint | Default Path | Description |
127145
| ---------------------- | ------------ | ------------------------------------ |
128146
| Authorization Endpoint | /authorize | Used for authorization requests |
129147
| Token Endpoint | /token | Used for token exchange & refresh |
130148
| Registration Endpoint | /register | Used for dynamic client registration |
131149

150+
For example, with an SSE endpoint of `https://api.example.com/v1/sse`, the default
151+
endpoints would be:
152+
153+
- `https://api.example.com/authorize`
154+
- `https://api.example.com/token`
155+
- `https://api.example.com/register`
156+
132157
Clients **MUST** first attempt to discover endpoints via the metadata document before
133158
falling back to default paths. When using default paths, all other protocol requirements
134159
remain unchanged.
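Review bot: the derivation rule in the new 2.3.2 text ("by discarding any existing `path` component") only names the path, so it leaves query string and fragment handling to the reader and never says that scheme, host and port are to be kept; the worked example (`https://api.example.com/v1/sse` -> `https://api.example.com`) has no query or non-default port, so it does not settle either question. Suggest stating the rule in origin terms, e.g. "the authorization base URL is the scheme, host and port of the SSE endpoint URL, with the path, query and fragment removed", and adding one example with an explicit port so implementers derive the same value for `https://api.example.com:8443/v1/sse`. Two smaller points in the same hunk: the paragraph beginning "This ensures authorization endpoints are consistently located at the root level of the domain" should say "origin" rather than "domain" for the same reason, and the renumbering replaces the removed `#### 2.3.1 Fallbacks for Servers without Metadata Discovery` heading with 2.3.2 and 2.3.3 while no 2.3.1 heading appears anywhere in the visible context, so either a 2.3.1 section exists above this hunk or the new sections should be numbered 2.3.1 and 2.3.2 (the `#232-authorization-base-url` anchor in the Section reference must then be updated to match).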
