fix: allow multi-segment issuer paths (#105)

Author: isaac-bowen

src/Server/Registrar.php

@@ -89,7 +89,7 @@ public function oauthRoutes(string $oauthPrefix = 'oauth'): void
             'resource' => url('/'.$path),
             'authorization_servers' => [url('/'.$path)],
             'scopes_supported' => ['mcp:use'],
-        ]))->name('mcp.oauth.protected-resource');
+        ]))->where('path', '.*')->name('mcp.oauth.protected-resource');
 
         Router::get('/.well-known/oauth-authorization-server/{path?}', fn (?string $path = '') => response()->json([
             'issuer' => url('/'.$path),
@@ -100,7 +100,7 @@ public function oauthRoutes(string $oauthPrefix = 'oauth'): void
             'code_challenge_methods_supported' => ['S256'],
             'scopes_supported' => ['mcp:use'],
             'grant_types_supported' => ['authorization_code', 'refresh_token'],
-        ]))->name('mcp.oauth.authorization-server');
+        ]))->where('path', '.*')->name('mcp.oauth.authorization-server');
 
         Router::post($oauthPrefix.'/register', OAuthRegisterController::class);
     }

tests/Unit/Server/RegistrarTest.php

@@ -269,3 +269,96 @@ public function createAuthorizationCodeGrantClient(string $name, array $redirect
 
     $response->assertStatus(422);
 });
+
+it('handles oauth discovery with multi-segment paths', function (): void {
+    // Fake Passport's routes so the oauthRoutes() helper can resolve them.
+    Route::get('/oauth/authorize')->name('passport.authorizations.authorize');
+    Route::post('/oauth/token')->name('passport.token');
+
+    $registrar = new Registrar;
+    $registrar->oauthRoutes();
+
+    // Test protected resource endpoint with multi-segment path
+    $response = $this->getJson('/.well-known/oauth-protected-resource/mcp/weather');
+
+    $response->assertStatus(200);
+    $response->assertJson([
+        'resource' => url('/mcp/weather'),
+        'authorization_servers' => [url('/mcp/weather')],
+        'scopes_supported' => ['mcp:use'],
+    ]);
+
+    // Test authorization server endpoint with multi-segment path
+    $response = $this->getJson('/.well-known/oauth-authorization-server/mcp/weather');
+
+    $response->assertStatus(200);
+    $response->assertJsonStructure([
+        'issuer',
+        'authorization_endpoint',
+        'token_endpoint',
+        'registration_endpoint',
+        'response_types_supported',
+        'code_challenge_methods_supported',
+        'scopes_supported',
+        'grant_types_supported',
+    ]);
+    $response->assertJson([
+        'issuer' => url('/mcp/weather'),
+        'scopes_supported' => ['mcp:use'],
+        'response_types_supported' => ['code'],
+        'code_challenge_methods_supported' => ['S256'],
+        'grant_types_supported' => ['authorization_code', 'refresh_token'],
+    ]);
+});
+
+it('handles oauth discovery with single segment paths', function (): void {
+    // Fake Passport's routes so the oauthRoutes() helper can resolve them.
+    Route::get('/oauth/authorize')->name('passport.authorizations.authorize');
+    Route::post('/oauth/token')->name('passport.token');
+
+    $registrar = new Registrar;
+    $registrar->oauthRoutes();
+
+    // Test backward compatibility with single-segment paths
+    $response = $this->getJson('/.well-known/oauth-protected-resource/mcp');
+
+    $response->assertStatus(200);
+    $response->assertJson([
+        'resource' => url('/mcp'),
+        'authorization_servers' => [url('/mcp')],
+        'scopes_supported' => ['mcp:use'],
+    ]);
+
+    $response = $this->getJson('/.well-known/oauth-authorization-server/mcp');
+
+    $response->assertStatus(200);
+    $response->assertJson([
+        'issuer' => url('/mcp'),
+    ]);
+});
+
+it('handles oauth discovery with no path', function (): void {
+    // Fake Passport's routes so the oauthRoutes() helper can resolve them.
+    Route::get('/oauth/authorize')->name('passport.authorizations.authorize');
+    Route::post('/oauth/token')->name('passport.token');
+
+    $registrar = new Registrar;
+    $registrar->oauthRoutes();
+
+    // Test with no path (root)
+    $response = $this->getJson('/.well-known/oauth-protected-resource');
+
+    $response->assertStatus(200);
+    $response->assertJson([
+        'resource' => url('/'),
+        'authorization_servers' => [url('/')],
+        'scopes_supported' => ['mcp:use'],
+    ]);
+
+    $response = $this->getJson('/.well-known/oauth-authorization-server');
+
+    $response->assertStatus(200);
+    $response->assertJson([
+        'issuer' => url('/'),
+    ]);
+});