Description
Inspector Version
- 0.17.0
Describe the bug
I'm getting the error "Protected resource api://mycompany.com/subdivision/myservice does not match expected https://api.test.subdivison.mycompany.com/myservice/mcp (or origin)".

My API is exposed via different endpoints (like Application Gateway, Azure API Management Service, from internal network Container App Environment Application URL...), which all have different domains.

The official RFC https://datatracker.ietf.org/doc/html/rfc8707#name-resource-parameter uses the word MAY in the sentence "The resource parameter URI value is an identifier representing the identity of the resource, which MAY be a locator that corresponds to a network-addressable location".

The RFC also states "The parameter value identifies a resource to which the client is requesting access. The parameter can carry the location of a protected resource, typically as an https URL or a more abstract identifier."
To Reproduce
Steps to reproduce the behavior:
- npx @modelcontextprotocol/inspector
- open http://localhost:6274/?MCP_PROXY_AUTH_TOKEN=....
- Change Transport Type to Streamable HTTP
- Enter URL to https://api.test.subdivision.mycompany.com/myservice/mcp
- Click Open Auth Settings
- Click Guided OAuth Flow
- Click Continue
- Observe response from https://api.test.subdivision.mycompany.com/.well-known/oauth-protected-resource/myservice/mcp is returning

  ```json
  {
    "resource": "api://mycompany.com/subdivision/myservice",
    "authorization_servers": [
      "https://identity-test.mycompany.com"
    ],
    "bearer_methods_supported": [
      "header"
    ],
    "scopes_supported": [
      "myservice"
    ]
  }
  ```

- ISSUE error is shown "Protected resource api://mycompany.com/subdivision/myservice does not match expected https://api.test.subdivision.mycompany.com/myservice/mcp (or origin)"
Expected behavior
Allow resource name to be any absolute URI.
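
The comparison described in this report, as an added example that is not part of the original issue and is not the Inspector's own code: it derives the metadata URL seen in the reproduction steps and applies a match rule inferred from the "(or origin)" wording of the error. The function names and the exact normalisation are assumptions.

```javascript
// Added illustration; not the Inspector's source. All function names are hypothetical.
const SERVER = "https://api.test.subdivision.mycompany.com/myservice/mcp";
const REPORTED = { resource: "api://mycompany.com/subdivision/myservice" }; // from the issue
const MATCHING = { resource: SERVER }; // constructed contrast case

// Build the protected-resource metadata URL by inserting the well-known
// segment between the host and the path of the MCP server URL.
function metadataUrl(serverUrl) {
  const u = new URL(serverUrl);
  const path = u.pathname === "/" ? "" : u.pathname.replace(/\/+$/, "");
  return `${u.origin}/.well-known/oauth-protected-resource${path}`;
}

// Normalise an absolute URI for comparison: drop fragment and trailing slash.
function canonical(uri) {
  const u = new URL(uri); // throws on a relative or malformed URI
  u.hash = "";
  return u.href.replace(/\/+$/, "");
}

// Assumed rule: the advertised resource must equal the URL the client
// connected to, or that URL's origin. Any other identifier is rejected,
// including an abstract identifier such as an api:// URI.
function checkResource(serverUrl, metadata) {
  const expected = canonical(serverUrl);
  const origin = new URL(serverUrl).origin;
  let advertised;
  try {
    advertised = canonical(metadata.resource);
  } catch {
    return { ok: false, reason: "resource is not an absolute URI" };
  }
  if (advertised === expected || advertised === origin) {
    return { ok: true, resource: advertised };
  }
  return {
    ok: false,
    reason: `Protected resource ${metadata.resource} does not match ` +
            `expected ${serverUrl} (or origin)`,
  };
}
```

`checkResource(SERVER, REPORTED)` reproduces the reported message, while `MATCHING` and an origin-only `resource` both pass.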