Fix /.well-known/oauth-authorization-server dropping path

Author: ihrpr

src/mcp/client/auth.py

@@ -200,11 +200,19 @@ async def _handle_protected_resource_response(self, response: httpx.Response) ->
     async def _discover_oauth_metadata(self) -> httpx.Request:
         """Build OAuth metadata discovery request."""
         if self.context.auth_server_url:
-            base_url = self.context.get_authorization_base_url(self.context.auth_server_url)
+            auth_server_url = self.context.auth_server_url
         else:
-            base_url = self.context.get_authorization_base_url(self.context.server_url)
+            auth_server_url = self.context.server_url
 
-        url = urljoin(base_url, "/.well-known/oauth-authorization-server")
+        # Per RFC 8414, preserve the path component when constructing discovery URL
+        parsed = urlparse(auth_server_url)
+        well_known_path = f"/.well-known/oauth-authorization-server{parsed.path}"
+        if parsed.path.endswith("/"):
+            # Strip trailing slash from pathname
+            well_known_path = well_known_path[:-1]
+
+        base_url = f"{parsed.scheme}://{parsed.netloc}"
+        url = urljoin(base_url, well_known_path)
         return httpx.Request("GET", url, headers={MCP_PROTOCOL_VERSION: LATEST_PROTOCOL_VERSION})
 
     async def _handle_oauth_metadata_response(self, response: httpx.Response) -> None:

tests/client/test_auth.py

@@ -208,10 +208,58 @@ async def test_discover_oauth_metadata_request(self, oauth_provider):
         """Test OAuth metadata discovery request building."""
         request = await oauth_provider._discover_oauth_metadata()
 
+        assert request.method == "GET"
+        assert str(request.url) == "https://api.example.com/.well-known/oauth-authorization-server/v1/mcp"
+        assert "mcp-protocol-version" in request.headers
+
+    @pytest.mark.anyio
+    async def test_discover_oauth_metadata_request_no_path(self, client_metadata, mock_storage):
+        """Test OAuth metadata discovery request building when server has no path."""
+
+        async def redirect_handler(url: str) -> None:
+            pass
+
+        async def callback_handler() -> tuple[str, str | None]:
+            return "test_auth_code", "test_state"
+
+        provider = OAuthClientProvider(
+            server_url="https://api.example.com",
+            client_metadata=client_metadata,
+            storage=mock_storage,
+            redirect_handler=redirect_handler,
+            callback_handler=callback_handler,
+        )
+
+        request = await provider._discover_oauth_metadata()
+
         assert request.method == "GET"
         assert str(request.url) == "https://api.example.com/.well-known/oauth-authorization-server"
         assert "mcp-protocol-version" in request.headers
 
+    @pytest.mark.anyio
+    async def test_discover_oauth_metadata_request_trailing_slash(self, client_metadata, mock_storage):
+        """Test OAuth metadata discovery request building when server path has trailing slash."""
+
+        async def redirect_handler(url: str) -> None:
+            pass
+
+        async def callback_handler() -> tuple[str, str | None]:
+            return "test_auth_code", "test_state"
+
+        provider = OAuthClientProvider(
+            server_url="https://api.example.com/v1/mcp/",
+            client_metadata=client_metadata,
+            storage=mock_storage,
+            redirect_handler=redirect_handler,
+            callback_handler=callback_handler,
+        )
+
+        request = await provider._discover_oauth_metadata()
+
+        assert request.method == "GET"
+        assert str(request.url) == "https://api.example.com/.well-known/oauth-authorization-server/v1/mcp"
+        assert "mcp-protocol-version" in request.headers
+
     @pytest.mark.anyio
     async def test_register_client_request(self, oauth_provider):
         """Test client registration request building."""