Make metadata more spec compliant

Author: praboud-ant

src/mcp/server/auth/router.py

@@ -1,6 +1,7 @@
 from dataclasses import dataclass
+from typing import Callable
 
-from pydantic import AnyUrl
+from pydantic import AnyHttpUrl
 from starlette.routing import Route, Router
 
 from mcp.server.auth.handlers.authorize import AuthorizationHandler
@@ -24,7 +25,7 @@ class RevocationOptions:
     enabled: bool = False
 
 
-def validate_issuer_url(url: AnyUrl):
+def validate_issuer_url(url: AnyHttpUrl):
     """
     Validate that the issuer URL meets OAuth 2.0 requirements.
 
@@ -58,8 +59,8 @@ def validate_issuer_url(url: AnyUrl):
 
 def create_auth_router(
     provider: OAuthServerProvider,
-    issuer_url: AnyUrl,
-    service_documentation_url: AnyUrl | None = None,
+    issuer_url: AnyHttpUrl,
+    service_documentation_url: AnyHttpUrl | None = None,
     client_registration_options: ClientRegistrationOptions | None = None,
     revocation_options: RevocationOptions | None = None,
 ) -> Router:
@@ -134,34 +135,61 @@ def create_auth_router(
     return auth_router
 
 
+def modify_url_path(url: AnyHttpUrl, path_mapper: Callable[[str], str]) -> AnyHttpUrl:
+    return AnyHttpUrl.build(
+        scheme=url.scheme,
+        username=url.username,
+        password=url.password,
+        host=url.host,
+        port=url.port,
+        path=path_mapper(url.path or ""),
+        query=url.query,
+        fragment=url.fragment,
+    )
+
+
 def build_metadata(
-    issuer_url: AnyUrl,
-    service_documentation_url: AnyUrl | None,
+    issuer_url: AnyHttpUrl,
+    service_documentation_url: AnyHttpUrl | None,
     client_registration_options: ClientRegistrationOptions,
     revocation_options: RevocationOptions,
 ) -> OAuthMetadata:
-    issuer_url_str = str(issuer_url).rstrip("/")
+    authorization_url = modify_url_path(
+        issuer_url, lambda path: path.rstrip("/") + AUTHORIZATION_PATH.lstrip("/")
+    )
+    token_url = modify_url_path(
+        issuer_url, lambda path: path.rstrip("/") + TOKEN_PATH.lstrip("/")
+    )
     # Create metadata
     metadata = OAuthMetadata(
-        issuer=issuer_url_str,
-        service_documentation=str(service_documentation_url).rstrip("/")
-        if service_documentation_url
-        else None,
-        authorization_endpoint=f"{issuer_url_str}{AUTHORIZATION_PATH}",
+        issuer=issuer_url,
+        authorization_endpoint=authorization_url,
+        token_endpoint=token_url,
+        scopes_supported=None,
         response_types_supported=["code"],
-        code_challenge_methods_supported=["S256"],
-        token_endpoint=f"{issuer_url_str}{TOKEN_PATH}",
-        token_endpoint_auth_methods_supported=["client_secret_post"],
+        response_modes_supported=None,
         grant_types_supported=["authorization_code", "refresh_token"],
+        token_endpoint_auth_methods_supported=["client_secret_post"],
+        token_endpoint_auth_signing_alg_values_supported=None,
+        service_documentation=service_documentation_url,
+        ui_locales_supported=None,
+        op_policy_uri=None,
+        op_tos_uri=None,
+        introspection_endpoint=None,
+        code_challenge_methods_supported=["S256"],
     )
 
     # Add registration endpoint if supported
     if client_registration_options.enabled:
-        metadata.registration_endpoint = f"{issuer_url_str}{REGISTRATION_PATH}"
+        metadata.registration_endpoint = modify_url_path(
+            issuer_url, lambda path: path.rstrip("/") + REGISTRATION_PATH.lstrip("/")
+        )
 
     # Add revocation endpoint if supported
     if revocation_options.enabled:
-        metadata.revocation_endpoint = f"{issuer_url_str}{REVOCATION_PATH}"
+        metadata.revocation_endpoint = modify_url_path(
+            issuer_url, lambda path: path.rstrip("/") + REVOCATION_PATH.lstrip("/")
+        )
         metadata.revocation_endpoint_auth_methods_supported = ["client_secret_post"]
 
     return metadata

src/mcp/server/fastmcp/server.py

@@ -14,7 +14,7 @@
 import anyio
 import pydantic_core
 import uvicorn
-from pydantic import BaseModel, Field
+from pydantic import AnyHttpUrl, BaseModel, Field
 from pydantic.networks import AnyUrl
 from pydantic_settings import BaseSettings, SettingsConfigDict
 from sse_starlette import EventSourceResponse
@@ -113,9 +113,13 @@ class Settings(BaseSettings, Generic[LifespanResultT]):
         Callable[["FastMCP"], AbstractAsyncContextManager[LifespanResultT]] | None
     ) = Field(None, description="Lifespan context manager")
 
-    auth_issuer_url: AnyUrl | None = Field(None, description="Auth issuer URL")
-    auth_service_documentation_url: AnyUrl | None = Field(
-        None, description="Service documentation URL"
+    auth_issuer_url: AnyHttpUrl | None = Field(
+        None,
+        description="URL advertised as OAuth issuer; this should be the URL the server "
+        "is reachable at",
+    )
+    auth_service_documentation_url: AnyHttpUrl | None = Field(
+        None, description="Service documentation URL advertised by OAuth"
     )
     auth_client_registration_options: ClientRegistrationOptions | None = None
     auth_revocation_options: RevocationOptions | None = None

src/mcp/shared/auth.py

@@ -24,10 +24,10 @@ class OAuthClientMetadata(BaseModel):
 
     redirect_uris: List[AnyHttpUrl] = Field(..., min_length=1)
     # token_endpoint_auth_method: this implementation only supports none &
-    # client_secret_basic;
-    # ie: we do not support client_secret_post
-    token_endpoint_auth_method: Literal["none", "client_secret_basic"] = (
-        "client_secret_basic"
+    # client_secret_post;
+    # ie: we do not support client_secret_basic
+    token_endpoint_auth_method: Literal["none", "client_secret_post"] = (
+        "client_secret_post"
     )
     # grant_types: this implementation only supports authorization_code & refresh_token
     grant_types: List[Literal["authorization_code", "refresh_token"]] = [
@@ -66,23 +66,35 @@ class OAuthClientInformationFull(OAuthClientMetadata):
 class OAuthMetadata(BaseModel):
     """
     RFC 8414 OAuth 2.0 Authorization Server Metadata.
+    See https://datatracker.ietf.org/doc/html/rfc8414#section-2
     """
 
-    issuer: str
-    authorization_endpoint: str
-    token_endpoint: str
-    registration_endpoint: Optional[str] = None
-    scopes_supported: Optional[List[str]] = None
-    response_types_supported: List[str]
-    response_modes_supported: Optional[List[str]] = None
-    grant_types_supported: Optional[List[str]] = None
-    token_endpoint_auth_methods_supported: Optional[List[str]] = None
-    token_endpoint_auth_signing_alg_values_supported: Optional[List[str]] = None
-    service_documentation: Optional[str] = None
-    revocation_endpoint: Optional[str] = None
-    revocation_endpoint_auth_methods_supported: Optional[List[str]] = None
-    revocation_endpoint_auth_signing_alg_values_supported: Optional[List[str]] = None
-    introspection_endpoint: Optional[str] = None
-    introspection_endpoint_auth_methods_supported: Optional[List[str]] = None
-    introspection_endpoint_auth_signing_alg_values_supported: Optional[List[str]] = None
-    code_challenge_methods_supported: Optional[List[str]] = None
+    issuer: AnyHttpUrl
+    authorization_endpoint: AnyHttpUrl
+    token_endpoint: AnyHttpUrl
+    registration_endpoint: AnyHttpUrl | None = None
+    scopes_supported: list[str] | None = None
+    response_types_supported: list[Literal["code"]] = ["code"]
+    response_modes_supported: list[Literal["query", "fragment"]] | None = None
+    grant_types_supported: (
+        list[Literal["authorization_code", "refresh_token"]] | None
+    ) = None
+    token_endpoint_auth_methods_supported: (
+        list[Literal["none", "client_secret_post"]] | None
+    ) = None
+    token_endpoint_auth_signing_alg_values_supported: None = None
+    service_documentation: AnyHttpUrl | None = None
+    ui_locales_supported: list[str] | None = None
+    op_policy_uri: AnyHttpUrl | None = None
+    op_tos_uri: AnyHttpUrl | None = None
+    revocation_endpoint: AnyHttpUrl | None = None
+    revocation_endpoint_auth_methods_supported: (
+        list[Literal["client_secret_post"]] | None
+    ) = None
+    revocation_endpoint_auth_signing_alg_values_supported: None = None
+    introspection_endpoint: AnyHttpUrl | None = None
+    introspection_endpoint_auth_methods_supported: (
+        list[Literal["client_secret_post"]] | None
+    ) = None
+    introspection_endpoint_auth_signing_alg_values_supported: None = None
+    code_challenge_methods_supported: list[Literal["S256"]] | None = None

tests/server/fastmcp/auth/test_auth_integration.py

@@ -15,7 +15,7 @@
 import httpx
 import pytest
 from httpx_sse import aconnect_sse
-from pydantic import AnyUrl
+from pydantic import AnyHttpUrl
 from starlette.applications import Starlette
 from starlette.routing import Mount
 
@@ -229,8 +229,8 @@ def auth_app(mock_oauth_provider):
     # Create auth router
     auth_router = create_auth_router(
         mock_oauth_provider,
-        AnyUrl("https://auth.example.com"),
-        AnyUrl("https://docs.example.com"),
+        AnyHttpUrl("https://auth.example.com"),
+        AnyHttpUrl("https://docs.example.com"),
         client_registration_options=ClientRegistrationOptions(enabled=True),
         revocation_options=RevocationOptions(enabled=True),
     )
@@ -373,7 +373,7 @@ async def test_metadata_endpoint(self, test_client: httpx.AsyncClient):
         assert response.status_code == 200
 
         metadata = response.json()
-        assert metadata["issuer"] == "https://auth.example.com"
+        assert metadata["issuer"] == "https://auth.example.com/"
         assert (
             metadata["authorization_endpoint"] == "https://auth.example.com/authorize"
         )
@@ -389,7 +389,7 @@ async def test_metadata_endpoint(self, test_client: httpx.AsyncClient):
             "authorization_code",
             "refresh_token",
         ]
-        assert metadata["service_documentation"] == "https://docs.example.com"
+        assert metadata["service_documentation"] == "https://docs.example.com/"
 
     @pytest.mark.anyio
     async def test_token_validation_error(self, test_client: httpx.AsyncClient):