@@ -671,42 +671,54 @@ export function buildDiscoveryUrls(authorizationServerUrl: string | URL): { url:
671
671
const hasPath = url . pathname !== '/' ;
672
672
const urlsToTry : { url : URL ; type : 'oauth' | 'oidc' } [ ] = [ ] ;
673
673
674
- // 1. OAuth metadata at the given URL
675
- urlsToTry . push ( {
676
- url : new URL (
677
- buildWellKnownPath ( 'oauth-authorization-server' , hasPath ? url . pathname : '' ) ,
678
- url . origin
679
- ) ,
680
- type : 'oauth'
681
- } ) ;
682
674
683
- // 2. OAuth metadata at root ( if URL has path)
684
- if ( hasPath ) {
675
+ if ( ! hasPath ) {
676
+ // Root path: https://example.com/.well-known/oauth-authorization-server
685
677
urlsToTry . push ( {
686
- url : new URL ( buildWellKnownPath ( ' oauth-authorization-server') , url . origin ) ,
678
+ url : new URL ( '/.well-known/ oauth-authorization-server', url . origin ) ,
687
679
type : 'oauth'
688
680
} ) ;
689
- }
690
681
691
- // 3. OIDC metadata endpoints
692
- if ( hasPath ) {
693
- // RFC 8414 style: Insert /.well-known/openid-configuration before the path
694
- urlsToTry . push ( {
695
- url : new URL ( buildWellKnownPath ( 'openid-configuration' , url . pathname ) , url . origin ) ,
696
- type : 'oidc'
697
- } ) ;
698
- // OIDC Discovery 1.0 style: Append /.well-known/openid-configuration after the path
682
+ // OIDC: https://example.com/.well-known/openid-configuration
699
683
urlsToTry . push ( {
700
- url : new URL ( buildWellKnownPath ( 'openid-configuration' , url . pathname , { prependPathname : true } ) , url . origin ) ,
701
- type : 'oidc'
702
- } ) ;
703
- } else {
704
- urlsToTry . push ( {
705
- url : new URL ( buildWellKnownPath ( 'openid-configuration' ) , url . origin ) ,
684
+ url : new URL ( `/.well-known/openid-configuration` , url . origin ) ,
706
685
type : 'oidc'
707
686
} ) ;
687
+
688
+ return urlsToTry ;
689
+ }
690
+
691
+ // Strip trailing slash from pathname to avoid double slashes
692
+ let pathname = url . pathname ;
693
+ if ( pathname . endsWith ( '/' ) ) {
694
+ pathname = pathname . slice ( 0 , - 1 ) ;
708
695
}
709
696
697
+ // 1. OAuth metadata at the given URL
698
+ // Insert well-known before the path: https://example.com/.well-known/oauth-authorization-server/tenant1
699
+ urlsToTry . push ( {
700
+ url : new URL ( `/.well-known/oauth-authorization-server${ pathname } ` , url . origin ) ,
701
+ type : 'oauth'
702
+ } ) ;
703
+
704
+ // Root path: https://example.com/.well-known/oauth-authorization-server
705
+ urlsToTry . push ( {
706
+ url : new URL ( '/.well-known/oauth-authorization-server' , url . origin ) ,
707
+ type : 'oauth'
708
+ } ) ;
709
+
710
+ // 3. OIDC metadata endpoints
711
+ // RFC 8414 style: Insert /.well-known/openid-configuration before the path
712
+ urlsToTry . push ( {
713
+ url : new URL ( `/.well-known/openid-configuration${ pathname } ` , url . origin ) ,
714
+ type : 'oidc'
715
+ } ) ;
716
+ // OIDC Discovery 1.0 style: Append /.well-known/openid-configuration after the path
717
+ urlsToTry . push ( {
718
+ url : new URL ( `${ pathname } /.well-known/openid-configuration` , url . origin ) ,
719
+ type : 'oidc'
720
+ } ) ;
721
+
710
722
return urlsToTry ;
711
723
}
712
724
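Review bot: The OIDC Discovery 1.0 entry at the end of the hunk is the only candidate whose relative reference begins with `pathname` instead of `/.well-known/`, so a pathname that starts with `//` (the URL parser keeps empty leading segments) is resolved as a network-path reference and the resulting URL no longer stays on `url.origin`. Building that entry through the pathname setter keeps the host fixed: ``const oidcUrl = new URL(url.origin);`` followed by ``oidcUrl.pathname = `${pathname}/.well-known/openid-configuration`;`` and then pushing `url: oidcUrl`. Separately, the root-level `oauth-authorization-server` fallback is still tried for issuers that have a path, so the caller (outside this hunk) presumably has to compare the `issuer` in the returned metadata with the requested URL, as RFC 8414 section 3.3 requires; a comment beside that push saying so would help, and it could also restore the missing "2." in the step numbering. The function begins above the hunk, so how `url` is parsed and validated is not visible here.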