Description
Hello team,
Just wanted to reach out with the following issue.
We are using this mcp-security with our MCP server.
Our auth server is a third-party auth server.
Important:
1. This third-party auth server has a /.well-known/oauth-authorization-server endpoint.
2. However, this third-party auth server does NOT have the /.well-known/openid-configuration endpoint.
Furthermore, with that said, looking at the current MCP auth spec, version 2025-06-18, we can see the mention of /.well-known/oauth-authorization-server, but not /.well-known/openid-configuration. Somehow, this third-party auth server seems not to be wrong; they are following the official spec:
https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization#sequence-diagram
The issue is that the current security configuration seems to look for /.well-known/openid-configuration, while this is not in the spec.
Here is our configuration, following the repo examples:
```java
import org.springaicommunity.mcp.security.server.config.McpServerOAuth2Configurer;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
// mcpServerOAuth2() and OAuth2ProtectedResourceMetadata come from mcp-security;
// their packages are not shown in the report, so those imports are left out here.

@Configuration
class SecurityConfiguration {

    private static final String MCP_RESOURCE_PATH = "/mcp";
    private static final String BEARER_METHOD = "header";

    // Issuer handed to mcp-security; per the stack trace it is used as the
    // issuer location from which the JWT decoder resolves provider metadata.
    @Value("${spring.security.oauth2.resourceserver.jwt.uri}")
    private String jwtIssuerUrl;

    // Authorization server advertised in the protected resource metadata.
    @Value("${spring.security.oauth2.resourceserver.authorization.uri}")
    private String authorizationServerUrl;

    @Bean
    SecurityFilterChain securityFilterChain(final HttpSecurity http) throws Exception {
        return http
                .authorizeHttpRequests(registry -> registry.anyRequest().authenticated())
                .with(mcpServerOAuth2(), this::getMcpServerOAuth2Configurer)
                .build();
    }

    private void getMcpServerOAuth2Configurer(final McpServerOAuth2Configurer mcpServer) {
        mcpServer.authorizationServer(jwtIssuerUrl)
                .protectedResourceMetadataCustomizer(this::getProtectedResourceMetadataCustomizer)
                .resourcePath(MCP_RESOURCE_PATH);
    }

    private void getProtectedResourceMetadataCustomizer(final OAuth2ProtectedResourceMetadata.Builder builder) {
        builder.authorizationServer(authorizationServerUrl).bearerMethod(BEARER_METHOD);
    }
}
```
The reason why I said it "seems" to call /.well-known/openid-configuration is because:
1. We asked the third-party auth server for access logs, and it seems there is a call to /.well-known/openid-configuration as the first call of our MCP server to them.
2. We tried both the localhost version (SampleAuthorizationServerApplication), as well as another third-party (but we don't have a business contract with them, just to test this issue), and it seems there is a call to /.well-known/openid-configuration. It seems that if the auth server supports /.well-known/openid-configuration, it is working.
For us, we get the stack trace below when the auth server does not support /.well-known/openid-configuration.
Issue:
Is it true that the current mcp-security requires the auth server to support /.well-known/openid-configuration?
If an auth server follows the current version of the spec, does not support the /.well-known/openid-configuration endpoint, but does support /.well-known/oauth-authorization-server, what is the proper configuration?
Finally, how do we resolve this:
```
Java.lang.IllegalArgumentException: Unable to resolve the Configuration with the provided Issuer of "https://third-party/auth/azure"
at org.springframework.security.oauth2.jwt.JwtDecoderProviderConfigurationUtils.getConfiguration(JwtDecoderProviderConfigurationUtils.java:176) ~[spring-security-oauth2-jose-6.5.7.jar:6.5.7] ?
Caused by: java.lang.IllegalArgumentException: Unable to resolve the Configuration with the provided Issuer of "https://third-party/auth/azure"
at org.springframework.security.oauth2.jwt.JwtDecoderProviderConfigurationUtils.getConfiguration(JwtDecoderProviderConfigurationUtils.java:176) ~[spring-security-oauth2-jose-6.5.7.jar:6.5.7]
at org.springframework.security.oauth2.jwt.JwtDecoderProviderConfigurationUtils.getConfigurationForIssuerLocation(JwtDecoderProviderConfigurationUtils.java:88) ~[spring-security-oauth2-jose-6.5.7.jar:6.5.7]
at org.springframework.security.oauth2.jwt.NimbusJwtDecoder.lambda$withIssuerLocation$2(NimbusJwtDecoder.java:230) ~[spring-security-oauth2-jose-6.5.7.jar:6.5.7]
at org.springframework.security.oauth2.jwt.NimbusJwtDecoder$JwkSetUriJwtDecoderBuilder.jwkSource(NimbusJwtDecoder.java:439) ~[spring-security-oauth2-jose-6.5.7.jar:6.5.7]
at org.springframework.security.oauth2.jwt.NimbusJwtDecoder$JwkSetUriJwtDecoderBuilder.processor(NimbusJwtDecoder.java:448) ~[spring-security-oauth2-jose-6.5.7.jar:6.5.7]
at org.springframework.security.oauth2.jwt.NimbusJwtDecoder$JwkSetUriJwtDecoderBuilder.build(NimbusJwtDecoder.java:464) ~[spring-security-oauth2-jose-6.5.7.jar:6.5.7]
at org.springaicommunity.mcp.security.server.config.McpServerOAuth2Configurer.getJwtDecoder(McpServerOAuth2Configurer.java:136) ~[mcp-server-security-0.0.4.jar:0.0.4]
at org.springaicommunity.mcp.security.server.config.McpServerOAuth2Configurer.lambda$init$0(McpServerOAuth2Configurer.java:127) ~[mcp-server-security-0.0.4.jar:0.0.4]
at org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer.jwt(OAuth2ResourceServerConfigurer.java:234) ~[spring-security-config-6.5.7.jar:6.5.7]
at org.springaicommunity.mcp.security.server.config.McpServerOAuth2Configurer.lambda$init$1(McpServerOAuth2Configurer.java:127) ~[mcp-server-security-0.0.4.jar:0.0.4]
at org.springframework.security.config.annotation.web.builders.HttpSecurity.oauth2ResourceServer(HttpSecurity.java:3001) ~[spring-security-config-6.5.7.jar:6.5.7]
at org.springaicommunity.mcp.security.server.config.McpServerOAuth2Configurer.init(McpServerOAuth2Configurer.java:126) ~[mcp-server-security-0.0.4.jar:0.0.4]
at org.springaicommunity.mcp.security.server.config.McpServerOAuth2Configurer.init(McpServerOAuth2Configurer.java:43) ~[mcp-server-security-0.0.4.jar:0.0.4]
at org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder.init(AbstractConfiguredSecurityBuilder.java:388) ~[spring-security-config-6.5.7.jar:6.5.7]
at org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder.doBuild(AbstractConfiguredSecurityBuilder.java:350) ~[spring-security-config-6.5.7.jar:6.5.7]
at org.springframework.security.config.annotation.AbstractSecurityBuilder.build(AbstractSecurityBuilder.java:38) ~[spring-security-config-6.5.7.jar:6.5.7]
... 24 common frames omitted
Caused by: org.springframework.web.client.UnknownContentTypeException: Could not extract response: no suitable HttpMessageConverter found for response type [java.util.Map<java.lang.String, java.lang.Object>] and content type [text/html;charset=utf-8]
at org.springframework.web.client.HttpMessageConverterExtractor.extractData(HttpMessageConverterExtractor.java:133) ~[spring-web-6.2.14.jar:6.2.14]
at org.springframework.web.client.RestTemplate$ResponseEntityResponseExtractor.extractData(RestTemplate.java:1183) ~[spring-web-6.2.14.jar:6.2.14]
at org.springframework.web.client.RestTemplate$ResponseEntityResponseExtractor.extractData(RestTemplate.java:1166) ~[spring-web-6.2.14.jar:6.2.14]
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:903) ~[spring-web-6.2.14.jar:6.2.14]
at org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:751) ~[spring-web-6.2.14.jar:6.2.14]
at org.springframework.security.oauth2.jwt.JwtDecoderProviderConfigurationUtils.getConfiguration(JwtDecoderProviderConfigurationUtils.java:165) ~[spring-security-oauth2-jose-6.5.7.jar:6.5.7]
... 48 common frames omitted
```
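Added Python model (not the reporter's code or the mcp-security project's) of the issuer-location discovery walk that Spring Security's JwtDecoderProviderConfigurationUtils performs for an issuer with a path, together with the JSON and issuer checks a resource server should apply to whatever metadata it fetches. The as.example issuer and both sample servers are constructed; the second one publishes OAuth metadata only at issuer + /.well-known/oauth-authorization-server, which none of the three candidate URLs reaches, reproducing the failure pattern in the report.

```python
import json
from urllib.parse import urlparse

OIDC_PATH = "/.well-known/openid-configuration"
OAUTH_PATH = "/.well-known/oauth-authorization-server"


def candidate_metadata_urls(issuer: str) -> list[str]:
    """Order Spring Security tries: OIDC appended to the issuer, then OIDC and
    OAuth metadata with the issuer path inserted after the well-known segment."""
    u = urlparse(issuer.rstrip("/"))
    origin, path = f"{u.scheme}://{u.netloc}", u.path
    return [f"{origin}{path}{OIDC_PATH}", f"{origin}{OIDC_PATH}{path}",
            f"{origin}{OAUTH_PATH}{path}"]


def validate_metadata(issuer: str, content_type: str, body: str) -> dict:
    """Accept a document only if it is JSON, names the configured issuer
    (rejects another server's metadata) and carries a jwks_uri."""
    if content_type.split(";")[0].strip().lower() != "application/json":
        raise ValueError(f"not JSON metadata, content type {content_type}")
    doc = json.loads(body)
    if doc.get("issuer") != issuer:
        raise ValueError(f"metadata issuer {doc.get('issuer')!r} != {issuer!r}")
    if not doc.get("jwks_uri"):
        raise ValueError("metadata lacks jwks_uri")
    return doc


def discover(issuer: str, fetch) -> tuple[str, dict]:
    """Walk the candidates; fetch(url) returns (content_type, body)."""
    failures = []
    for url in candidate_metadata_urls(issuer):
        try:
            content_type, body = fetch(url)
            return url, validate_metadata(issuer, content_type, body)
        except (ValueError, OSError) as exc:
            failures.append(f"{url}: {exc}")
    raise LookupError(f"cannot resolve metadata for {issuer}: " + "; ".join(failures))


# Constructed sample servers (not real hosts): JSON at a single path, an HTML
# error page everywhere else, like the text/html response in the report.
ISSUER = "https://as.example/auth/tenant"
METADATA = json.dumps({"issuer": ISSUER, "jwks_uri": ISSUER + "/jwks"})
RFC8414_SERVER = {f"https://as.example{OAUTH_PATH}/auth/tenant": METADATA}
# Serves OAuth metadata only at issuer + well-known path; no candidate above
# hits it, so discovery fails for this server just as the report describes.
APPENDED_ONLY_SERVER = {f"{ISSUER}{OAUTH_PATH}": METADATA}


def fetch_from(server: dict):
    return lambda url: (("application/json", server[url]) if url in server
                        else ("text/html;charset=utf-8", "<html>Not Found</html>"))
```

Running `discover(ISSUER, fetch_from(RFC8414_SERVER))` succeeds on the third candidate, while the APPENDED_ONLY_SERVER variant raises LookupError listing a text/html failure for every candidate.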