fix: include resource_metadata in all 401 WWW-Authenticate responses

Olivier Gintrand · Olivier Gintrand · commit 3dbb6b23c5b1 · 2026-04-13T12:25:33.000+02:00
Move the per-server OAuth enforcement check before the empty-bearer and strict-mode checks in _auth_no_token(), and propagate the enriched WWW-Authenticate header (with RFC 9728 resource_metadata attribute) to all 401 responses. Previously, when a client sent an empty Bearer header to an OAuth-enabled server, the empty-bearer check fired first and returned a generic 'Bearer' WWW-Authenticate without the resource_metadata URL. MCP clients (Open WebUI, VS Code) could not discover the OAuth authorization server to initiate the flow. Now the per-server check always runs first, so if the target server has oauth_enabled=true, the 401 response includes the resource_metadata attribute regardless of which check triggers the rejection. Fixes #3990 Signed-off-by: Olivier Gintrand <olivier.gintrand@forterro.com>
diff --git a/mcpgateway/transports/streamablehttp_transport.py b/mcpgateway/transports/streamablehttp_transport.py
@@ -3481,15 +3481,11 @@ async def _auth_no_token(self, *, path: str, bearer_header_supplied: bool) -> bo
         Returns:
             True if the request is allowed with public-only access, False if rejected.
         """
-        # If client supplied a Bearer header but with empty credentials, fail closed
-        if bearer_header_supplied:
-            return await self._send_error(detail="Invalid authentication credentials", headers={"WWW-Authenticate": "Bearer"})
-
-        # Per-server OAuth enforcement MUST run before the global auth check so that
-        # oauth_enabled servers always return 401 with resource_metadata URL (RFC 9728).
-        # Without this, strict mode (mcp_require_auth=True) returns a generic
-        # WWW-Authenticate: Bearer with no resource_metadata, and MCP clients cannot
-        # discover the OAuth server to authenticate.  (Fixes #3752)
+        # Build the WWW-Authenticate header, enriching it with RFC 9728
+        # resource_metadata when the target server has OAuth enabled.
+        # This must happen before any 401 response so that MCP clients
+        # (e.g. Open WebUI, VS Code) can discover the OAuth flow.
+        www_auth = "Bearer"
         match = _SERVER_ID_RE.search(path)
         if match:
             per_server_id = match.group("server_id")
@@ -3503,9 +3499,13 @@ async def _auth_no_token(self, *, path: str, bearer_header_supplied: bool) -> bo
                 logger.exception("OAuth enforcement check failed for server %s", per_server_id)
                 return await self._send_error(detail="Service unavailable — unable to verify server authentication requirements", status_code=503)
 
-        # Strict mode: require authentication (non-OAuth servers get generic 401)
+        # If client supplied a Bearer header but with empty credentials, fail closed
+        if bearer_header_supplied:
+            return await self._send_error(detail="Invalid authentication credentials", headers={"WWW-Authenticate": www_auth})
+
+        # Strict mode: require authentication
         if settings.mcp_require_auth:
-            return await self._send_error(detail="Authentication required for MCP endpoints", headers={"WWW-Authenticate": "Bearer"})
+            return await self._send_error(detail="Authentication required for MCP endpoints", headers={"WWW-Authenticate": www_auth})
 
         # Permissive mode: allow unauthenticated access with public-only scope
         # Set context indicating unauthenticated user with public-only access (teams=[])
