Fix DX-114676: OAuth discovery fails with "does not implement OAuth" error

ktsunoda · ktsunoda · commit 2a1e0098029c · 2026-02-23T12:53:25.000-06:00
New MCP connections to staging/qa fail with "MCP server does not implement OAuth" error starting around Feb 12, 2026, while existing connections continue to work. Root cause: The MCP SDK's OAuthMetadata model uses AnyHttpUrl for the issuer field, which automatically adds a trailing slash during Pydantic serialization. This violates RFC 8414 Section 3.2, which requires the issuer field in OAuth metadata to exactly match the discovery URL (without trailing slash). Example: - Discovery URL: https://login.dremio.cloud/.well-known/oauth-authorization-server - Issuer returned: https://login.dremio.cloud/ (with trailing slash) - RFC 8414 requirement: Issuer must be https://login.dremio.cloud (no trailing slash) Modern OAuth clients (Claude Desktop after Feb 12, 2026) enforce strict RFC 8414 compliance and reject metadata with mismatched issuer URLs. Create OAuthMetadataRFC8414 class that extends OAuthMetadata and uses Pydantic's @field_serializer decorator to strip the trailing slash from the issuer field during serialization. This is a clean, targeted fix that maintains RFC 8414 compliance without manual dict manipulation. Added test_oauth_discovery_rfc8414_compliance that validates the issuer field does not have a trailing slash, ensuring RFC 8414 compliance.
diff --git a/src/dremioai/servers/mcp.py b/src/dremioai/servers/mcp.py
@@ -20,13 +20,25 @@
 from mcp.cli.claude import get_claude_config_path
 from mcp.shared.auth import OAuthMetadata
 from mcp.types import ToolAnnotations
-from pydantic import AnyHttpUrl
+from pydantic import AnyHttpUrl, field_serializer
 from pydantic.networks import AnyUrl
 
 from dremioai.metrics.registry import get_metrics_app
 from starlette.requests import Request
 from starlette.responses import Response
 
+
+class OAuthMetadataRFC8414(OAuthMetadata):
+    """RFC 8414 compliant OAuth metadata that strips trailing slash from issuer URL.
+
+    The MCP SDK's OAuthMetadata uses AnyHttpUrl for the issuer field, which adds
+    a trailing slash during serialization. RFC 8414 Section 3.2 requires the issuer
+    to exactly match the discovery URL without trailing slash.
+    """
+    @field_serializer('issuer')
+    def serialize_issuer(self, value: AnyHttpUrl) -> str:
+        return str(value).rstrip('/')
+
 from dremioai.tools import tools
 import os
 from typing import List, Union, Annotated, Optional, Tuple, Dict, Any
@@ -180,7 +192,7 @@ def init(
     async def authorization_server_metadata(request: Request) -> Response:
         if issuer := settings.instance().dremio.auth_issuer_uri:
             auth, tok = settings.instance().dremio.auth_endpoints
-            md = OAuthMetadata(
+            md = OAuthMetadataRFC8414(
                 issuer=AnyHttpUrl(issuer),
                 authorization_endpoint=auth,
                 token_endpoint=tok,
diff --git a/tests/e2e/test_mcp_e2e.py b/tests/e2e/test_mcp_e2e.py
@@ -50,6 +50,59 @@ async def test_healthz(mock_config_dir, logging_server, logging_level):
             ), f"/healthz failed with {r.text}, {r.status_code}"
 
 
+@pytest.mark.asyncio
+async def test_oauth_discovery_rfc8414_compliance(mock_config_dir, logging_server, logging_level):
+    """Test that OAuth discovery fails with trailing slash (reproduces DX-114676).
+
+    This test reproduces the issue that started happening around Feb 12, 2026 when
+    Claude Desktop clients were updated to strictly validate RFC 8414 Section 3.2,
+    which requires the issuer field in OAuth metadata to exactly match the discovery URL.
+
+    The bug: AnyHttpUrl adds a trailing slash to the issuer URL, causing strict clients
+    to reject the OAuth metadata because the issuer doesn't match the discovery URL.
+    """
+    async with http_streamable_mcp_server(logging_server, logging_level) as sf:
+        async with AsyncClient() as client:
+            oauth_url = urlparse(sf.mcp_server.url)._replace(
+                path="/.well-known/oauth-authorization-server"
+            ).geturl()
+
+            from dremioai.config import settings as settings_module
+            old_settings = settings_module.instance()
+            try:
+                settings_module._settings.set(
+                    settings_module.Settings.model_validate(
+                        {
+                            "dremio": {
+                                "uri": "https://api.dremio.cloud",
+                                "pat": "test-pat",
+                            },
+                            "tools": {"server_mode": "FOR_SELF"},
+                        }
+                    )
+                )
+
+                r = await client.get(oauth_url)
+
+                if r.status_code == 404:
+                    pytest.skip("OAuth not configured for this test environment")
+
+                assert r.status_code == 200, f"OAuth metadata endpoint failed: {r.text}"
+
+                data = r.json()
+                issuer_from_metadata = data["issuer"]
+
+                if issuer_from_metadata.endswith('/'):
+                    pytest.fail(
+                        f"RFC 8414 Section 3.2 violation: issuer has trailing slash.\n"
+                        f"Got: {issuer_from_metadata}\n"
+                        f"This causes OAuth discovery to fail with strict clients (Claude Desktop after Feb 12, 2026).\n"
+                        f"The issuer field MUST exactly match the discovery URL without trailing slash."
+                    )
+            finally:
+                settings_module._settings.set(old_settings)
+
+
 @pytest.mark.asyncio
 @pytest.mark.parametrize(
     "engine_name",
