DX-114676: Unable to connect MCP server app (Trailing slash in OAuthMetadata's issuer causes issues with clients) #85
Merged
2ff9755 to c73302a
…error

New MCP connections to staging/qa fail with "MCP server does not implement OAuth" error starting around Feb 12, 2026, while existing connections continue to work.

Root cause: The MCP SDK's OAuthMetadata model uses AnyHttpUrl for the issuer field, which automatically adds a trailing slash during Pydantic serialization. This violates RFC 8414 Section 3.2, which requires the issuer field in OAuth metadata to exactly match the discovery URL (without trailing slash).

Example:
- Discovery URL: https://login.dremio.cloud/.well-known/oauth-authorization-server
- Issuer returned: https://login.dremio.cloud/ (with trailing slash)
- RFC 8414 requirement: Issuer must be https://login.dremio.cloud (no trailing slash)

Modern OAuth clients (Claude Desktop after Feb 12, 2026) enforce strict RFC 8414 compliance and reject metadata with mismatched issuer URLs.

Create OAuthMetadataRFC8414 class that extends OAuthMetadata and uses Pydantic's @field_serializer decorator to strip the trailing slash from the issuer field during serialization. This is a clean, targeted fix that maintains RFC 8414 compliance without manual dict manipulation.

Added test_oauth_discovery_rfc8414_compliance that validates the issuer field does not have a trailing slash, ensuring RFC 8414 compliance.
maxlepikhin previously approved these changes Feb 23, 2026
aniket-s-kulkarni requested changes Feb 23, 2026
aniket-s-kulkarni (Contributor) left a comment
@ktsunoda Two small changes .. looks good overall.
Remove unnecessary settings override that was not needed for the test. The test only needs to verify the OAuth metadata endpoint returns an issuer without a trailing slash.
aniket-s-kulkarni approved these changes Feb 23, 2026
Issue
New MCP connections COULD fail with "MCP server does not implement OAuth" error.
Root cause: The MCP SDK's OAuthMetadata model uses AnyHttpUrl for the issuer field, which automatically adds a trailing slash during Pydantic serialization. This violates RFC 8414 Section 3.2, which requires the issuer field in OAuth metadata to exactly match the discovery URL (without trailing slash).
Example:
- Discovery URL: https://login.dremio.cloud/.well-known/oauth-authorization-server
- Issuer returned: https://login.dremio.cloud/ (with trailing slash)
- RFC 8414 requirement: Issuer must be https://login.dremio.cloud (no trailing slash)

Modern OAuth clients (Claude Desktop after Feb 12, 2026) enforce strict RFC 8414 compliance and reject metadata with mismatched issuer URLs.
Fix
Create OAuthMetadataRFC8414 class that extends OAuthMetadata and uses Pydantic's @field_serializer decorator to strip the trailing slash from the issuer field during serialization. This is a clean, targeted fix that maintains RFC 8414 compliance without manual dict manipulation.

The class name clearly indicates RFC 8414 compliance, making it self-documenting for future developers.
Testing
Added test_oauth_discovery_rfc8414_compliance that validates the issuer field does not have a trailing slash, ensuring RFC 8414 compliance.

Test results:
Note
The issue may have been resolved on the ChatGPT side. That said, making our code RFC 8414 compliant even if the MCP SDK has this bug, is a good idea, so proactively making this update. We will remove this hack if modelcontextprotocol/python-sdk#1919 ever gets merged.
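
The strict issuer comparison that the description above attributes to OAuth clients, sketched as an added example; it is not code from this PR, the MCP SDK, or any client. The function names and the metadata documents are constructed for illustration, and the check is generalized to issuers that carry a path component as well as the bare-host case quoted in the PR.

```python
import json
from urllib.parse import urlsplit, urlunsplit

WELL_KNOWN = "/.well-known/oauth-authorization-server"


def expected_issuer(discovery_url: str) -> str:
    """Recover the issuer that the well-known segment was inserted into."""
    parts = urlsplit(discovery_url)
    if not parts.path.startswith(WELL_KNOWN):
        raise ValueError("not an RFC 8414 discovery URL")
    # RFC 8414 puts the well-known segment between the host and any issuer path.
    issuer_path = parts.path[len(WELL_KNOWN):]
    if issuer_path and not issuer_path.startswith("/"):
        raise ValueError("not an RFC 8414 discovery URL")
    return urlunsplit((parts.scheme, parts.netloc, issuer_path, "", ""))


def check_issuer(discovery_url: str, metadata_json: str):
    """Return (ok, reason). Plain string comparison, no URL normalization."""
    issuer = json.loads(metadata_json).get("issuer")
    want = expected_issuer(discovery_url)
    if not isinstance(issuer, str):
        return False, "issuer missing or not a string"
    if issuer == want:
        return True, "ok"
    if issuer.rstrip("/") == want:
        return False, f"trailing slash: got {issuer!r}, expected {want!r}"
    return False, f"mismatch: got {issuer!r}, expected {want!r}"


# Constructed metadata documents; the URLs are the ones quoted in the PR.
DISCOVERY = "https://login.dremio.cloud/.well-known/oauth-authorization-server"
BEFORE_FIX = json.dumps({"issuer": "https://login.dremio.cloud/"})
AFTER_FIX = json.dumps({"issuer": "https://login.dremio.cloud"})

if __name__ == "__main__":
    for label, doc in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, check_issuer(DISCOVERY, doc))
```

Running the same check against a deployed discovery endpoint's response body in CI catches a reintroduced trailing slash before a strict client does.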