OAuth routes silently override existing OAUTH discovery routes #138

@Radiergummi

Laravel Package Version

0.5.2

Laravel Version

12.48.1

PHP Version

8.4

Database Driver & Version

N/A

Description

As Passport users, we already have a .well-known/oauth-authorization-server endpoint for metadata discovery. The route definition is overwritten by the MCP package with a wildcard route (.well-known/oauth-authorization-server/{path?}) that takes precedence over our route, and thus silently replaces the entire authorization server config we had in place.

I assume our use case (having Passport with a well-known discovery document in place, adding MCP) is a common one; the metadata discovery document is essential for many automation workflows and client discovery.
Breaking this expectation should be considered a bug; at least, the documentation should clearly describe what OAuth routes will be registered. Ideally, though, I'd like to be able to customise the registration (like e.g. Nova does, by giving me a PendingRouteRegistration instance that I can customise). Alternatively, if boolean parameters were added to the oauthRoutes method for protected resources, metadata discovery, and client registration separately, I wouldn't have to recreate the endpoint routing manually.

Steps To Reproduce

Add an application route for .well-known/oauth-authorization-server, e.g.:

Route::get('.well-known/oauth-authorization-server', SomeController::class);

Enable MCP OAuth routes:

Mcp::oauthRoutes('mcp/oauth');

Check your route registration:

php artisan route:list --path .well-known/oauth

  GET|HEAD       .well-known/oauth-authorization-server ....... well_known.oauth_authorization_server › Global\WellKnownController@oauthAuthorizationServer
  GET|HEAD       .well-known/oauth-authorization-server/{path?} ............................................................ mcp.oauth.authorization-server
  GET|HEAD       .well-known/oauth-protected-resource/{path?} ................................................................ mcp.oauth.protected-resource

Showing [3] routes
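
A check for the overlap reported above, as an added example that is not part of the original issue or of the MCP package: it reads route data in the shape of `php artisan route:list --json` and flags every parameter-free route whose exact path is also matched by a parameterised route. The sample is constructed from the listing above; the helper names are hypothetical, route domains are ignored, and parameters are assumed to use Laravel's default single-segment pattern.

```python
import json
import re

# Constructed sample: the three routes from the listing above, in the shape
# of `php artisan route:list --json` (only the fields used here).
SAMPLE_ROUTES = json.loads("""
[
  {"method": "GET|HEAD", "uri": ".well-known/oauth-authorization-server",
   "name": "well_known.oauth_authorization_server"},
  {"method": "GET|HEAD", "uri": ".well-known/oauth-authorization-server/{path?}",
   "name": "mcp.oauth.authorization-server"},
  {"method": "GET|HEAD", "uri": ".well-known/oauth-protected-resource/{path?}",
   "name": "mcp.oauth.protected-resource"}
]
""")

def uri_to_regex(uri):
    """Approximate a Laravel URI pattern as a regex.

    route:list does not show custom `where` constraints, so every parameter
    is assumed to match exactly one path segment ([^/]+).
    """
    parts = []
    for segment in uri.strip("/").split("/"):
        if re.fullmatch(r"\{\w+\?\}", segment):    # optional parameter
            parts.append(r"(?:/[^/]+)?")
        elif re.fullmatch(r"\{\w+\}", segment):    # required parameter
            parts.append(r"/[^/]+")
        else:                                      # literal segment
            parts.append("/" + re.escape(segment))
    return re.compile("".join(parts) + r"/?")

def find_shadowed(routes):
    """Return (static_route_name, overlapping_route_name) pairs where a
    parameterised route also matches a parameter-free route's exact path
    for at least one shared HTTP method."""
    hits = []
    for static in (r for r in routes if "{" not in r["uri"]):
        path = "/" + static["uri"].strip("/")
        for other in routes:
            if other is static or "{" not in other["uri"]:
                continue
            shared = set(static["method"].split("|")) & set(other["method"].split("|"))
            if shared and uri_to_regex(other["uri"]).fullmatch(path):
                hits.append((static["name"], other["name"]))
    return hits

if __name__ == "__main__":
    for static_name, other_name in find_shadowed(SAMPLE_ROUTES):
        print(f"{static_name} is also matched by {other_name}")
```

Run against the real JSON output in CI, a non-empty result means a discovery endpoint has more than one candidate handler and should be reviewed before deploy.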
