[v1.x] fix: canonicalize root protected resource URIs#2463
Open
lawrence3699 wants to merge 1 commit intomodelcontextprotocol:v1.xfrom
Open
[v1.x] fix: canonicalize root protected resource URIs#2463lawrence3699 wants to merge 1 commit intomodelcontextprotocol:v1.xfrom
lawrence3699 wants to merge 1 commit intomodelcontextprotocol:v1.xfrom
Conversation
There was a problem hiding this comment.
Pull request overview
This PR fixes the .well-known/oauth-protected-resource JSON response for root-level resource and authorization_servers values by removing Pydantic’s implicit trailing /, aligning the output with the “Canonical Server URI” expectation in the spec (Fixes #1265).
Changes:
- Added a small canonicalization helper to remove the synthetic trailing
/only for host-only (root) server URIs. - Added Pydantic
field_serializers onProtectedResourceMetadata.resourceand.authorization_serversto apply this canonicalization in JSON output. - Updated the protected resource server integration test snapshot to expect the canonical (no trailing slash) URIs.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
src/mcp/shared/auth.py |
Adds JSON-only serialization logic to canonicalize root server URIs (strip implicit trailing /). |
tests/server/auth/test_protected_resource.py |
Updates snapshot expectation for root resource metadata response to omit trailing /. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes #1265.
ProtectedResourceMetadatawas serializing host-onlyresourceandauthorization_serversvalues with Pydantic's implicit trailing/, so a response like:{"resource":"https://example.com/","authorization_servers":["https://auth.example.com/"]}was emitted for root-level servers.
This change keeps route registration and path-bearing URLs unchanged, and only canonicalizes those host-only server URIs in the JSON response.
Test plan
uv run --frozen pytest tests/server/auth/test_protected_resource.py -quv run --frozen pytest tests/client/test_auth.py -q -k 'validate_resource_accepts_root_url_with_trailing_slash or protected_resource_metadata'uv run --frozen ruff check src/mcp/shared/auth.py tests/server/auth/test_protected_resource.pyuv run --frozen pyright src/mcp/shared/auth.py