From 133f8d8a822a07902ea9c594f1c560952609909c Mon Sep 17 00:00:00 2001 From: Allen Zhou <46854522+allenzhou101@users.noreply.github.com> Date: Tue, 11 Feb 2025 16:30:59 -0800 Subject: [PATCH 1/3] Explicitly define the Authorization Base URL --- .../draft/basic/authorization.md | 29 +++++++++++++++++-- 1 file changed, 27 insertions(+), 2 deletions(-) diff --git a/docs/specification/draft/basic/authorization.md b/docs/specification/draft/basic/authorization.md index 1432a89..903c50a 100644 --- a/docs/specification/draft/basic/authorization.md +++ b/docs/specification/draft/basic/authorization.md @@ -118,10 +118,28 @@ version. For example: `MCP-Protocol-Version: 2024-11-05` -#### 2.3.1 Fallbacks for Servers without Metadata Discovery +#### 2.3.2 Authorization Base URL + +The authorization base URL **MUST** be determined from the [SSE +endpoint]({{< ref "specification/draft/basic/transports#http-with-sse" >}}) URL by +preserving only the `scheme`, `hostname`, and `port` (if non-standard). For example: + +If the SSE endpoint is `https://api.example.com/v1/sse`, then: + +- The authorization base URL is `https://api.example.com` +- The metadata endpoint **MUST** be at + `https://api.example.com/.well-known/oauth-authorization-server` + +This ensures authorization endpoints are consistently located at the root level of the +domain serving the SSE endpoint, regardless of any path components in the SSE endpoint +URL. + +#### 2.3.3 Fallbacks for Servers without Metadata Discovery For servers that do not implement OAuth 2.0 Authorization Server Metadata, clients -**MUST** use the following default endpoint paths relative to the server's base URL: +**MUST** use the following default endpoint paths relative to the authorization base URL +(as defined in [Section +2.3.2]({{< ref "specification/draft/basic/authorization#232-authorization-base-url" >}})): | Endpoint | Default Path | Description | | ---------------------- | ------------ | ------------------------------------ | 
@@ -129,6 +147,13 @@ For servers that do not implement OAuth 2.0 Authorization Server Metadata, clien | Token Endpoint | /token | Used for token exchange & refresh | | Registration Endpoint | /register | Used for dynamic client registration | +For example, with an SSE endpoint of `https://api.example.com/v1/sse`, the default +endpoints would be: + +- `https://api.example.com/authorize` +- `https://api.example.com/token` +- `https://api.example.com/register` + Clients **MUST** first attempt to discover endpoints via the metadata document before falling back to default paths. When using default paths, all other protocol requirements remain unchanged. From f5b70613a69fbfac57a367bd466ad49b627df48f Mon Sep 17 00:00:00 2001 From: Allen Zhou <46854522+allenzhou101@users.noreply.github.com> Date: Fri, 14 Feb 2025 10:39:08 -0800 Subject: [PATCH 2/3] Specify base url is path replacement Co-authored-by: Justin Spahr-Summers --- docs/specification/draft/basic/authorization.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/specification/draft/basic/authorization.md b/docs/specification/draft/basic/authorization.md index 903c50a..46081ed 100644 --- a/docs/specification/draft/basic/authorization.md +++ b/docs/specification/draft/basic/authorization.md @@ -121,8 +121,7 @@ For example: `MCP-Protocol-Version: 2024-11-05` #### 2.3.2 Authorization Base URL The authorization base URL **MUST** be determined from the [SSE -endpoint]({{< ref "specification/draft/basic/transports#http-with-sse" >}}) URL by -preserving only the `scheme`, `hostname`, and `port` (if non-standard). For example: +endpoint]({{< ref "specification/draft/basic/transports#http-with-sse" >}}) URL by discarding any existing `path` component. For example: If the SSE endpoint is `https://api.example.com/v1/sse`, then: From ff27987e43c6985e771008d3a6a8f0d926cf5107 Mon Sep 17 00:00:00 2001 
From: Allen Zhou <46854522+allenzhou101@users.noreply.github.com> Date: Fri, 14 Feb 2025 10:46:37 -0800 Subject: [PATCH 3/3] Update authorization.md --- docs/specification/draft/basic/authorization.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/specification/draft/basic/authorization.md b/docs/specification/draft/basic/authorization.md index 8eef1ed..97b1dde 100644 --- a/docs/specification/draft/basic/authorization.md +++ b/docs/specification/draft/basic/authorization.md @@ -121,7 +121,8 @@ For example: `MCP-Protocol-Version: 2024-11-05` #### 2.3.2 Authorization Base URL The authorization base URL **MUST** be determined from the [SSE -endpoint]({{< ref "specification/draft/basic/transports#http-with-sse" >}}) URL by discarding any existing `path` component. For example: +endpoint]({{< ref "specification/draft/basic/transports#http-with-sse" >}}) URL by +discarding any existing `path` component. For example: If the SSE endpoint is `https://api.example.com/v1/sse`, then:
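Review bot: the heading renumbering in the first hunk of PATCH 1/3 (`@@ -118,10 +118,28 @@`) turns `#### 2.3.1 Fallbacks for Servers without Metadata Discovery` into `2.3.3` and inserts `#### 2.3.2 Authorization Base URL`, yet no `2.3.1` heading appears anywhere in the hunk's context, so as shown the numbering jumps from 2.3 to 2.3.2. Either number the new section 2.3.1 and the fallback section 2.3.2, or confirm that a 2.3.1 heading exists above line 118 of the file; whichever is chosen, the `ref` anchor `#232-authorization-base-url` added further down in the same hunk has to be changed in step with it.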
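Review bot: the example added in the second hunk of PATCH 1/3 (`@@ -129,6 +147,13 @@`) lists `https://api.example.com/authorize`, `/token` and `/register` as "the default endpoints" without restating that they apply only after the lookup of `/.well-known/oauth-authorization-server` has failed; read on its own, the list looks like an alternative to discovery rather than a fallback, even though the unchanged paragraph right after it makes discovery mandatory first. Suggest opening the example with "if metadata discovery fails, with an SSE endpoint of ..." so a client implementer cannot take the defaults as a shortcut.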
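Review bot: the wording change in the PATCH 2/3 hunk (`@@ -121,8 +121,7 @@`) replaces "preserving only the `scheme`, `hostname`, and `port` (if non-standard)" with "discarding any existing `path` component", which loosens the rule: it no longer says what happens to a query string, fragment or userinfo in the SSE URL, so two clients can derive different authorization base URLs (and hence different metadata URLs) from the same endpoint. Keep the allow-list form, for example "by keeping only the scheme, host and port and discarding the path, query, fragment and userinfo components", so the derivation is deterministic.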
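Review bot: the PATCH 3/3 hunk (`@@ -121,7 +121,8 @@`) only re-wraps the line introduced by PATCH 2/3 to the file's line width, with no change in wording. Squash it into PATCH 2/3 so the series does not carry a whitespace-only commit, and if it is kept separate, give it a subject more specific than "Update authorization.md".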