fix(oauth): support path-scoped issuers in RFC 8414 discovery (Keycloak, Cognito)#54
Merged
Keycloak realm URLs (http://keycloak/realms/test) and AWS Cognito user pool URLs are path-scoped issuers where the issuer identity includes the path component. discover_oauth_metadata was stripping the path via _authorization_base_url and only probing /.well-known/oauth-authorization-server at the host root (404 on Keycloak), falling through to dummy default endpoints with no device_authorization_endpoint. RFC 8414 §3 specifies that the well-known URL is constructed by inserting the well-known prefix between the host and path components of the issuer URL (path-insertion), so the correct URL for issuer http://keycloak/realms/test is http://keycloak/.well-known/oauth-authorization-server/realms/test. _build_well_known_url already performs this correctly; the fix adds a third Phase 2 probe using server_url directly when it differs from both the PRM-discovered auth server and the base URL. Validated against Keycloak 26.6.1: --oauth-device now successfully discovers the device_authorization_endpoint and issues a device code instead of failing with "no device_authorization_endpoint in metadata". Co-Authored-By: Claude Sonnet 4.6 <[email protected]>
Fixes #53
Problem

Keycloak realm URLs (`http://keycloak/realms/test`) and AWS Cognito user pool URLs are path-scoped issuers where the issuer identity includes the path component. `discover_oauth_metadata` was stripping the path via `_authorization_base_url` and only probing `/.well-known/oauth-authorization-server` at the host root (404 on Keycloak), falling through to dummy default endpoints with no `device_authorization_endpoint`.

Fix

RFC 8414 §3 specifies that the well-known URL is constructed by inserting the well-known prefix between the host and path components of the issuer URL. `_build_well_known_url` already performs this correctly. The fix adds a third Phase 2 probe using `server_url` directly (path preserved) when it differs from both the PRM-discovered auth server and the base URL:

Discovery order (unchanged for non-Keycloak servers):

1. `auth_server_url` (base, or PRM-discovered)
2. `base` (fallback when PRM redirected to a different AS that failed)
3. `server_url` (path-scoped issuer probe)

Testing

- m2.local): `--oauth-device` now successfully discovers `device_authorization_endpoint` and issues a device code.
- `test_path_scoped_issuer_keycloak_style` and `test_path_scoped_issuer_does_not_shadow_host_root_match`

Test plan

- `pytest tests/ -v` — all 360 tests pass
- `mcp-stdio --oauth-device --client-id mcp-stdio-test http://localhost:18080/realms/test` issues device code successfully

🤖 Generated with Claude Code
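The RFC 8414 §3 path-insertion rule and the three-probe discovery order described in this PR, as an added example that is not the project's own code. `build_well_known_url`, `authorization_base_url`, `discovery_probe_order` and `discover_device_endpoint` are hypothetical names standing in for the project's `_build_well_known_url` and `discover_oauth_metadata`; the `fetch` callable and the metadata responses are constructed stand-ins for HTTP GETs (`None` models a 404). The issuer-equality check is the RFC 8414 §3.3 requirement that a client reject a metadata document whose `issuer` does not match the issuer it probed; it is included here as the check a client should make before trusting any discovered endpoint.

```python
"""Added example: RFC 8414 §3 well-known URL construction for path-scoped
issuers and the auth_server_url -> base -> server_url probe order from the PR.
Function names are hypothetical; the fetch callable and responses are constructed."""
from typing import Callable, Optional
from urllib.parse import urlsplit, urlunsplit

DISCOVERY_SUFFIX = "oauth-authorization-server"


def build_well_known_url(issuer: str, suffix: str = DISCOVERY_SUFFIX) -> str:
    """RFC 8414 §3 path insertion: /.well-known/<suffix> goes between host and path.

    https://as.example.com        -> https://as.example.com/.well-known/<suffix>
    http://keycloak/realms/test   -> http://keycloak/.well-known/<suffix>/realms/test
    """
    parts = urlsplit(issuer)
    if parts.query or parts.fragment:
        # RFC 8414 §2: an issuer identifier has no query or fragment component
        raise ValueError("issuer must not contain a query or fragment")
    path = parts.path.rstrip("/")  # host-root issuer contributes no path
    return urlunsplit((parts.scheme, parts.netloc, f"/.well-known/{suffix}{path}", "", ""))


def authorization_base_url(url: str) -> str:
    """Scheme + host only: the path-stripping step the PR identifies as the bug."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, "", "", ""))


def discovery_probe_order(server_url: str, prm_auth_server: Optional[str] = None) -> list[str]:
    """Phase 2 order from the PR: auth_server_url, then base, then server_url (path kept),
    each added only if it differs from the candidates before it."""
    base = authorization_base_url(server_url)
    auth_server_url = prm_auth_server or base
    order = [auth_server_url]
    if base != auth_server_url:
        order.append(base)
    if server_url not in (auth_server_url, base):
        order.append(server_url)
    return order


Fetcher = Callable[[str], Optional[dict]]


def discover_device_endpoint(server_url: str, fetch: Fetcher,
                             prm_auth_server: Optional[str] = None) -> tuple[str, str]:
    """Probe candidates in order; return (issuer, device_authorization_endpoint).

    fetch(url) returns the parsed metadata document, or None for a 404.
    RFC 8414 §3.3: the document's issuer value must equal the issuer probed;
    a mismatched document is ignored rather than trusted.
    """
    for candidate in discovery_probe_order(server_url, prm_auth_server):
        metadata = fetch(build_well_known_url(candidate))
        if metadata is None:
            continue
        if metadata.get("issuer", "").rstrip("/") != candidate.rstrip("/"):
            continue  # document does not belong to this issuer: reject it
        endpoint = metadata.get("device_authorization_endpoint")
        if endpoint:
            return candidate, endpoint
    raise LookupError("no device_authorization_endpoint in metadata")


# Constructed sample responses keyed by well-known URL (None = 404).
FAKE_RESPONSES: dict[str, Optional[dict]] = {
    # Keycloak-style: nothing at the host root, metadata only at the path-inserted URL
    "http://keycloak/.well-known/oauth-authorization-server": None,
    "http://keycloak/.well-known/oauth-authorization-server/realms/test": {
        "issuer": "http://keycloak/realms/test",
        "device_authorization_endpoint":
            "http://keycloak/realms/test/protocol/openid-connect/auth/device",
    },
    # Host-root AS: a root match must win and the path probe must not shadow it
    "https://as.example.com/.well-known/oauth-authorization-server": {
        "issuer": "https://as.example.com",
        "device_authorization_endpoint": "https://as.example.com/device",
    },
    # Document whose issuer claim does not match the probed issuer: must be rejected
    "https://mismatch.example/.well-known/oauth-authorization-server": {
        "issuer": "https://other.example",
        "device_authorization_endpoint": "https://other.example/device",
    },
}


def fake_fetch(url: str) -> Optional[dict]:
    """Stand-in for an HTTP GET of the metadata document."""
    return FAKE_RESPONSES.get(url)


if __name__ == "__main__":
    print(discovery_probe_order("http://keycloak/realms/test"))
    print(discover_device_endpoint("http://keycloak/realms/test", fake_fetch))
```

Running the block shows the Keycloak case: the host-root probe returns nothing, the path-inserted URL returns the realm's metadata, and the device endpoint is found. The `https://as.example.com/api` case confirms the order is unchanged for host-root servers, and the `https://mismatch.example` case shows a document with a foreign `issuer` being ignored so the failure surfaces as the same "no device_authorization_endpoint in metadata" error rather than a silently wrong endpoint.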