RemoteAuthProvider OAuth Discovery Endpoint Points to Root Instead of MCP Endpoint

[nick-youngblut]

Description

Issue Description

When using RemoteAuthProvider with FastMCP, the OAuth protected resource metadata endpoint (/.well-known/oauth-protected-resource) always returns the base server URL as the resource field, rather than the actual MCP endpoint URL (/mcp/). This causes OAuth clients (like Claude Desktop) to attempt authentication and subsequent MCP requests to the wrong endpoint, resulting in 404 errors.

Expected Behavior

The OAuth discovery endpoint should return the MCP endpoint URL in the resource field so that OAuth clients know where to send authenticated MCP requests.

Expected Response:

{
  "resource": "https://my-server.com/mcp/",
  "authorization_servers": ["https://accounts.google.com"],
  "scopes_supported": [],
  "bearer_methods_supported": ["header"]
}

Actual Behavior

The OAuth discovery endpoint always returns the base server URL, regardless of the resource_server_url parameter.

Actual Response:

{
  "resource": "https://my-server.com/",
  "authorization_servers": ["https://accounts.google.com"],
  "scopes_supported": [],
  "bearer_methods_supported": ["header"]
}

Reproduction Steps

1. Create a FastMCP server with RemoteAuthProvider:

from fastmcp import FastMCP
from fastmcp.server.auth import RemoteAuthProvider
from fastmcp.server.auth.providers.jwt import JWTVerifier
from pydantic import AnyHttpUrl
import os

# Configure token verification
token_verifier = JWTVerifier(
    jwks_uri="https://www.googleapis.com/oauth2/v3/certs",
    issuer="https://accounts.google.com",
    audience="your-google-client-id"
)

# Create RemoteAuthProvider with full MCP endpoint URL
auth = RemoteAuthProvider(
    token_verifier=token_verifier,
    authorization_servers=[AnyHttpUrl("https://accounts.google.com")],
    resource_server_url="https://my-server.com/mcp/"  # Note: includes /mcp/ path
)

mcp = FastMCP(name="Test Server", auth=auth)

@mcp.tool
def test_tool() -> str:
    return "Hello"

if __name__ == "__main__":
    mcp.run()

2. Deploy the server and test the OAuth discovery endpoint:

curl https://my-server.com/.well-known/oauth-protected-resource

3. Observe that the resource field points to https://my-server.com/ instead of https://my-server.com/mcp/

Environment

• FastMCP Version: 2.11.1
• Python Version: 3.11
• Deployment: Google Cloud Run (HTTP transport)
• OAuth Provider: Google OAuth

Impact

This prevents OAuth-enabled MCP servers from working with OAuth clients like Claude Desktop, as the clients receive incorrect endpoint information during discovery and subsequently make requests to the wrong URL.

Workaround Attempts

I tried several approaches to override the OAuth discovery endpoint, but none were successful:

1. Custom subclass with customize_auth_routes:

class CustomRemoteAuthProvider(RemoteAuthProvider):
    def customize_auth_routes(self, app):
        super().customize_auth_routes(app)
        
        @app.get("/.well-known/oauth-protected-resource")
        async def custom_protected_resource_metadata():
            return {
                "resource": "https://my-server.com/mcp/",
                "authorization_servers": ["https://accounts.google.com"],
                "scopes_supported": [],
                "bearer_methods_supported": ["header"]
            }

2. Direct FastAPI route override:

@mcp.http_app().get("/.well-known/oauth-protected-resource")  # This fails
async def custom_oauth_protected_resource():
    return {"resource": "https://my-server.com/mcp/", ...}

Both approaches either failed to execute or were ignored by the existing route.

Proposed Solutions

1. Fix the resource_server_url parameter: Make RemoteAuthProvider respect the full URL path provided in resource_server_url, including /mcp/ or other paths.

2. Add configuration option: Provide a separate parameter like mcp_endpoint_url to explicitly specify the MCP endpoint URL for OAuth discovery.

3. Provide override method: Add a documented way to override the OAuth discovery endpoints, such as a working customize_auth_routes method or similar.

Additional Context

According to the [MCP OAuth specification](https://spec.modelcontextprotocol.io/specification/server/authentication/#oauth-20-authentication), the resource field in the protected resource metadata should point to the actual protected resource (the MCP endpoint), not just the server's base URL.

The server logs show that FastMCP correctly serves the MCP endpoint at /mcp/, but the OAuth discovery points clients to /, causing a mismatch:

INFO: Starting MCP server on http://0.0.0.0:8080/mcp/
...
WARNING: GET / HTTP/1.1" 404 Not Found  # OAuth client trying wrong endpoint
INFO: GET /.well-known/oauth-protected-resource HTTP/1.1" 200 OK  # Discovery works

Example Code

See above

Version Information

FastMCP version:                                                                  2.11.1.dev4+ec52e74
MCP version:                                                                                   1.12.3
Python version:                                                                               3.10.17
Platform:                                                                  macOS-15.5-arm64-arm-64bit
FastMCP root path: /Users/nickyoungblut/dev/python/arc-example-mcp/.venv/lib/python3.10/site-packages

Additional Context

No response

[jlowin]

Thanks for identifying this issue!

[jlowin]

I'm unable to replicate this on main using your code (except changing mcp.run() to have transport="http" and a port). I have:

# server.py
from pydantic import AnyHttpUrl

from fastmcp import FastMCP
from fastmcp.server.auth import RemoteAuthProvider
from fastmcp.server.auth.providers.jwt import JWTVerifier

# Configure token verification
token_verifier = JWTVerifier(
    jwks_uri="https://www.googleapis.com/oauth2/v3/certs",
    issuer="https://accounts.google.com",
    audience="your-google-client-id",
)

# Create RemoteAuthProvider with full MCP endpoint URL
auth = RemoteAuthProvider(
    token_verifier=token_verifier,
    authorization_servers=[AnyHttpUrl("https://accounts.google.com")],
    resource_server_url="https://my-server.com/mcp/",  # Note: includes /mcp/ path
)

mcp = FastMCP(name="Test Server", auth=auth)


@mcp.tool
def test_tool() -> str:
    return "Hello"


if __name__ == "__main__":
    mcp.run(transport="http", port=8080)

Then I run:

python server.py

And finally:

curl http://localhost:8080/.well-known/oauth-protected-resource

Which has the expected payload

{"resource":"https://my-server.com/mcp/","authorization_servers":["https://accounts.google.com/"],"scopes_supported":[],"bearer_methods_supported":["header"]}

Note the inclusion of /mcp/ in the resource.

[nick-youngblut]

Thanks for the quick response and for clarifying the expected behavior! You're right that the resource_server_url should be the base URL, and I appreciate the explanation about the OAuth discovery flow.

However, I'm still running into challenges when deploying to Google Cloud Run with Claude Desktop as the OAuth client. Even with the OAuth discovery now working correctly (returning the right /mcp/ endpoint), Claude Desktop is failing during the authentication flow.

Additional Missing OAuth Endpoints

When I monitor the Cloud Run logs, I see Claude Desktop is looking for additional OAuth endpoints that aren't provided by RemoteAuthProvider:

GET /.well-known/oauth-authorization-server HTTP/1.1" 404 Not Found
POST /register HTTP/1.1" 404 Not Found

A subset of the GCP Cloud Run logs:

WARNING 2025-08-03T14:55:51.945806Z [httpRequest.requestMethod: GET] [httpRequest.status: 404] [httpRequest.responseSize: 117 B] [httpRequest.latency: 2 ms] [httpRequest.userAgent: Claude-User] https://MY-CUSTOM-MCP.run.app/
DEFAULT 2025-08-03T14:55:51.949421Z INFO: 169.254.169.126:38262 - "GET / HTTP/1.1" 404 Not Found
WARNING 2025-08-03T14:56:01.036215Z [httpRequest.requestMethod: HEAD] [httpRequest.status: 404] [httpRequest.responseSize: 108 B] [httpRequest.latency: 2 ms] [httpRequest.userAgent: python-httpx 0.27.0] https://MY-CUSTOM-MCP.run.app/
DEFAULT 2025-08-03T14:56:01.039597Z INFO: 169.254.169.126:39922 - "HEAD / HTTP/1.1" 404 Not Found
INFO 2025-08-03T14:56:01.382671Z [httpRequest.requestMethod: GET] [httpRequest.status: 200] [httpRequest.responseSize: 324 B] [httpRequest.latency: 2 ms] [httpRequest.userAgent: python-httpx 0.27.0] https://MY-CUSTOM-MCP.run.app/.well-known/oauth-protected-resource
DEFAULT 2025-08-03T14:56:01.387452Z INFO: 169.254.169.126:39938 - "GET /.well-known/oauth-protected-resource HTTP/1.1" 200 OK
WARNING 2025-08-03T14:56:01.722052Z [httpRequest.requestMethod: GET] [httpRequest.status: 404] [httpRequest.responseSize: 117 B] [httpRequest.latency: 2 ms] [httpRequest.userAgent: python-httpx 0.27.0] https://MY-CUSTOM-MCP.run.app/.well-known/oauth-authorization-server
DEFAULT 2025-08-03T14:56:01.725542Z INFO: 169.254.169.126:39940 - "GET /.well-known/oauth-authorization-server HTTP/1.1" 404 Not Found
WARNING 2025-08-03T14:56:02.120598Z [httpRequest.requestMethod: GET] [httpRequest.status: 404] [httpRequest.responseSize: 117 B] [httpRequest.latency: 2 ms] [httpRequest.userAgent: python-httpx 0.27.0] https://MY-CUSTOM-MCP.run.app/.well-known/oauth-authorization-server
DEFAULT 2025-08-03T14:56:02.123581Z INFO: 169.254.169.126:39946 - "GET /.well-known/oauth-authorization-server HTTP/1.1" 404 Not Found
WARNING 2025-08-03T14:56:02.456059Z [httpRequest.requestMethod: POST] [httpRequest.status: 404] [httpRequest.responseSize: 117 B] [httpRequest.latency: 2 ms] [httpRequest.userAgent: python-httpx 0.27.0] https://MY-CUSTOM-MCP.run.app/register
DEFAULT 2025-08-03T14:56:02.459159Z INFO: 169.254.169.126:39958 - "POST /register HTTP/1.1" 404 Not Found
WARNING 2025-08-03T14:56:05.594402Z [httpRequest.requestMethod: POST] [httpRequest.status: 404] [httpRequest.responseSize: 117 B] [httpRequest.latency: 2 ms] [httpRequest.userAgent: Claude-User] https://MY-CUSTOM-MCP.run.app/
DEFAULT 2025-08-03T14:56:05.597854Z INFO: 169.254.169.126:39968 - "POST / HTTP/1.1" 404 Not Found
WARNING 2025-08-03T14:56:05.688872Z [httpRequest.requestMethod: GET] [httpRequest.status: 404] [httpRequest.responseSize: 117 B] [httpRequest.latency: 2 ms] [httpRequest.userAgent: Claude-User] https://MY-CUSTOM-MCP.run.app/
DEFAULT 2025-08-03T14:56:05.692571Z INFO: 169.254.169.126:39974 - "GET / HTTP/1.1" 404 Not Found
WARNING 2025-08-03T14:56:31.377728Z [httpRequest.requestMethod: POST] [httpRequest.status: 404] [httpRequest.responseSize: 117 B] [httpRequest.latency: 2 ms] [httpRequest.userAgent: Claude-User] https://MY-CUSTOM-MCP.run.app/
DEFAULT 2025-08-03T14:56:31.381472Z INFO: 169.254.169.126:12188 - "POST / HTTP/1.1" 404 Not Found
WARNING 2025-08-03T14:56:31.719122Z [httpRequest.requestMethod: GET] [httpRequest.status: 404] [httpRequest.responseSize: 117 B] [httpRequest.latency: 2 ms] [httpRequest.userAgent: Claude-User] https://MY-CUSTOM-MCP.run.app/
DEFAULT 2025-08-03T14:56:31.722315Z INFO: 169.254.169.126:12200 - "GET / HTTP/1.1" 404 Not Found
INFO 2025-08-03T14:56:32.545700Z [httpRequest.requestMethod: GET] [httpRequest.status: 200] [httpRequest.responseSize: 324 B] [httpRequest.latency: 3 ms] [httpRequest.userAgent: curl 8.7.1] https://MY-CUSTOM-MCP.run.app/.well-known/oauth-protected-resource
DEFAULT 2025-08-03T14:56:32.549968Z INFO: 169.254.169.126:12202 - "GET /.well-known/oauth-protected-resource HTTP/1.1" 200 OK
WARNING 2025-08-03T14:56:39.203454Z [httpRequest.requestMethod: HEAD] [httpRequest.status: 404] [httpRequest.responseSize: 108 B] [httpRequest.latency: 2 ms] [httpRequest.userAgent: python-httpx 0.27.0] https://MY-CUSTOM-MCP.run.app/
DEFAULT 2025-08-03T14:56:39.206820Z INFO: 169.254.169.126:38442 - "HEAD / HTTP/1.1" 404 Not Found
INFO 2025-08-03T14:56:39.560052Z [httpRequest.requestMethod: GET] [httpRequest.status: 200] [httpRequest.responseSize: 324 B] [httpRequest.latency: 2 ms] [httpRequest.userAgent: python-httpx 0.27.0] https://MY-CUSTOM-MCP.run.app/.well-known/oauth-protected-resource
DEFAULT 2025-08-03T14:56:39.563556Z INFO: 169.254.169.126:38456 - "GET /.well-known/oauth-protected-resource HTTP/1.1" 200 OK
WARNING 2025-08-03T14:56:39.904572Z [httpRequest.requestMethod: GET] [httpRequest.status: 404] [httpRequest.responseSize: 117 B] [httpRequest.latency: 2 ms] [httpRequest.userAgent: python-httpx 0.27.0] https://MY-CUSTOM-MCP.run.app/.well-known/oauth-authorization-server
DEFAULT 2025-08-03T14:56:39.908199Z INFO: 169.254.169.126:38460 - "GET /.well-known/oauth-authorization-server HTTP/1.1" 404 Not Found
WARNING 2025-08-03T14:56:40.031229Z [httpRequest.requestMethod: GET] [httpRequest.status: 404] [httpRequest.responseSize: 117 B] [httpRequest.latency: 2 ms] [httpRequest.userAgent: python-httpx 0.27.0] https://MY-CUSTOM-MCP.run.app/.well-known/oauth-authorization-server
DEFAULT 2025-08-03T14:56:40.034462Z INFO: 169.254.169.126:38464 - "GET /.well-known/oauth-authorization-server HTTP/1.1" 404 Not Found
WARNING 2025-08-03T14:56:40.367826Z [httpRequest.requestMethod: POST] [httpRequest.status: 404] [httpRequest.responseSize: 117 B] [httpRequest.latency: 2 ms] [httpRequest.userAgent: python-httpx 0.27.0] https://MY-CUSTOM-MCP.run.app/register
DEFAULT 2025-08-03T14:56:40.371794Z INFO: 169.254.169.126:38476 - "POST /register HTTP/1.1" 404 Not Found
WARNING 2025-08-03T14:56:44.029370Z [httpRequest.requestMethod: POST] [httpRequest.status: 404] [httpRequest.responseSize: 117 B] [httpRequest.latency: 1 ms] [httpRequest.userAgent: Claude-User] https://MY-CUSTOM-MCP.run.app/
DEFAULT 2025-08-03T14:56:44.032780Z INFO: 169.254.169.126:38492 - "POST / HTTP/1.1" 404 Not Found
WARNING 2025-08-03T14:56:44.376450Z [httpRequest.requestMethod: GET] [httpRequest.status: 404] [httpRequest.responseSize: 117 B] [httpRequest.latency: 1 ms] [httpRequest.userAgent: Claude-User] https://MY-CUSTOM-MCP.run.app/
DEFAULT 2025-08-03T14:56:44.379485Z INFO: 169.254.169.126:38494 - "GET / HTTP/1.1" 404 Not Found

It appears that Claude Desktop expects a complete OAuth 2.1 server implementation with:

1. Authorization server metadata endpoint (/.well-known/oauth-authorization-server)
2. Dynamic Client Registration endpoint (/register)

Current Workaround attempt

I tried to extend RemoteAuthProvider to add these missing endpoints:

class CompleteRemoteAuthProvider(RemoteAuthProvider):
    def customize_auth_routes(self, app):
        # Add authorization server metadata forwarding
        @app.get("/.well-known/oauth-authorization-server")
        async def authorization_server_metadata():
            # Forward Google's OpenID configuration
            async with httpx.AsyncClient() as client:
                response = await client.get("https://accounts.google.com/.well-known/openid_configuration")
                google_config = response.json()
                return {
                    "issuer": google_config["issuer"],
                    "authorization_endpoint": google_config["authorization_endpoint"],
                    "token_endpoint": google_config["token_endpoint"],
                    "jwks_uri": google_config["jwks_uri"],
                    "response_types_supported": ["code"],
                    "code_challenge_methods_supported": ["S256"],
                    "grant_types_supported": ["authorization_code", "refresh_token"]
                }
        
        @app.post("/register")
        async def client_registration():
            # Google doesn't support DCR, return 501
            raise HTTPException(status_code=501, detail="Dynamic client registration not supported")

...but that did not work. From the GCP Cloud Run logs, it appears that my custom customize_auth_routes method isn't being called. This suggests that FastMCP's RemoteAuthProvider doesn't actually support the customize_auth_routes method, or maybe I'm not calling it properly?

[jlowin]

I think this is one of those places where clients are not in lockstep with the protocol and it's creating a lot of confusion (not just you, seeing this a lot of places right now). The spec expects the oauth-protected-resource payload which is itself supposed to forward to a remote oauth-authorization-server. However, a number of clients including Claude Web seem to look for protected-resource incorrectly and fall back on a local authorization-server discovery. We have an example of how to add an authorization-server route in the AuthKit provider here: https://github.com/jlowin/fastmcp/blob/main/src/fastmcp/server/auth/providers/workos.py#L123-L149

Note that on main the customize_auth_routes() method (which is in 2.11.0) has become get_routes() which may be part of the trouble!

[jlowin]

I am working on some related issues (at least in terms of discovery problems with a variety of third party clients) that may ultimately intersect this

[jlowin]

Although if you are trying to use customize_auth_routes() in 2.11.0 note that you aren't calling it with the correct signature, I'm not sure where that app argument is coming from: https://github.com/jlowin/fastmcp/blob/v2.11.0/src/fastmcp/server/auth/auth.py#L51

[nick-youngblut]

Thanks! I tried the following:

from fastmcp import FastMCP
from fastmcp.server.auth import RemoteAuthProvider
from fastmcp.server.auth.providers.jwt import JWTVerifier
from pydantic import AnyHttpUrl
import os
import logging
from dotenv import load_dotenv
import httpx
from fastapi import HTTPException
from fastapi.responses import JSONResponse
from starlette.routing import Route

# Enable debug logging
logging.basicConfig(level=logging.INFO)
logger = logging.getLogger(__name__)

load_dotenv()

# Get configuration from environment variables
GOOGLE_CLIENT_ID = os.getenv("GOOGLE_CLIENT_ID")
RESOURCE_SERVER_URL = os.getenv("RESOURCE_SERVER_URL")

if not GOOGLE_CLIENT_ID:
    raise ValueError("GOOGLE_CLIENT_ID environment variable is required")
if not RESOURCE_SERVER_URL:
    raise ValueError("RESOURCE_SERVER_URL environment variable is required")

# Configure token validation
token_verifier = JWTVerifier(
    jwks_uri="https://www.googleapis.com/oauth2/v3/certs",
    issuer="https://accounts.google.com",
    audience=GOOGLE_CLIENT_ID
)

# Custom RemoteAuthProvider that adds missing OAuth endpoints using get_routes()
class CompleteRemoteAuthProvider(RemoteAuthProvider):
    def __init__(self, token_verifier, authorization_servers, resource_server_url):
        super().__init__(
            token_verifier=token_verifier,
            authorization_servers=authorization_servers,
            resource_server_url=resource_server_url
        )

    def get_routes(self) -> list[Route]:
        """Get OAuth routes including Google OAuth authorization server metadata forwarding."""
        # Get the standard protected resource routes from RemoteAuthProvider
        routes = super().get_routes()
        
        async def oauth_authorization_server_metadata(request):
            """Forward Google OAuth authorization server metadata."""
            logger.info("OAuth authorization server metadata requested")
            try:
                async with httpx.AsyncClient() as client:
                    response = await client.get(
                        "https://accounts.google.com/.well-known/openid_configuration"
                    )
                    response.raise_for_status()
                    google_config = response.json()
                    
                    # Transform OpenID Connect config to OAuth 2.0 server metadata
                    metadata = {
                        "issuer": google_config.get("issuer", "https://accounts.google.com"),
                        "authorization_endpoint": google_config.get("authorization_endpoint"),
                        "token_endpoint": google_config.get("token_endpoint"),
                        "jwks_uri": google_config.get("jwks_uri"),
                        "response_types_supported": google_config.get("response_types_supported", ["code"]),
                        "code_challenge_methods_supported": google_config.get("code_challenge_methods_supported", ["S256"]),
                        "grant_types_supported": google_config.get("grant_types_supported", ["authorization_code", "refresh_token"]),
                        "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"]
                    }
                    
                    logger.info(f"Returning OAuth server metadata: {metadata}")
                    return JSONResponse(metadata)
                    
            except Exception as e:
                logger.error(f"Failed to fetch Google OAuth metadata: {e}")
                return JSONResponse(
                    {
                        "error": "server_error",
                        "error_description": f"Failed to fetch Google OAuth metadata: {e}",
                    },
                    status_code=500,
                )

        async def client_registration(request):
            """Handle dynamic client registration requests."""
            logger.info("Client registration attempted (not supported with Google OAuth)")
            return JSONResponse(
                {
                    "error": "invalid_request",
                    "error_description": "Dynamic client registration not supported. Please use pre-configured Google OAuth client credentials."
                },
                status_code=501,
            )

        # Add Google OAuth authorization server metadata forwarding
        routes.append(
            Route(
                "/.well-known/oauth-authorization-server",
                endpoint=oauth_authorization_server_metadata,
                methods=["GET"],
            )
        )
        
        # Add client registration endpoint (returns 501 for Google OAuth)
        routes.append(
            Route(
                "/register",
                endpoint=client_registration,
                methods=["POST"],
            )
        )
        
        logger.info(f"Added {len(routes)} OAuth routes")
        return routes

# Create the custom auth provider
auth = CompleteRemoteAuthProvider(
    token_verifier=token_verifier,
    authorization_servers=[AnyHttpUrl("https://accounts.google.com")],
    resource_server_url=RESOURCE_SERVER_URL
)

instructions = """
This is an example MCP server with Google OAuth authentication.
"""

# Create FastMCP instance with authentication
mcp = FastMCP(name="Example MCP Server", auth=auth)

@mcp.tool
def add(a: int, b: int) -> int:
    """Adds two integer numbers together.
    
    Args:
        a: First integer
        b: Second integer
        
    Returns:
        Sum of a and b
    """
    logger.info(f"Tool called: add({a}, {b})")
    return a + b

if __name__ == "__main__":
    logger.info("Starting FastMCP server with complete OAuth support...")
    mcp.run()

...but it's still not working with Claude Desktop. The Cloud Run log:

2025-08-03T16:10:48.885550Z
GET500376 B73 mspython-httpx/0.27.0 https://example-mcp-server.run.app/.well-known/oauth-authorization-server
2025-08-03T16:10:48.888708Z
INFO:server_module:OAuth authorization server metadata requested
2025-08-03T16:10:48.955556Z
INFO:httpx:HTTP Request: GET https://accounts.google.com/.well-known/openid_configuration "HTTP/1.1 404 Not Found"
2025-08-03T16:10:48.959089Z
ERROR:server_module:Failed to fetch Google OAuth metadata: Client error '404 Not Found' for url 'https://accounts.google.com/.well-known/openid_configuration'
2025-08-03T16:10:48.959101Z
For more information check: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/404
2025-08-03T16:10:48.959329Z
INFO: 169.254.169.126:49040 - "GET /.well-known/oauth-authorization-server HTTP/1.1" 500 Internal Server Error
2025-08-03T16:10:49.292842Z
POST501252 B2 mspython-httpx/0.27.0 https://example-mcp-server.run.app/register
2025-08-03T16:10:49.295943Z
INFO:server_module:Client registration attempted (not supported with Google OAuth)
2025-08-03T16:10:49.296195Z
INFO: 169.254.169.126:49048 - "POST /register HTTP/1.1" 501 Not Implemented
2025-08-03T16:10:52.521518Z
POST404117 B2 msClaude-User https://example-mcp-server.run.app/
2025-08-03T16:10:52.524937Z
INFO: 169.254.169.126:30014 - "POST / HTTP/1.1" 404 Not Found
2025-08-03T16:10:52.862314Z
GET404117 B2 msClaude-User https://example-mcp-server.run.app/
2025-08-03T16:10:52.865671Z
INFO: 169.254.169.126:30016 - "GET / HTTP/1.1" 404 Not Found
2025-08-03T16:11:30.724471Z
INFO: Shutting down
2025-08-03T16:11:30.825903Z
ERROR: Cancel 0 running task(s), timeout graceful shutdown exceeded
2025-08-03T16:11:30.826008Z
INFO: Waiting for application shutdown.
2025-08-03T16:11:30.826079Z
INFO:mcp.server.streamable_http_manager:StreamableHTTP session manager shutting down
2025-08-03T16:11:30.826308Z
INFO: Application shutdown complete.
2025-08-03T16:11:30.826428Z
INFO: Finished server process [1]
2025-08-03T16:11:34.890807Z
POST404117 B2 msClaude-User https://example-mcp-server.run.app/
2025-08-03T16:11:34.899837Z
INFO: 169.254.169.126:31598 - "POST / HTTP/1.1" 404 Not Found
2025-08-03T16:11:34.990854Z
GET404117 B2 msClaude-User https://example-mcp-server.run.app/
2025-08-03T16:11:34.993970Z
INFO: 169.254.169.126:31610 - "GET / HTTP/1.1" 404 Not Found

[dacamposol]

@nick-youngblut There are two issues I noticed immediately:

1. The well-known endpoint for Google’s Identity Provider is incorrect. It should be https://accounts.google.com/.well-known/openid-configuration (with a dash, not an underscore).
2. As far as I know, accounts.google.com does not support Dynamic Client Registration (DCR). This means any attempt will fail, especially since Claude Desktop lacks a fallback for the DCR-disabled case. For reference, GitHub Copilot in VS Code recently added support for supplying client_id and (optionally) client_secret when DCR is not available, but I haven’t seen similar functionality in Claude Desktop.

[nick-youngblut]

Thanks @dacamposol !

For reference, GitHub Copilot in VS Code recently added support for supplying client_id and (optionally) client_secret when DCR is not available, but I haven’t seen similar functionality in Claude Desktop.

So currently there's just no way of making this work with Claude Desktop and accounts.google.com?

[nick-youngblut]

I tried switching to auth0. The relevant portion of my server.py:

# Configure token validation for Auth0
token_verifier = JWTVerifier(
    jwks_uri=f"https://{AUTH0_DOMAIN}/.well-known/jwks.json",
    issuer=f"https://{AUTH0_DOMAIN}/",
    audience=AUTH0_CLIENT_ID
)

# Use the standard RemoteAuthProvider without custom routes
auth = RemoteAuthProvider(
    token_verifier=token_verifier,
    authorization_servers=[AnyHttpUrl(f"https://{AUTH0_DOMAIN}")],
    resource_server_url=RESOURCE_SERVER_URL
)

This does not work with Claude Desktop. It appears that FastMCP's RemoteAuthProvider isn't automatically providing the /.well-known/oauth-authorization-server endpoint, and so and all the OAuth-related endpoints are returning 404.

I've tried extending RemoteAuthProvider, but haven't been able to get it working.

[dacamposol]

This does not work with Claude Desktop. It appears that FastMCP's RemoteAuthProvider isn't automatically providing the /.well-known/oauth-authorization-server endpoint, and so and all the OAuth-related endpoints are returning 404.

I've tried extending RemoteAuthProvider, but haven't been able to get it working.

There are fundamental misconceptions here about the OAuth 2.1 process.

OAuth defines three core actors: Clients, Resource Servers, and Authorization Servers.

In the Model Context Protocol (MCP), MCP Clients serve as the OAuth Clients, MCP Servers act as Resource Servers, and the systems you’re referencing (Google Accounts, Auth0, and similar providers) function as Authorization Servers. These can also act as Identity Providers, but that’s a term from OpenID Connect, not standard OAuth terminology, so let's leave it apart for now.

The Resource Metadata flow is the following:

sequenceDiagram
    participant Client as MCP Client
    participant Server as MCP Server
    participant AS as Authorization Server

    Client->>Server: Resource Request<br>mcp/initialize
    Server-->>Client: 401: Unauthorized<br>WWW-Authenticate: resource-metadata=${MCP-Server}
    Client->>Server: Resource Metadata Request<br>/.well-known/oauth-protected-resource
    Server-->>Client: Resource Metadata Response<br>authorization_servers=[${AS_DOMAIN}]
    Client->>Client: Validate Resource Metadata
    Client->>AS: Authorization Server Metadata Request<br>/.well-known/oauth-authorization-server
    AS-->>Client: Authorization Server Metadata Response<br>authorization_endpoint=${AS_DOMAIN}/authorize<br>token_endpoint=${AS_DOMAIN}/token
    Note over Client,AS: Dynamic Client Registration<br>and/or<br>OAuth Authorization Code Flow
    Client->>Server: Resource Request<br>Authorization: Bearer ${ACCESS_TOKEN}<br>mcp/initialize

Loading

So, while Protected Resource Metadata endpoint must be provided by the Resource Server (your MCP Server), the Authorization Server Metadata endpoint must be provided by the Authorization Server (whichever third-party system you are using).

• OAuth 2.0 Authorization Server Metadata - RFC 8414
• OAuth 2.0 Protected Resource Metadata - RFC 9728

[dacamposol]

Auth0 - Configure Applications with OAuth 2.0 Authorization Server Metadata