Description
Question
Suppose we run multiple MCP servers under https://example.com/mcpServers and one MCP server URL is https://example.com/mcpServers/myAwesomeServer. Should the protected resource metadata endpoint be https://example.com/.well-known/oauth-protected-resource/mcpServers/myAwesomeServer?

From this code https://github.com/modelcontextprotocol/python-sdk/blob/main/src/mcp/client/auth.py#L206 it seems the protected resource metadata URL is always base URL + "/.well-known/oauth-protected-resource":
```python
async def _discover_protected_resource(self) -> httpx.Request:
    """Build discovery request for protected resource metadata."""
    auth_base_url = self.context.get_authorization_base_url(self.context.server_url)
    url = urljoin(auth_base_url, "/.well-known/oauth-protected-resource")
    return httpx.Request("GET", url, headers={MCP_PROTOCOL_VERSION: LATEST_PROTOCOL_VERSION})
```
According to https://datatracker.ietf.org/doc/html/rfc9728#name-obtaining-protected-resourc:

> Protected resources supporting metadata MUST make a JSON document containing metadata as specified in Section 2 available at a URL formed by inserting a well-known URI string into the protected resource's resource identifier between the host component and the path and/or query components, if any. By default, the well-known URI string used is /.well-known/oauth-protected-resource.

So if the resource server URL is https://example.com/mcpServers/myAwesomeServer, the protected resource URL should be https://example.com/.well-known/oauth-protected-resource/mcpServers/myAwesomeServer.
Additional Context
No response
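The following is an added example, not code from this issue or from the python-sdk. It puts the two URL constructions side by side: the RFC 9728 form that inserts the well-known string between host and path (so a path-scoped resource keeps its path as a suffix), and a `urljoin()`-based form with the same shape as the snippet quoted above, which drops the path because a leading-slash target replaces the whole path. It also shows the RFC 9728 Section 3.3 validation step, which rejects a metadata document whose `resource` value is not identical to the resource identifier the well-known string was inserted into. The function names, the sample server URL and the two metadata documents are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit, urlunsplit

WELL_KNOWN = "/.well-known/oauth-protected-resource"


def rfc9728_metadata_url(resource: str) -> str:
    """Build the metadata URL as RFC 9728 Section 3 specifies: insert the
    well-known string between the host and the path/query components of the
    resource identifier, so a path-scoped resource keeps its path as a suffix."""
    parts = urlsplit(resource)
    if parts.fragment:
        raise ValueError("RFC 9728 resource identifiers must not carry a fragment")
    # A bare origin ("https://example.com" or "https://example.com/") has nothing to suffix.
    suffix = "" if parts.path in ("", "/") else parts.path
    return urlunsplit((parts.scheme, parts.netloc, WELL_KNOWN + suffix, parts.query, ""))


def origin_only_metadata_url(resource: str) -> str:
    """Reproduce the behaviour described in the issue (illustrative, not the SDK's code):
    urljoin() with a target that starts with '/' replaces the base's whole path, so the
    resource's own path is discarded and every server under one origin maps to the
    same metadata URL."""
    parts = urlsplit(resource)
    auth_base_url = f"{parts.scheme}://{parts.netloc}"
    return urljoin(auth_base_url, WELL_KNOWN)


def metadata_is_for_resource(resource: str, metadata: dict) -> bool:
    """RFC 9728 Section 3.3: the 'resource' value in the fetched document must be
    identical to the resource identifier the well-known string was inserted into;
    otherwise the document MUST NOT be used. This is the check that stops a client
    from accepting an origin-level document (or one for a different server under
    the same host) as the metadata of a path-scoped resource."""
    return metadata.get("resource") == resource


# Constructed sample inputs (hypothetical, not taken from the issue or the RFC).
SERVER = "https://example.com/mcpServers/myAwesomeServer"
GOOD_METADATA = {  # what the path-scoped endpoint would return
    "resource": SERVER,
    "authorization_servers": ["https://auth.example.com"],
}
ORIGIN_METADATA = {  # what an origin-level endpoint for the host itself would return
    "resource": "https://example.com",
    "authorization_servers": ["https://auth.example.com"],
}

if __name__ == "__main__":
    print("RFC 9728 URL:   ", rfc9728_metadata_url(SERVER))
    print("urljoin URL:    ", origin_only_metadata_url(SERVER))
    print("accept scoped:  ", metadata_is_for_resource(SERVER, GOOD_METADATA))
    print("accept origin:  ", metadata_is_for_resource(SERVER, ORIGIN_METADATA))
```

Running the two builders on the same server URL shows the divergence directly: the RFC form yields `https://example.com/.well-known/oauth-protected-resource/mcpServers/myAwesomeServer`, the `urljoin()` form yields `https://example.com/.well-known/oauth-protected-resource`. Whichever URL a client fetches, the `resource` comparison in `metadata_is_for_resource` is what should gate using the document, since a host serving several MCP servers may legitimately publish different metadata for each path.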