From abcf91b4634c21befca147bc4790956c838fbd22 Mon Sep 17 00:00:00 2001
From: Henry Mao <1828968+calclavia@users.noreply.github.com>
Date: Fri, 4 Jul 2025 11:10:07 +0800
Subject: [PATCH 1/4] Fix oauth-protected-resource to also be path aware
---
 src/client/auth.ts | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/src/client/auth.ts b/src/client/auth.ts
index 71101a42..9aa5dda5 100644
--- a/src/client/auth.ts
+++ b/src/client/auth.ts
@@ -261,7 +261,9 @@ export async function discoverOAuthProtectedResourceMetadata(
 if (opts?.resourceMetadataUrl) {
 url = new URL(opts?.resourceMetadataUrl);
 } else {
- url = new URL("/.well-known/oauth-protected-resource", serverUrl);
+ const issuer = new URL(serverUrl);
+ const wellKnownPath = buildWellKnownPath('oauth-protected-resource', issuer.pathname);
+ url = new URL(wellKnownPath, issuer);
 }
 let response: Response;
@@ -318,8 +320,8 @@ async function fetchWithCorsRetry(
 /**
 * Constructs the well-known path for OAuth metadata discovery
 */
-function buildWellKnownPath(pathname: string): string {
- let wellKnownPath = `/.well-known/oauth-authorization-server${pathname}`;
+function buildWellKnownPath(wellKnownPath: string, pathname: string): string {
+ let wellKnownPath = `/.well-known/${wellKnownPath}${pathname}`;
 if (pathname.endsWith('/')) {
 // Strip trailing slash from pathname to avoid double slashes
 wellKnownPath = wellKnownPath.slice(0, -1);
@@ -361,7 +363,7 @@ export async function discoverOAuthMetadata(
 const protocolVersion = opts?.protocolVersion ?? LATEST_PROTOCOL_VERSION;
 // Try path-aware discovery first (RFC 8414 compliant)
- const wellKnownPath = buildWellKnownPath(issuer.pathname);
+ const wellKnownPath = buildWellKnownPath('oauth-authorization-server', issuer.pathname);
 const pathAwareUrl = new URL(wellKnownPath, issuer);
 let response = await tryMetadataDiscovery(pathAwareUrl, protocolVersion);
From c5fcba4617222cd1d1e58ecd318b5cf7346397e7 Mon Sep 17 00:00:00 2001
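Review bot: In `discoverOAuthProtectedResourceMetadata`, the `else` branch now requests only the path-aware URL, so a server whose URL has a path but which publishes its document only at the root `/.well-known/oauth-protected-resource` (the location the removed line asked for) would no longer be found unless the code after this hunk falls back to it. `discoverOAuthMetadata` has a 404-then-root fallback for the authorization-server document, and the same order here would keep existing deployments working. Because a path-specific document is now accepted, it is also worth confirming, if it is not already done outside the hunk, that the returned `resource` value matches `serverUrl` before its `authorization_servers` entry is trusted, as RFC 9728 requires. The function starts and ends outside the hunk.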
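Review bot: In `buildWellKnownPath`, the new parameter and the `let` on the next line are both named `wellKnownPath`, which TypeScript rejects as a redeclaration, so 1/4 does not build on its own. The first hunk of 3/4 has the same problem, because it assigns `.search` on the string returned by this function. Both are corrected by the following commit, so squashing 1/4 with 2/4 and 3/4 with 4/4 would keep the series bisectable. The doc comment was not updated for the new argument; a line such as `@param wellKnownPrefix well-known URI suffix, e.g. 'oauth-protected-resource'` would cover it. Since both call sites pass a fixed literal, typing the parameter as `'oauth-authorization-server' | 'oauth-protected-resource'` would keep arbitrary strings out of the discovery path.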
From: Henry Mao <1828968+calclavia@users.noreply.github.com>
Date: Fri, 4 Jul 2025 11:14:14 +0800
Subject: [PATCH 2/4] Update auth.ts
---
 src/client/auth.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/client/auth.ts b/src/client/auth.ts
index 9aa5dda5..8839ecf0 100644
--- a/src/client/auth.ts
+++ b/src/client/auth.ts
@@ -320,8 +320,8 @@ async function fetchWithCorsRetry(
 /**
 * Constructs the well-known path for OAuth metadata discovery
 */
-function buildWellKnownPath(wellKnownPath: string, pathname: string): string {
- let wellKnownPath = `/.well-known/${wellKnownPath}${pathname}`;
+function buildWellKnownPath(wellKnownPrefix: string, pathname: string): string {
+ let wellKnownPath = `/.well-known/${wellKnownPrefix}${pathname}`;
 if (pathname.endsWith('/')) {
 // Strip trailing slash from pathname to avoid double slashes
 wellKnownPath = wellKnownPath.slice(0, -1);
From 7b02c5cda377c7cd9ebcf827ab368bf96e0534cf Mon Sep 17 00:00:00 2001
From: Henry Mao <1828968+calclavia@users.noreply.github.com>
Date: Mon, 7 Jul 2025 03:56:42 +0800
Subject: [PATCH 3/4] Retain URL search parameter
---
 src/client/auth.ts | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/client/auth.ts b/src/client/auth.ts
index 8839ecf0..495f62a4 100644
--- a/src/client/auth.ts
+++ b/src/client/auth.ts
@@ -263,6 +263,7 @@ export async function discoverOAuthProtectedResourceMetadata(
 } else {
 const issuer = new URL(serverUrl);
 const wellKnownPath = buildWellKnownPath('oauth-protected-resource', issuer.pathname);
+ wellKnownPath.search = issuer.search;
 url = new URL(wellKnownPath, issuer);
 }
@@ -365,6 +366,7 @@ export async function discoverOAuthMetadata(
 // Try path-aware discovery first (RFC 8414 compliant)
 const wellKnownPath = buildWellKnownPath('oauth-authorization-server', issuer.pathname);
 const pathAwareUrl = new URL(wellKnownPath, issuer);
+ pathAwareUrl.search = issuer.search;
 let response = await tryMetadataDiscovery(pathAwareUrl, protocolVersion);
 // If path-aware discovery fails with 404, try fallback to root discovery
From 3bdecfc1b9618cbc9e8f9635a14d46ea0d3925d6 Mon Sep 17 00:00:00 2001
From: Henry Mao <1828968+calclavia@users.noreply.github.com>
Date: Mon, 7 Jul 2025 03:59:06 +0800
Subject: [PATCH 4/4] Update auth.ts
---
 src/client/auth.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/client/auth.ts b/src/client/auth.ts
index 495f62a4..eb3473ad 100644
--- a/src/client/auth.ts
+++ b/src/client/auth.ts
@@ -263,8 +263,8 @@ export async function discoverOAuthProtectedResourceMetadata(
 } else {
 const issuer = new URL(serverUrl);
 const wellKnownPath = buildWellKnownPath('oauth-protected-resource', issuer.pathname);
- wellKnownPath.search = issuer.search;
 url = new URL(wellKnownPath, issuer);
+ url.search = issuer.search;
 }
 let response: Response;
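Review bot: In `discoverOAuthMetadata`, `pathAwareUrl.search = issuer.search;` puts the server URL's query string on the authorization-server discovery request, directly under a comment that calls the lookup RFC 8414 compliant; RFC 8414 issuer identifiers carry no query component, so the line deserves a comment such as `// Extension beyond RFC 8414: keep the server URL's query for servers that route on it`. If a deployment places credentials or tenant keys in that query, they now also travel on an unauthenticated metadata request and can end up in proxy or access logs, so it may be safer to copy the query only where it is needed, or to document the behaviour for integrators. The 404 root fallback named in the trailing comment lies outside the hunk, so it is not visible whether it sends the same query; the two requests should agree. The same copy is made in `discoverOAuthProtectedResourceMetadata` in the first hunk of 3/4 and in 4/4.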