Fix oauth well-known paths to retain path and query #756
Conversation
|
Thank you! |
ihrpr
changed the title
src/client/auth.ts
Outdated
| @@ -261,7 +261,10 @@ export async function discoverOAuthProtectedResourceMetadata( | |||
| if (opts?.resourceMetadataUrl) { | |||
| url = new URL(opts?.resourceMetadataUrl); | |||
| } else { | |||
| url = new URL("/.well-known/oauth-protected-resource", serverUrl); | |||
| const issuer = new URL(serverUrl); | |||
| const wellKnownPath = buildWellKnownPath('oauth-protected-resource', issuer.pathname); | |||
There was a problem hiding this comment.
I think we should have a fallback to the non-path-suffixed well-known path, as we do for the AS (see discoverOAuthMetadata), otherwise this will be a breaking change.
RFC9728 does mention the path suffix, but also states "By default, the well-known URI string used is /.well-known/oauth-protected-resource".
There was a problem hiding this comment.
I'm Okay with the breaking changes if it means it's spec compliant. But yeah ""By default, the well-known URI string used is /.well-known/oauth-protected-resource". - this is still compliant, let me add fallback
src/client/auth.ts
Outdated
| @@ -361,8 +364,9 @@ export async function discoverOAuthMetadata( | |||
| const protocolVersion = opts?.protocolVersion ?? LATEST_PROTOCOL_VERSION; | |||
|
|
|||
| // Try path-aware discovery first (RFC 8414 compliant) | |||
| const wellKnownPath = buildWellKnownPath(issuer.pathname); | |||
| const wellKnownPath = buildWellKnownPath('oauth-authorization-server', issuer.pathname); | |||
There was a problem hiding this comment.
maybe this whole block w/ try suffix else fallback could be factored out / reused for both cases
|
Hey @ihrpr For the case where This line here is making the fallback attempt on the issuer URL when it should be done on the typescript-sdk/src/client/auth.ts Line 573 in 16ea277 Might be related to this issue: #744 |
Background #733