From 7649dcbb68449f5403626a5779fbe72893053d70 Mon Sep 17 00:00:00 2001
From: waltmayf <126521508+waltmayf@users.noreply.github.com>
Date: Tue, 3 Feb 2026 11:10:05 -0600
Subject: [PATCH 1/3] Fix resource metadata URL extraction for OAuth Fixes the extraction of resource metadata URL during OAuth connection to prevent 'Invalid api path' errors. Ensures the SDK correctly handles 401 responses to discover token endpoints for OAuth flows using separate authorization servers.
---
.changeset/fix-resource-metadata-extraction.md | 11 +++++++++++
1 file changed, 11 insertions(+)
create mode 100644 .changeset/fix-resource-metadata-extraction.md
diff --git a/.changeset/fix-resource-metadata-extraction.md b/.changeset/fix-resource-metadata-extraction.md
new file mode 100644
index 000000000..6b47d0611
--- /dev/null
+++ b/.changeset/fix-resource-metadata-extraction.md
@@ -0,0 +1,11 @@
+---
+'@modelcontextprotocol/client': patch
+---
+
+Fix resource metadata URL extraction during initial OAuth connection
+
+Previously, when connecting to MCP servers using OAuth with separate authorization servers (like AWS Cognito, Auth0, Okta), the SDK would fail during token exchange with an "Invalid api path" error. This was because the `resourceMetadataUrl` from the WWW-Authenticate header was not being extracted during the initial connection attempt.
+
+The fix ensures that both `StreamableHTTPClientTransport` and `SSEClientTransport` extract the resource metadata URL and scope from the WWW-Authenticate header when receiving a 401 response during the initial connection. This allows `finishAuth()` to correctly discover the authorization server's token endpoint.
+
+This resolves issues with OAuth flows that use RFC 9728 Protected Resource Metadata and separate authorization servers.
From 3bb74a0636aaa8bb282b9f6ba09350e2ffa1debc Mon Sep 17 00:00:00 2001
From: waltmayf <126521508+waltmayf@users.noreply.github.com>
Date: Tue, 3 Feb 2026 11:11:27 -0600
Subject: [PATCH 2/3] Handle 401 response by extracting auth parameters Extract resource metadata URL and scope from WWW-Authenticate header on 401 response.
---
packages/client/src/client/streamableHttp.ts | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/packages/client/src/client/streamableHttp.ts b/packages/client/src/client/streamableHttp.ts
index 22cd417bd..0384b0dab 100644
--- a/packages/client/src/client/streamableHttp.ts
+++ b/packages/client/src/client/streamableHttp.ts
@@ -231,6 +231,11 @@ export class StreamableHTTPClientTransport implements Transport { await response.text?.().catch(() => {}); if (response.status === 401 && this._authProvider) { + // Extract resource metadata URL from WWW-Authenticate header before starting auth flow + const { resourceMetadataUrl, scope } = extractWWWAuthenticateParams(response); + this._resourceMetadataUrl = resourceMetadataUrl; + this._scope = scope; + + // Need to authenticate return await this._authThenStart(); }
From 261fe7468669adfbce8b2fd3a909d099f1e6b807 Mon Sep 17 00:00:00 2001
From: waltmayf <126521508+waltmayf@users.noreply.github.com>
Date: Tue, 3 Feb 2026 14:11:51 -0600
Subject: [PATCH 3/3] Remove unnecessary blank line in streamableHttp.ts
---
packages/client/src/client/streamableHttp.ts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/client/src/client/streamableHttp.ts b/packages/client/src/client/streamableHttp.ts
index 0384b0dab..f335dd83d 100644
--- a/packages/client/src/client/streamableHttp.ts
+++ b/packages/client/src/client/streamableHttp.ts
@@ -235,7 +235,7 @@ export class StreamableHTTPClientTransport implements Transport { const { resourceMetadataUrl, scope } = extractWWWAuthenticateParams(response); this._resourceMetadataUrl = resourceMetadataUrl; this._scope = scope; - + // Need to authenticate return await this._authThenStart(); }
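Review bot: In the 401 branch added in patch 2/3 (streamableHttp.ts, hunk at -231), `resourceMetadataUrl` and `scope` are taken from the server's WWW-Authenticate header and stored without any check before `_authThenStart()` runs, so the server being connected to chooses where authorization-server discovery starts. Unless `extractWWWAuthenticateParams` or the later auth flow already does it (neither is visible here), the URL should be required to use https and the `resource` value in the fetched metadata should be compared with the server URL, as RFC 9728 requires, before any token endpoint derived from it is trusted. At minimum I would record the assumption in the comment: `// resourceMetadataUrl is server-supplied; it must be validated before discovery trusts it`. The changeset in patch 1/3 also names SSEClientTransport, but no patch in this series touches it. The enclosing method starts and ends outside the hunk.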