fix: rename routePrefix to issuerPath and add issuer-mismatch scenario#203

Open
pcarleton wants to merge 1 commit into main from paulc/fix-issuer-path-derivation

Conversation

@pcarleton (Member) commented Mar 30, 2026

The previous fix (#152) used routePrefix for the issuer path, conflating two concepts: (1) where OAuth endpoints are mounted and (2) the issuer path component per RFC 8414. This worked for metadata-var2/var3 where both were /tenant1, but broke auth/2025-03-26-oauth-metadata-backcompat where routePrefix was /oauth (endpoint namespacing) but the issuer should be root.

Changes:

  • Rename routePrefix -> issuerPath in createAuthServer. Endpoints are mounted under the issuer path (the real-world multi-tenant model).
  • Drop the /oauth prefix from march-spec-backcompat entirely. No route collision exists with createServer, and test integrity against fallback-bypass is already guaranteed by expectedSlugs requiring authorization-server-metadata.
  • Rename authRoutePrefix -> authIssuerPath in discovery-metadata config.
  • Add issuerOverride option to createAuthServer for negative testing.
  • Add auth/issuer-mismatch scenario: AS returns a mismatched issuer (https://evil.example.com) and the client is expected to reject per RFC 8414 section 3.3. Skipped in CI for now as the TS SDK reference client does not yet validate issuer.

Fixes #140

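The two RFC 8414 rules the description rests on, as an added example that is not code from the conformance repo or the TS SDK: deriving the metadata URL from an issuer that carries a path component (the issuer path, as distinct from where the endpoints happen to be mounted), and the section 3.3 check that discards a document whose issuer differs from the one the client started from, which is what the auth/issuer-mismatch scenario expects the client to do. Host names and the sample documents are constructed.

```typescript
// Added example, not code from the conformance repo or the TS SDK.
interface AuthServerMetadata {
  issuer: string;
  authorization_endpoint?: string;
  token_endpoint?: string;
}

type IssuerCheck =
  | { ok: true; metadata: AuthServerMetadata }
  | { ok: false; reason: string };

// RFC 8414 section 3.1: the well-known suffix is inserted between host and
// issuer path, so https://as.example.com/tenant1 is described at
// https://as.example.com/.well-known/oauth-authorization-server/tenant1.
function metadataUrl(issuer: string): string {
  const u = new URL(issuer);
  if (u.protocol !== "https:") throw new Error("issuer must be an https URL");
  if (u.search || u.hash) throw new Error("issuer must not carry a query or fragment");
  // A terminating slash on the issuer path is dropped before insertion.
  const issuerPath = u.pathname === "/" ? "" : u.pathname.replace(/\/$/, "");
  return `${u.origin}/.well-known/oauth-authorization-server${issuerPath}`;
}

// RFC 8414 section 3.3: the issuer inside the document MUST be identical to
// the issuer used to build the metadata URL; otherwise the document is rejected.
function validateMetadata(expectedIssuer: string, body: string): IssuerCheck {
  let doc: unknown;
  try {
    doc = JSON.parse(body);
  } catch {
    return { ok: false, reason: "metadata is not valid JSON" };
  }
  if (typeof doc !== "object" || doc === null) {
    return { ok: false, reason: "metadata is not a JSON object" };
  }
  const issuer = (doc as { issuer?: unknown }).issuer;
  if (typeof issuer !== "string") {
    return { ok: false, reason: "metadata has no string issuer" };
  }
  if (issuer !== expectedIssuer) {
    return { ok: false, reason: `issuer mismatch: expected ${expectedIssuer}, got ${issuer}` };
  }
  return { ok: true, metadata: doc as AuthServerMetadata };
}

// Constructed sample documents: a tenant AS and the mismatch case from this PR.
const TENANT_ISSUER = "https://as.example.com/tenant1";
const GOOD_DOC = JSON.stringify({ issuer: TENANT_ISSUER, token_endpoint: `${TENANT_ISSUER}/token` });
const EVIL_DOC = JSON.stringify({ issuer: "https://evil.example.com" });
```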
pkg-pr-new bot commented Mar 30, 2026

npx https://pkg.pr.new/@modelcontextprotocol/conformance@203

commit: 9258b0a

@pcarleton (Member, Author) commented

@claude review

Development

Successfully merging this pull request may close these issues.

AS issuer validation failure