[PR #21296] [CLOSED] fix: correct MCP OAuth authorization server metadata discovery URL #26014

New Issue

GiteaMirror · 2026-04-20T06:16:04-05:00

GiteaMirror commented

2026-04-20 06:16:04 -05:00

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/21296
Author: @thoov
Created: 2/10/2026
Status: ❌ Closed

Base: main ← Head: fix/mcp-oauth-discovery-url-construction

📝 Commits (1)

8a71bf0 fix: correct MCP OAuth authorization server metadata discovery URL construction

📊 Changes

2 files changed (+27 additions, -3 deletions)

View changed files

📝 backend/open_webui/routers/configs.py (+1 -1)
📝 backend/open_webui/utils/oauth.py (+26 -2)

📄 Description

Summary

Fix authorization server metadata URL construction in get_authorization_server_discovery_urls() to comply with RFC 8414 §3 — the /.well-known/ segment is now inserted between the host and the path instead of appended to the end of the issuer URL
Fix missing await on async get_discovery_urls() call in the verify endpoint, which caused a TypeError when iterating over the unawaited coroutine

Test plan

Verify that an MCP server with an authorization server like https://foo.com/oauth produces discovery URL https://foo.com/.well-known/oauth-authorization-server/oauth (not https://foo.com/oauth/.well-known/oauth-authorization-server)
Verify that an MCP server with a pathless authorization server like https://example.com still produces https://example.com/.well-known/oauth-authorization-server
Verify the OAuth 2.1 verification endpoint (/tool_servers/verify) completes without TypeError

contributor license agreement

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/open-webui/open-webui/pull/21296 **Author:** [@thoov](https://github.com/thoov) **Created:** 2/10/2026 **Status:** ❌ Closed **Base:** `main` ← **Head:** `fix/mcp-oauth-discovery-url-construction` --- ### 📝 Commits (1) - [`8a71bf0`](https://github.com/open-webui/open-webui/commit/8a71bf0098859fcaedde1c33c96b7ea879c55cc2) fix: correct MCP OAuth authorization server metadata discovery URL construction ### 📊 Changes **2 files changed** (+27 additions, -3 deletions) <details> <summary>View changed files</summary> 📝 `backend/open_webui/routers/configs.py` (+1 -1) 📝 `backend/open_webui/utils/oauth.py` (+26 -2) </details> ### 📄 Description ## Summary - Fix authorization server metadata URL construction in `get_authorization_server_discovery_urls()` to comply with RFC 8414 §3 — the `/.well-known/` segment is now inserted between the host and the path instead of appended to the end of the issuer URL - Fix missing `await` on async `get_discovery_urls()` call in the verify endpoint, which caused a `TypeError` when iterating over the unawaited coroutine ## Test plan - [ ] Verify that an MCP server with an authorization server like `https://foo.com/oauth` produces discovery URL `https://foo.com/.well-known/oauth-authorization-server/oauth` (not `https://foo.com/oauth/.well-known/oauth-authorization-server`) - [ ] Verify that an MCP server with a pathless authorization server like `https://example.com` still produces `https://example.com/.well-known/oauth-authorization-server` - [ ] Verify the OAuth 2.1 verification endpoint (`/tool_servers/verify`) completes without `TypeError` contributor license agreement --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>

GiteaMirror added the pull-request label 2026-04-20 06:16:04 -05:00

GiteaMirror closed this issue

2026-04-20 06:16:05 -05:00

Sign in to join this conversation.

Branches Tags

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/open-webui#26014