SEP-2351: Explicitly specify RFC 8414 well-known URI suffix for MCP — rust-sdk implementation
Spec PR: modelcontextprotocol/modelcontextprotocol#2351
Track: Specification · Stage: accepted · Priority: P0 · Theme: Enterprise Readiness
Needs code changes: Yes (Small)
Summary
States that MCP uses the default oauth-authorization-server well-known URI suffix from RFC 8414
§3.1 and does not define an application-specific suffix. Clarifies metadata discovery URL
construction.
Why this needs code changes in rust-sdk
The client already builds RFC 8414-style candidates in auth.rs (the discovery-candidate
builder around lines 1380–1395 pushes /.well-known/oauth-authorization-server, the path-insertion
variants /.well-known/oauth-authorization-server/{path} and
/.well-known/openid-configuration/{path}, the path-append variant
/{path}/.well-known/openid-configuration, and a canonical OAuth fallback). So this is mostly a
verify-and-tighten task, not a from-scratch build.
Conformance currently reports auth/metadata-var3 FAIL (0/4) — a metadata-discovery edge case.
The most likely culprits given the current code: candidate ordering/priority vs. the spec, the
path-append-only-for-OIDC behavior, or how the canonical fallback interacts with issuers that have
path components.
Proposed work
- push_candidate(..) list (lines ~1383–1394) — the bug is probably ordering or a missing/extra variant, not a missing suffix.
- oauth-authorization-server suffix is used (no MCP-specific suffix) — current code already does this; assert it with a test.
- auth/metadata-var3 scenario against the candidate list to find which URL it expects vs. what the client tries first; fix the discrepancy.
- auth/metadata-var* to green; add unit tests over the candidate builder for issuers with and without path components.
Affected areas
crates/rmcp/src/transport/auth.rs (the well-known discovery candidate builder; discover_metadata / try_discover_oauth_server).
Notes / risks
- Pairs with SEP-2352 (AS binding/migration) and the
auth/metadata-var3 conformance fix. Bundle with the broader auth cleanup.
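A sketch of the candidate list that unit tests over the builder would pin down, for issuers with and without path components. This is an added example, not rmcp's code: discovery_candidates is a hypothetical helper, the hosts are constructed, and the ordering (path insertion first, path append last, no root fallback for path-bearing issuers) is an assumption to check against the spec and the auth/metadata-var3 scenario.

```rust
// Added example, not rmcp code: `discovery_candidates` is a hypothetical helper.
// The candidate order is an assumption: RFC 8414 path insertion first, then the
// OpenID Connect forms. No MCP-specific suffix is ever generated.
fn discovery_candidates(issuer: &str) -> Result<Vec<String>, String> {
    // RFC 8414 section 2: the issuer is an https URL with no query or fragment.
    let rest = issuer
        .strip_prefix("https://")
        .ok_or_else(|| format!("issuer must use https: {issuer}"))?;
    if rest.contains('?') || rest.contains('#') {
        return Err(format!("issuer must not carry a query or fragment: {issuer}"));
    }
    // Split authority from path; a lone trailing slash counts as "no path".
    let (authority, path) = match rest.find('/') {
        Some(i) => (&rest[..i], rest[i..].trim_end_matches('/')),
        None => (rest, ""),
    };
    if authority.is_empty() {
        return Err(format!("issuer has no host: {issuer}"));
    }
    let origin = format!("https://{authority}");
    let mut out = Vec::new();
    if path.is_empty() {
        out.push(format!("{origin}/.well-known/oauth-authorization-server"));
        out.push(format!("{origin}/.well-known/openid-configuration"));
    } else {
        // Path insertion: the suffix goes between the host and the issuer path.
        out.push(format!("{origin}/.well-known/oauth-authorization-server{path}"));
        out.push(format!("{origin}/.well-known/openid-configuration{path}"));
        // Path append: the OpenID Connect Discovery form, OIDC only.
        out.push(format!("{origin}{path}/.well-known/openid-configuration"));
    }
    Ok(out)
}

fn main() {
    // Constructed issuers: one without and one with a path component.
    for issuer in ["https://auth.example.com", "https://auth.example.com/tenant1"] {
        println!("{issuer}");
        for url in discovery_candidates(issuer).unwrap() {
            println!("  {url}");
        }
    }
}
```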