Fix OAuth token refresh for servers with root-based discovery (fixes #3) #6

Open
kingsleyzhong wants to merge 1 commit into apify:main from kingsleyzhong:fix-oauth-token-refresh-discovery
@kingsleyzhong
Problem

The discoverTokenEndpoint() function in oauth-utils.ts only tries path-based OAuth discovery URLs:

  • https://example.com/mcp/.well-known/oauth-authorization-server
  • https://example.com/mcp/.well-known/openid-configuration

However, some servers like Notion host their OAuth metadata at the root:

  • https://mcp.notion.com/.well-known/oauth-authorization-server

This causes token refresh to fail for these servers, even though initial login works (because the MCP SDK's discoverAuthorizationServerMetadata() tries both path-based and root-based discovery).

Solution

Add root-based fallback URLs to discoverTokenEndpoint(), matching the behavior of the MCP SDK:

const serverUrlObj = new URL(serverUrl);
const base = `${serverUrlObj.protocol}//${serverUrlObj.host}`;
if (serverUrl !== base && serverUrl !== `${base}/`) {
  discoveryUrls.push(
    `${base}/.well-known/oauth-authorization-server`,
    `${base}/.well-known/openid-configuration`,
  );
}

Testing

  • All unit tests pass (335/335)
  • Manual verification: discoverTokenEndpoint('https://mcp.notion.com/mcp') now correctly returns https://mcp.notion.com/token

Fixes #3

Fixes apify#3

The discoverTokenEndpoint() function only tried path-based OAuth discovery
URLs (e.g., https://mcp.notion.com/mcp/.well-known/oauth-authorization-server),
but some servers like Notion host their OAuth metadata at the root
(e.g., https://mcp.notion.com/.well-known/oauth-authorization-server).

Initial login worked because discoverAuthorizationServerMetadata() in the MCP
SDK tries both path-based and root-based discovery. However, token refresh
failed because discoverTokenEndpoint() only tried path-based URLs.

This fix adds root-based fallback URLs to discoverTokenEndpoint(), matching
the behavior of the MCP SDK's discovery function.
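
The lookup order described in this pull request, written out as an added example (not the code in oauth-utils.ts or the MCP SDK). The names candidateDiscoveryUrls, discoverTokenEndpointSketch, MetadataLookup and sampleLookup are hypothetical, the metadata map is constructed sample data, and the HTTPS check on the returned endpoint is an assumption added here because the refresh token is sent to that URL.

```typescript
// Added illustration; hypothetical names, not the project's implementation.
type MetadataLookup = (url: string) => Promise<Record<string, unknown> | null>;

const WELL_KNOWN = [
  "/.well-known/oauth-authorization-server",
  "/.well-known/openid-configuration",
];

// Path-based candidates first, then root-based fallbacks when the server URL has a path.
function candidateDiscoveryUrls(serverUrl: string): string[] {
  const u = new URL(serverUrl);
  const base = `${u.protocol}//${u.host}`;
  const withPath = `${base}${u.pathname.replace(/\/+$/, "")}`;
  const urls = WELL_KNOWN.map((s) => withPath + s);
  if (withPath !== base) {
    urls.push(...WELL_KNOWN.map((s) => base + s));
  }
  return urls;
}

// True only for a parseable https: URL.
function isHttpsUrl(value: string): boolean {
  try {
    return new URL(value).protocol === "https:";
  } catch {
    return false;
  }
}

// Return the first usable token_endpoint, or null when no candidate yields one.
async function discoverTokenEndpointSketch(
  serverUrl: string,
  lookup: MetadataLookup,
): Promise<string | null> {
  for (const url of candidateDiscoveryUrls(serverUrl)) {
    const meta = await lookup(url).catch(() => null);
    const endpoint = meta ? meta["token_endpoint"] : undefined;
    // Assumption added here: refuse endpoints that are not HTTPS.
    if (typeof endpoint === "string" && isHttpsUrl(endpoint)) return endpoint;
  }
  return null;
}

// Constructed sample: only the root-based document exists, as in the Notion case.
const constructedMetadata = new Map<string, Record<string, unknown>>([
  ["https://mcp.notion.com/.well-known/oauth-authorization-server",
    { token_endpoint: "https://mcp.notion.com/token" }],
]);
const sampleLookup: MetadataLookup = async (url) => constructedMetadata.get(url) ?? null;
```

In real use the lookup would perform the HTTP GET and return the parsed JSON, or null on a non-2xx response.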

Successfully merging this pull request may close these issues.

OAuth token refresh fails for MCP servers with non-root OAuth discovery endpoints (e.g., Notion)