Skip to content

fix(workos): serve OAuth AS metadata (CIMD/DCR) instead of OIDC discovery#601

Open
piersonmarks wants to merge 1 commit into
basementstudio:canaryfrom
piersonmarks:fix/workos-as-metadata-cimd-dcr
Open

fix(workos): serve OAuth AS metadata (CIMD/DCR) instead of OIDC discovery#601
piersonmarks wants to merge 1 commit into
basementstudio:canaryfrom
piersonmarks:fix/workos-as-metadata-cimd-dcr

Conversation

@piersonmarks

@piersonmarks piersonmarks commented Jun 25, 2026

Copy link
Copy Markdown

The WorkOS plugin's /.well-known/oauth-authorization-server route mirrors AuthKit's
OpenID Connect discovery document (/.well-known/openid-configuration), which omits
client_id_metadata_document_supported (CIMD), registration_endpoint (DCR) and
code_challenge_methods_supported (PKCE). AuthKit advertises those only at its RFC 8414
OAuth Authorization Server Metadata endpoint. As a result, MCP clients (e.g. ChatGPT)
report CIMD and DCR as unsupported even when they are enabled in the WorkOS dashboard.

This PR:

  • Fetches /.well-known/oauth-authorization-server (RFC 8414) so the advertised
    metadata carries the CIMD/DCR/PKCE fields.
  • Adds a 5s AbortSignal.timeout on the upstream fetch so a slow or stalled AuthKit
    cannot hang the request and pin a slot.
  • Falls back to the existing static metadata on any fetch error instead of returning a
    500, so discovery stays available through transient upstream blips.

Verified against a live AuthKit domain that /.well-known/oauth-authorization-server
contains client_id_metadata_document_supported: true and registration_endpoint
while /.well-known/openid-configuration contains neither.

Optional follow-up (not included to keep the diff tight): the
OAuthAuthorizationServerMetadata type does not declare registration_endpoint or
client_id_metadata_document_supported. It is not required for correctness (the success
path passes the fetched document through verbatim), but adding them as optional fields
would make the type accurately model AuthKit's response.

Tracked as #602.

@vercel

vercel Bot commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

@piersonmarks is attempting to deploy a commit to the xmcp Team on Vercel.

A member of the Team first needs to authorize it.

…very

The /.well-known/oauth-authorization-server route mirrored AuthKit's OpenID
Connect discovery document (/.well-known/openid-configuration), which omits
client_id_metadata_document_supported (CIMD), registration_endpoint (DCR) and
code_challenge_methods_supported (PKCE). AuthKit advertises those only at its
RFC 8414 OAuth Authorization Server Metadata endpoint, so MCP clients (e.g.
ChatGPT) reported CIMD/DCR as unsupported even when enabled in the dashboard.

- Fetch /.well-known/oauth-authorization-server (RFC 8414) so the metadata
  carries the CIMD/DCR/PKCE fields.
- Add a 5s AbortSignal.timeout on the upstream fetch.
- Fall back to the static metadata on any fetch error instead of returning 500.
@piersonmarks piersonmarks force-pushed the fix/workos-as-metadata-cimd-dcr branch from 81c777e to f4f45b5 Compare June 25, 2026 00:20
@0xKoller

Copy link
Copy Markdown
Contributor

Hey @piersonmarks! Thanks for contributing!
Before doing a deeper review, could you upload an example of this fix working? That way I can confirm it’s the proper solution.

@0xKoller

Copy link
Copy Markdown
Contributor

@piersonmarks Hey!

Any updates on this?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants