fix(workos): serve OAuth AS metadata (CIMD/DCR) instead of OIDC discovery#601
Open
piersonmarks wants to merge 1 commit into
Open
fix(workos): serve OAuth AS metadata (CIMD/DCR) instead of OIDC discovery#601piersonmarks wants to merge 1 commit into
piersonmarks wants to merge 1 commit into
Conversation
Contributor
|
@piersonmarks is attempting to deploy a commit to the xmcp Team on Vercel. A member of the Team first needs to authorize it. |
…very The /.well-known/oauth-authorization-server route mirrored AuthKit's OpenID Connect discovery document (/.well-known/openid-configuration), which omits client_id_metadata_document_supported (CIMD), registration_endpoint (DCR) and code_challenge_methods_supported (PKCE). AuthKit advertises those only at its RFC 8414 OAuth Authorization Server Metadata endpoint, so MCP clients (e.g. ChatGPT) reported CIMD/DCR as unsupported even when enabled in the dashboard. - Fetch /.well-known/oauth-authorization-server (RFC 8414) so the metadata carries the CIMD/DCR/PKCE fields. - Add a 5s AbortSignal.timeout on the upstream fetch. - Fall back to the static metadata on any fetch error instead of returning 500.
81c777e to
f4f45b5
Compare
Contributor
|
Hey @piersonmarks! Thanks for contributing! |
Contributor
|
@piersonmarks Hey! Any updates on this? |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The WorkOS plugin's
/.well-known/oauth-authorization-serverroute mirrors AuthKit'sOpenID Connect discovery document (
/.well-known/openid-configuration), which omitsclient_id_metadata_document_supported(CIMD),registration_endpoint(DCR) andcode_challenge_methods_supported(PKCE). AuthKit advertises those only at its RFC 8414OAuth Authorization Server Metadata endpoint. As a result, MCP clients (e.g. ChatGPT)
report CIMD and DCR as unsupported even when they are enabled in the WorkOS dashboard.
This PR:
/.well-known/oauth-authorization-server(RFC 8414) so the advertisedmetadata carries the CIMD/DCR/PKCE fields.
AbortSignal.timeouton the upstream fetch so a slow or stalled AuthKitcannot hang the request and pin a slot.
500, so discovery stays available through transient upstream blips.
Verified against a live AuthKit domain that
/.well-known/oauth-authorization-servercontains
client_id_metadata_document_supported: trueandregistration_endpointwhile
/.well-known/openid-configurationcontains neither.Optional follow-up (not included to keep the diff tight): the
OAuthAuthorizationServerMetadatatype does not declareregistration_endpointorclient_id_metadata_document_supported. It is not required for correctness (the successpath passes the fetched document through verbatim), but adding them as optional fields
would make the type accurately model AuthKit's response.
Tracked as #602.