
Continue OAuth discovery on non-JSON metadata responses #2171

Open
FU-max-boop wants to merge 1 commit into modelcontextprotocol:main from FU-max-boop:fix/oauth-discovery-non-json-fallback


@FU-max-boop

Summary

Fixes #2126.

discoverAuthorizationServerMetadata() currently treats any HTTP 200 discovery response as parseable metadata. If the RFC 8414 candidate endpoint returns an HTML/static page, response.json() throws and the SDK never tries the later OIDC discovery URLs.

This catches non-JSON bodies for successful discovery responses and continues to the next OAuth/OIDC metadata candidate, preserving existing behavior for 4xx/502 fallback and non-502 5xx errors.

Tests

  • npx -y pnpm@10.26.1 --filter @modelcontextprotocol/client test -- auth.test.ts
  • npx -y pnpm@10.26.1 --filter @modelcontextprotocol/client lint
  • npx -y pnpm@10.26.1 --filter @modelcontextprotocol/client typecheck
  • npx -y pnpm@10.26.1 --filter @modelcontextprotocol/client build
  • npx -y pnpm@10.26.1 run sync:snippets --check

@FU-max-boop FU-max-boop requested a review from a team as a code owner May 28, 2026 20:39
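
The fallback described in the summary above, as an added example for readers; it is not the SDK's code and not part of this PR. The function names, the sample issuer and the fake fetch are constructed; the issuer comparison is an extra check taken from RFC 8414 section 3.3, and treating non-502 5xx as a hard failure is an assumption read from the summary's wording.

```javascript
// Added example, not the SDK's code. Candidate order for an issuer without a
// path component: RFC 8414 first, then OIDC Discovery.
const WELL_KNOWN = [
  '/.well-known/oauth-authorization-server',
  '/.well-known/openid-configuration',
];

// Returns the metadata object, null ("try the next candidate"), or throws.
function interpretDiscoveryResponse(status, bodyText, issuer) {
  if ((status >= 400 && status < 500) || status === 502) return null;
  if (status < 200 || status >= 300) {
    throw new Error(`HTTP ${status} from metadata endpoint`); // assumed hard failure
  }
  let doc;
  try {
    doc = JSON.parse(bodyText);
  } catch {
    return null; // 2xx with an HTML or other non-JSON body: keep going
  }
  if (doc === null || typeof doc !== 'object' || Array.isArray(doc)) return null;
  // RFC 8414 section 3.3: metadata whose issuer differs must not be used.
  if (doc.issuer !== issuer) throw new Error('issuer mismatch in metadata');
  return doc;
}

// fetchFn is injectable so the loop can be exercised offline.
async function discover(issuer, fetchFn = globalThis.fetch) {
  for (const path of WELL_KNOWN) {
    const res = await fetchFn(new URL(path, issuer));
    const meta = interpretDiscoveryResponse(res.status, await res.text(), issuer);
    if (meta) return meta;
  }
  return undefined; // no candidate produced usable metadata
}

// Constructed responses: the RFC 8414 URL serves HTML, the OIDC URL serves JSON.
const SAMPLE_ISSUER = 'https://auth.example.test';
const sampleFetch = async (url) => {
  const isRfc8414 = String(url).endsWith('oauth-authorization-server');
  const body = isRfc8414
    ? '<!doctype html><title>Home</title>'
    : JSON.stringify({ issuer: SAMPLE_ISSUER, token_endpoint: `${SAMPLE_ISSUER}/token` });
  return { status: 200, text: async () => body };
};
```

Because the fallback makes the client read more endpoints, the issuer comparison keeps a JSON document served for a different issuer from being accepted as this server's metadata.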
@changeset-bot

changeset-bot Bot commented May 28, 2026

🦋 Changeset detected

Latest commit: 3678ce5

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
@modelcontextprotocol/client Patch


@pkg-pr-new

pkg-pr-new Bot commented May 28, 2026


@modelcontextprotocol/client

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/client@2171

@modelcontextprotocol/codemod

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/codemod@2171

@modelcontextprotocol/server

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/server@2171

@modelcontextprotocol/express

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/express@2171

@modelcontextprotocol/fastify

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/fastify@2171

@modelcontextprotocol/hono

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/hono@2171

@modelcontextprotocol/node

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/node@2171

commit: 3678ce5

@FU-max-boop FU-max-boop force-pushed the fix/oauth-discovery-non-json-fallback branch from dc32a08 to fe542d6 Compare May 28, 2026 20:46
@FU-max-boop FU-max-boop force-pushed the fix/oauth-discovery-non-json-fallback branch from fe542d6 to 3678ce5 Compare May 28, 2026 23:03
Development

Successfully merging this pull request may close these issues.

OAuth AS metadata discovery crashes on 200 OK + non-JSON response instead of falling back to OIDC
