fix: use discoverOAuthFromWWWAuthenticate for reactive OAuth flow (#18760) #19038

Merged
scidomino merged 5 commits into google-gemini:main from maximus12793:fix/oauth-reactive-discovery-18760
Feb 20, 2026

Conversation

@maximus12793 (Contributor)

Summary

  • Fix handleAutomaticOAuth() passing a resource_metadata URI (already a .well-known URL) to discoverOAuthConfig(), which expects a server URL — causing double-nested .well-known paths (404) and ResourceMismatchError for path-based MCP servers
  • Switch to the existing discoverOAuthFromWWWAuthenticate() utility which correctly fetches the resource metadata URI directly and validates against the actual server URL
  • Use extractBaseUrl() in the fallback path instead of inline URL construction

Root Cause

discoverOAuthConfig(resourceMetadataUri) constructs .well-known discovery paths from its input. When the input is already a .well-known URL parsed from the WWW-Authenticate header, this produces double-nested paths that 404. The fallback then throws ResourceMismatchError.

Fix

Use discoverOAuthFromWWWAuthenticate() (already exists in oauth-utils.ts) which directly fetches the resource_metadata URI and validates against the actual server URL (RFC 9728 §7.3). Fallback to base URL discovery is preserved.

Test plan

  • Existing unit tests pass (93/93)
  • TypeScript typecheck clean
  • ESLint + Prettier pass
  • Manual test with a path-based OAuth MCP server

Fixes #18760
Supersedes #18798 (stalled on CLA)

handleAutomaticOAuth() was passing the resource_metadata URI (already a
.well-known URL) to discoverOAuthConfig() which expects a server URL and
constructs .well-known paths from it. This caused double-nested .well-known
paths (404) and subsequent ResourceMismatchError for path-based MCP servers.

Switch to discoverOAuthFromWWWAuthenticate() which directly fetches the
resource_metadata URI and validates against the actual server URL, with
fallback to base URL discovery.

Fixes google-gemini#18760
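The failure mode and the fix described above, as an added illustration that is not gemini-cli's code. Every name here is a hypothetical stand-in: `wellKnownFromServerUrl` plays the role the description assigns to discoverOAuthConfig (deriving a path-aware .well-known URL from a server URL), `discoverAfter401` the role of discoverOAuthFromWWWAuthenticate, `fetchHosted` replaces the network with a constructed in-memory map, and the sample server URL, challenge and metadata are constructed. The fallback ordering (base-URL discovery only when the challenge advertises no resource_metadata) is a simplifying assumption, not a statement about the project's code.

```typescript
// Added illustration of the bug and fix described in the PR; not gemini-cli code.
// All names are hypothetical stand-ins; the data at the bottom is constructed.

const WELL_KNOWN = '/.well-known/oauth-protected-resource';

export interface ProtectedResourceMetadata {
  resource: string; // identifier of the protected resource (RFC 9728)
  authorization_servers: string[];
}
export type Fetcher = (url: string) => ProtectedResourceMetadata | undefined;

/** Throw an Error whose `name` tags the failure (stand-in for the project's error classes). */
function fail(name: 'NotFoundError' | 'ResourceMismatchError', msg: string): never {
  const e = new Error(msg);
  e.name = name;
  throw e;
}

/** resource_metadata="..." from a Bearer challenge, or null when absent. */
export function parseResourceMetadataUri(wwwAuthenticate: string): string | null {
  const m = /resource_metadata="([^"]+)"/i.exec(wwwAuthenticate);
  return m ? m[1] : null;
}

/** scheme://host[:port] of a server URL, the role extractBaseUrl plays in the PR. */
export function extractBaseUrl(serverUrl: string): string {
  return new URL(serverUrl).origin;
}

/** Path-aware well-known URL derived from a *server* URL, as a routine that
 *  expects a server URL (the PR's discoverOAuthConfig) would build it. */
export function wellKnownFromServerUrl(serverUrl: string): string {
  const u = new URL(serverUrl);
  return `${u.origin}${WELL_KNOWN}${u.pathname.replace(/\/$/, '')}`;
}

/** True when the well-known segment appears twice: the 404 case in the PR. */
export function isDoubleNested(url: string): boolean {
  return url.split(WELL_KNOWN).length > 2;
}

/** Fetch metadata and require its `resource` to match the server actually in use. */
function fetchAndValidate(metadataUrl: string, serverUrl: string, fetchJson: Fetcher): ProtectedResourceMetadata {
  const meta = fetchJson(metadataUrl);
  if (!meta) fail('NotFoundError', `404 at ${metadataUrl}`);
  const norm = (s: string) => new URL(s).href.replace(/\/$/, '');
  if (norm(meta.resource) !== norm(serverUrl)) {
    fail('ResourceMismatchError', `metadata describes ${meta.resource}, client is using ${serverUrl}`);
  }
  return meta;
}

export interface DiscoveryResult { metadataUrl: string; authorizationServer: string; viaFallback: boolean }

/** BEFORE: the advertised URI is fed to the server-URL routine, nesting the
 *  segment twice (404); the base-URL fallback then describes the origin rather
 *  than /api/v1, so validation ends in ResourceMismatchError. */
export function buggyDiscoverAfter401(serverUrl: string, wwwAuthenticate: string, fetchJson: Fetcher): DiscoveryResult {
  const advertised = parseResourceMetadataUri(wwwAuthenticate);
  const firstTry = wellKnownFromServerUrl(advertised ?? serverUrl);
  try {
    const meta = fetchAndValidate(firstTry, serverUrl, fetchJson);
    return { metadataUrl: firstTry, authorizationServer: meta.authorization_servers[0], viaFallback: false };
  } catch (e) {
    if ((e as Error).name !== 'NotFoundError') throw e;
  }
  const fallback = wellKnownFromServerUrl(extractBaseUrl(serverUrl));
  const meta = fetchAndValidate(fallback, serverUrl, fetchJson);
  return { metadataUrl: fallback, authorizationServer: meta.authorization_servers[0], viaFallback: true };
}

/** AFTER: fetch the advertised URI as-is and validate it against serverUrl;
 *  derive a well-known URL only when the challenge advertises none (assumed ordering). */
export function discoverAfter401(serverUrl: string, wwwAuthenticate: string, fetchJson: Fetcher): DiscoveryResult {
  const advertised = parseResourceMetadataUri(wwwAuthenticate);
  const metadataUrl = advertised ?? wellKnownFromServerUrl(extractBaseUrl(serverUrl));
  const meta = fetchAndValidate(metadataUrl, serverUrl, fetchJson);
  return { metadataUrl, authorizationServer: meta.authorization_servers[0], viaFallback: advertised === null };
}

// Constructed sample: a path-based MCP server and the two metadata documents it hosts.
export const SERVER = 'https://mcp.example.com/api/v1';
export const CHALLENGE = 'Bearer resource_metadata="https://mcp.example.com/.well-known/oauth-protected-resource/api/v1"';
const HOSTED: Record<string, ProtectedResourceMetadata> = {
  'https://mcp.example.com/.well-known/oauth-protected-resource/api/v1':
    { resource: SERVER, authorization_servers: ['https://auth.example.com'] },
  'https://mcp.example.com/.well-known/oauth-protected-resource':
    { resource: 'https://mcp.example.com', authorization_servers: ['https://auth.example.com'] },
};
export const fetchHosted: Fetcher = (url) => HOSTED[url];
```

Running `buggyDiscoverAfter401(SERVER, CHALLENGE, fetchHosted)` reproduces the chain in the root-cause section (double-nested URL, 404, fallback, ResourceMismatchError), while `discoverAfter401` with the same inputs returns the authorization server from the advertised document. The `resource` comparison is the defender's control here: without it, a metadata document fetched from any URL named in a challenge would be trusted to name an authorization server for a resource it does not describe.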
@maximus12793 maximus12793 requested a review from a team as a code owner February 13, 2026 23:09
@gemini-code-assist (bot, Contributor)

Summary of Changes

Hello @maximus12793, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request refines the OAuth authentication flow for MCP servers by addressing a critical issue where the discovery process could fail due to incorrect handling of resource_metadata URIs. By switching to an existing utility function and standardizing base URL extraction, the changes ensure robust and reliable OAuth configuration discovery, particularly for path-based servers.

Highlights

  • OAuth Discovery Logic Refinement: The handleAutomaticOAuth function now correctly utilizes discoverOAuthFromWWWAuthenticate to prevent issues with double-nested .well-known paths and ResourceMismatchError when processing WWW-Authenticate headers.
  • Fallback URL Construction: The fallback mechanism for OAuth discovery has been updated to use OAuthUtils.extractBaseUrl() for constructing the base URL, ensuring consistent and correct URL handling.

Changelog

  • packages/core/src/tools/mcp-client.ts
    • Refactored OAuth discovery logic in handleAutomaticOAuth to use discoverOAuthFromWWWAuthenticate.
    • Updated the fallback path for OAuth discovery to use OAuthUtils.extractBaseUrl.
    • Removed a redundant serverUrl declaration.

Activity

  • Existing unit tests passed (93/93).
  • TypeScript typecheck passed cleanly.
  • ESLint and Prettier checks passed.
  • Manual testing with a path-based OAuth MCP server is pending.
@gemini-code-assist (bot, Contributor) left a comment

Code Review

The pull request correctly addresses the issue of double-nested .well-known paths during OAuth discovery by utilizing the discoverOAuthFromWWWAuthenticate utility. This change ensures that when a resource_metadata URI is provided in the WWW-Authenticate header, it is fetched directly rather than being treated as a base URL for further path construction. The refactoring also improves code clarity by consolidating URL extraction logic and removing redundant variable declarations.

@gemini-cli gemini-cli bot added area/security Issues related to security priority/p2 Important but can be addressed in a future release. area/core Issues related to User Interface, OS Support, Core Functionality help wanted We will accept PRs from all issues marked as "help wanted". Thanks for your support! labels Feb 13, 2026
@scidomino scidomino self-requested a review February 18, 2026 20:32
@scidomino (Collaborator) left a comment

Add a test and I will approve.

@maximus12793 maximus12793 force-pushed the fix/oauth-reactive-discovery-18760 branch from 2eacf2d to e72b076, February 19, 2026 20:04

@maximus12793 (Contributor, Author)

@scidomino done, thanks!

@scidomino (Collaborator)

@maximus12793 we can't merge until you sign the CLA. Please do so.

@maximus12793 maximus12793 force-pushed the fix/oauth-reactive-discovery-18760 branch from 28f42f9 to 8226a9b, February 20, 2026 00:38

@maximus12793 (Contributor, Author)

> @maximus12793 we can't merge until you sign the CLA. Please do so.

Fixed, sorry about that

@scidomino scidomino enabled auto-merge February 20, 2026 17:34
@scidomino scidomino added this pull request to the merge queue Feb 20, 2026
Merged via the queue into google-gemini:main with commit be03e06 Feb 20, 2026
27 checks passed

Development

Successfully merging this pull request may close these issues: fix(oauth): 401-triggered OAuth discovery fails for path-based MCP servers due to misrouted resource_metadata URI