Skip to content

fix: strip trailing slashes from OAuth metadata URL fields #1938

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
maxisbey wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

fix: strip trailing slashes from OAuth metadata URL fields #1938

maxisbey wants to merge 2 commits into from

Conversation

@maxisbey
Copy link
Contributor

@maxisbey maxisbey commented Jan 23, 2026

Summary

Pydantic's AnyHttpUrl automatically appends a trailing slash to bare hostnames (e.g., http://localhost:8000 becomes http://localhost:8000/). This causes OAuth metadata discovery to fail in clients that validate per RFC 8414 §3.3 and RFC 9728 §3, which require the returned issuer/resource URL to be identical to the URL used for discovery.

This broke interop with Google ADK and IBM's MCP Context Forge, which correctly perform this identity check.

Changes

Add field_serializer to strip trailing slashes during JSON serialization for:

  • OAuthMetadata.issuer (RFC 8414 §3.3)
  • ProtectedResourceMetadata.resource (RFC 9728 §3)
  • ProtectedResourceMetadata.authorization_servers (RFC 9728 §3)

The fix is at the serialization layer so the internal AnyHttpUrl representation is unchanged, but the JSON responses no longer include spurious trailing slashes.

Fixes #1919
Fixes #1265

@maxisbey
fix: strip trailing slashes from OAuth metadata URL fields
96c7a43 
Pydantic's AnyHttpUrl automatically appends a trailing slash to bare
hostnames (e.g., http://localhost:8000 becomes http://localhost:8000/).
This causes OAuth discovery to fail in clients that validate per
RFC 8414 §3.3 and RFC 9728 §3, which require the returned issuer/resource
URL to be identical to the URL used for discovery.

Add field_serializer to OAuthMetadata.issuer,
ProtectedResourceMetadata.resource, and
ProtectedResourceMetadata.authorization_servers to strip the trailing
slash during JSON serialization.

Fixes #1919
Fixes #1265

Reported-by: joar
Github-Issue: #1919
@maxisbey
refactor: use @staticmethod instead of @classmethod for field_serializer
0ab9092 
@classmethod is not the intended decorator for Pydantic's
field_serializer (unlike field_validator which requires it).
Using @staticmethod avoids IDE warnings about incorrect descriptor
protocol usage.
@claude
Copy link

claude bot commented Jan 23, 2026

Code review

No issues found. Checked for bugs and CLAUDE.md compliance.

Kludex
Kludex reviewed Jan 23, 2026
View reviewed changes
src/mcp/shared/auth.py
Comment on lines +132 to +136
@field_serializer("issuer")
@staticmethod
def _serialize_issuer(v: AnyHttpUrl) -> str:
"""Strip trailing slash added by AnyHttpUrl for RFC 8414 §3.3 compliance."""
return str(v).rstrip("/")
Copy link
Member

@Kludex Kludex Jan 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we just use str instead of AnyHttpUrl in the field?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Kludex Kludex Kludex left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

3 participants

@maxisbey @Kludex