OAuth operational routes for auth.providers created at base_url but declared to be at issuer_url in /.well-known/oauth-authorization-server

[jtewright]

Description

Following https://gofastmcp.com/deployment/http#mounting-authenticated-servers for GoogleProvider

I think there's a bug:

• operational routes (/authorize, /token) get mounted on base_url/ (correct afaik)
• but /.well-known/oauth-authorization-server says they are at issuer_url/

Example Code

auth = GitHubProvider(
    client_id="your-client-id",
    client_secret="your-client-secret",
    issuer_url=ROOT_URL,  # Discovery metadata at root
    base_url=f"{ROOT_URL}{MOUNT_PREFIX}",  # Operational endpoints under prefix
)

this leads to:

{ROOT_URL}/.well-known/oauth-authorization-server

returning:

{"issuer":"{ROOT_URL}/","authorization_endpoint":"{ROOT_URL}/authorize","token_endpoint":"{ROOT_URL}/token","registration_endpoint":"{ROOT_URL}/register","scopes_supported":["openid"],"response_types_supported":["code"],"grant_types_supported":["authorization_code","refresh_token"],"token_endpoint_auth_methods_supported":["client_secret_post"],"code_challenge_methods_supported":["S256"]}

while those operational routes are actually at {ROOT_URL}{MOUNT_PREFIX}

Version Information

v2.13.0.1

[jtewright]

Potential solution is to not follow the mounting strategy suggested in the docs and to instead pass {ROOT_URL}{MOUNT_PREFIX} to both base_url and issuer_url. This leads the metadata returned from /.well-known/oauth-authorization-server to be correct for the operational roots. The .well-known routes have to be manually mounted at {ROOT_URL} though as the auth provider will only automatically mount them at {ROOT_URL}{MOUNT_PREFIX} where they won't be discovered by clients.