Opening this issue per conversation with @localden from MCP summit...
Is your feature request related to a problem? Please describe.
Currently the auth spec relies on a 401 with the WWW-Authenticate header containing the protected metadata info so that the client knows where to authenticate to.
This causes an issue for any MCP server protected by a gateway/proxy that does the initial protection of validating the tokens before they reach the MCP server. These proxies are not aware of needing to provide the additional header info, so by default all these proxies return a 401 without the extra header info, causing auth to fail per the spec.
Describe the solution you'd like
A fallback built into the spec that if the WWW-Authenticate is missing from the 401, the client should try to grab the protected metadata from the root domain that it's connected to. This gives all users with a gateway a predictable way to integrate.
Describe alternatives you've considered
We could customize our gateways to include the header info, but this is an app detail that our infra is not ideal to be getting into. Other users will benefit from this feature with any gateway infra.
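A client-side sketch of the requested fallback, added here as an illustration (it is not part of the issue, the MCP spec, or any SDK). It assumes "root domain" means the origin of the MCP server URL combined with the RFC 9728 well-known path; the function names, the `mcp.example.com` host, and the `resource` comparison rule are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/oauth-protected-resource"  # RFC 9728 well-known path

def metadata_url_from_header(www_authenticate):
    """Return the resource_metadata URL from a WWW-Authenticate value, or None."""
    if not www_authenticate:
        return None
    m = re.search(r'resource_metadata\s*=\s*(?:"([^"]*)"|([^\s,]+))',
                  www_authenticate, re.I)
    return (m.group(1) or m.group(2)) if m else None

def fallback_metadata_url(server_url):
    """Build the well-known URL from the origin the client already connected to."""
    parts = urlsplit(server_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("fallback discovery needs an https server URL")
    return f"https://{parts.netloc}{WELL_KNOWN}"

def discover_metadata_url(status, headers, server_url):
    """Prefer the header on a 401; fall back to the origin when a gateway omits it."""
    if status != 401:
        return None
    lowered = {k.lower(): v for k, v in headers.items()}
    return (metadata_url_from_header(lowered.get("www-authenticate"))
            or fallback_metadata_url(server_url))

def metadata_matches_server(metadata, server_url):
    """Assumed check: the metadata's `resource` must share the server's origin
    and be a path prefix of the server URL, so metadata for another resource
    is never trusted."""
    res, srv = urlsplit(metadata.get("resource", "")), urlsplit(server_url)
    same_origin = (res.scheme, res.netloc.lower()) == (srv.scheme, srv.netloc.lower())
    res_path = res.path.rstrip("/") + "/"
    return same_origin and (srv.path.rstrip("/") + "/").startswith(res_path)

if __name__ == "__main__":
    server = "https://mcp.example.com/v1/mcp"  # constructed sample URL
    # Constructed responses: a gateway 401 with no header, then a server 401 with one.
    print(discover_metadata_url(401, {}, server))
    print(discover_metadata_url(401, {"WWW-Authenticate":
          'Bearer resource_metadata="https://mcp.example.com' + WELL_KNOWN + '/v1/mcp"'},
          server))
    print(metadata_matches_server({"resource": "https://mcp.example.com"}, server))
```

Because the fallback URL is derived only from the origin the client chose to connect to, a bare 401 from a gateway cannot redirect discovery to a different host.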