OAuth operational routes for auth.providers created at base_url but declared to be at issuer_url in /.well-known/oauth-authorization-server #2287
Description
Description
Following https://gofastmcp.com/deployment/http#mounting-authenticated-servers for GoogleProvider
I think there's a bug:
- operational routes (/authorize, /token) get mounted on base_url/ (correct afaik)
- but /.well-known/oauth-authorization-server says they are at issuer_url/
Example Code
auth = GitHubProvider(
client_id="your-client-id",
client_secret="your-client-secret",
issuer_url=ROOT_URL, # Discovery metadata at root
base_url=f"{ROOT_URL}{MOUNT_PREFIX}", # Operational endpoints under prefix
)
this leads to:
{ROOT_URL}/.well-known/oauth-authorization-server
returning:
{"issuer":"{ROOT_URL}/","authorization_endpoint":"{ROOT_URL}/authorize","token_endpoint":"{ROOT_URL}/token","registration_endpoint":"{ROOT_URL}/register","scopes_supported":["openid"],"response_types_supported":["code"],"grant_types_supported":["authorization_code","refresh_token"],"token_endpoint_auth_methods_supported":["client_secret_post"],"code_challenge_methods_supported":["S256"]}
while those operational routes are actually at {ROOT_URL}{MOUNT_PREFIX}Version Information
v2.13.0.1