OAuth - .well-known files must allow OPTIONS and not GET only #715

Open
@KKonstantinov

Describe the bug
In the current sample implementation:

router.use(allowedMethods(['GET']));

It can be observed that the only allowed method for .well-known is GET.

This is not compatible with MCP inspector (and Claude AI), which both send an OPTIONS first to determine whether to proceed with a GET API call. Therefore, allowing GET only results in both failing. It can be observed in the latest version of MCP inspector, Guided OAuth Flow. The first step of the flow, "Metadata registration", will fail because the OPTIONS call to the oauth-authorization-server and oauth-protected-resource will fail.

To Reproduce
Steps to reproduce the behavior:

  1. Attempt Guided OAuth2 Flow when setting up OAuth in the MCP inspector v0.15.0

Expected behavior

  1. OPTIONS is allowed

Logs
No logs needed.

Additional context
The implementation of this repository should be tested against the MCP inspector as the minimum and possibly against Claude AI as the first adopter of the MCP standard.
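
The failure reported above, as an added example that is not part of the original issue or of this repository's code: a GET-only method gate rejects the CORS preflight, so a browser-based client never sends the GET, while a gate that answers the preflight keeps every other method rejected. The function names, the sample origin, the request-header allow-list and the public, credential-free metadata assumption are all hypothetical.

```javascript
// Added illustration: all names and sample values here are hypothetical.
// A method gate in front of a .well-known metadata route, modelled as a
// pure function from a request to { status, headers }.
const ALLOWED_REQUEST_HEADERS = ['mcp-protocol-version']; // assumed allow-list

function methodGate(allowed, answerPreflight) {
  return function handle(req) {
    const method = req.method.toUpperCase();
    // A CORS preflight is an OPTIONS carrying Access-Control-Request-Method.
    const preflight = method === 'OPTIONS' &&
      'access-control-request-method' in req.headers;
    if (preflight && answerPreflight) {
      return { status: 204, headers: {
        // Assumption: metadata is public and read without credentials.
        'access-control-allow-origin': '*',
        'access-control-allow-methods': allowed.join(', '),
        'access-control-allow-headers': ALLOWED_REQUEST_HEADERS.join(', '),
      } };
    }
    if (!allowed.includes(method)) {
      return { status: 405, headers: { allow: allowed.join(', ') } };
    }
    return { status: 200, headers: { 'access-control-allow-origin': '*' } };
  };
}

// Simplified browser behaviour: preflight first, send GET only if it passes.
function browserGet(handle, origin, extraHeader) {
  const pre = handle({ method: 'OPTIONS', headers: {
    origin,
    'access-control-request-method': 'GET',
    'access-control-request-headers': extraHeader,
  } });
  const granted = (pre.headers['access-control-allow-headers'] || '')
    .split(',').map((h) => h.trim().toLowerCase());
  const originOk = ['*', origin].includes(pre.headers['access-control-allow-origin']);
  const passed = pre.status >= 200 && pre.status < 300 && originOk &&
    granted.includes(extraHeader.toLowerCase());
  if (!passed) return { sent: false, preflight: pre.status };
  return { sent: true, preflight: pre.status,
           status: handle({ method: 'GET', headers: { origin } }).status };
}

const getOnly = methodGate(['GET'], false);       // behaviour reported above
const withPreflight = methodGate(['GET'], true);  // OPTIONS preflight answered
const ORIGIN = 'http://localhost:6274';           // constructed sample origin
```

Only the preflight is answered: POST and other methods still get 405 with `Allow: GET`, and a request header outside the allow-list still fails the preflight.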

Labels: bug
