Add root-level OAuth discovery endpoint returning 404

Copilot · pelikhan · Copilot · commit 54cd9361c6a9 · 2026-02-04T22:53:47.000Z
- Add handler at /.well-known/oauth-authorization-server for both unified and routed modes
- Prevents requests from hanging by returning immediate 404 response
- Add comprehensive tests for both root and MCP-prefixed OAuth discovery paths
- Fixes timeout issues with Codex MCP client OAuth discovery attempts

Co-authored-by: pelikhan &lt;4175913+pelikhan@users.noreply.github.com&gt;
diff --git a/internal/server/routed.go b/internal/server/routed.go
@@ -82,7 +82,10 @@ func CreateHTTPServerForRoutedMode(addr string, unifiedServer *UnifiedServer, ap
 	logRouted.Printf("Creating HTTP server for routed mode: addr=%s", addr)
 	mux := http.NewServeMux()
 
-	// OAuth discovery endpoint - return 404 since we don't use OAuth
+	// OAuth discovery endpoints - return 404 since we don't use OAuth
+	// Standard path for OAuth discovery (per RFC 8414)
+	mux.Handle("/.well-known/oauth-authorization-server", withResponseLogging(handleOAuthDiscovery()))
+	// MCP-prefixed path for backward compatibility
 	mux.Handle("/mcp/.well-known/oauth-authorization-server", withResponseLogging(handleOAuthDiscovery()))
 
 	// Create routes for all backends, plus sys only if DIFC is enabled
diff --git a/internal/server/routed_test.go b/internal/server/routed_test.go
@@ -553,3 +553,61 @@ func TestCreateFilteredServer_EdgeCases(t *testing.T) {
 		assert.Equal(t, "tool2", backend2Tools[0].Name)
 	})
 }
+
+// TestCreateHTTPServerForRoutedMode_OAuth tests OAuth discovery endpoint in routed mode
+func TestCreateHTTPServerForRoutedMode_OAuth(t *testing.T) {
+	tests := []struct {
+		name           string
+		path           string
+		method         string
+		wantStatusCode int
+	}{
+		{
+			name:           "OAuthDiscovery_GET_MCPPath",
+			path:           "/mcp/.well-known/oauth-authorization-server",
+			method:         "GET",
+			wantStatusCode: http.StatusNotFound,
+		},
+		{
+			name:           "OAuthDiscovery_POST_MCPPath",
+			path:           "/mcp/.well-known/oauth-authorization-server",
+			method:         "POST",
+			wantStatusCode: http.StatusNotFound,
+		},
+		{
+			name:           "OAuthDiscovery_GET_RootPath",
+			path:           "/.well-known/oauth-authorization-server",
+			method:         "GET",
+			wantStatusCode: http.StatusNotFound,
+		},
+		{
+			name:           "OAuthDiscovery_POST_RootPath",
+			path:           "/.well-known/oauth-authorization-server",
+			method:         "POST",
+			wantStatusCode: http.StatusNotFound,
+		},
+	}
+
+	// Create minimal unified server
+	ctx := context.Background()
+	cfg := &config.Config{
+		Servers: map[string]*config.ServerConfig{},
+	}
+	us, err := NewUnified(ctx, cfg)
+	require.NoError(t, err)
+	defer us.Close()
+
+	// Create HTTP server in routed mode without API key
+	httpServer := CreateHTTPServerForRoutedMode(":0", us, "")
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			req := httptest.NewRequest(tt.method, tt.path, nil)
+			w := httptest.NewRecorder()
+
+			httpServer.Handler.ServeHTTP(w, req)
+
+			assert.Equal(t, tt.wantStatusCode, w.Code, "Should return 404 for OAuth discovery")
+		})
+	}
+}
diff --git a/internal/server/transport.go b/internal/server/transport.go
@@ -60,7 +60,10 @@ func CreateHTTPServerForMCP(addr string, unifiedServer *UnifiedServer, apiKey st
 	logTransport.Printf("Creating HTTP server for MCP: addr=%s, auth_enabled=%v", addr, apiKey != "")
 	mux := http.NewServeMux()
 
-	// OAuth discovery endpoint - return 404 since we don't use OAuth
+	// OAuth discovery endpoints - return 404 since we don't use OAuth
+	// Standard path for OAuth discovery (per RFC 8414)
+	mux.Handle("/.well-known/oauth-authorization-server", withResponseLogging(handleOAuthDiscovery()))
+	// MCP-prefixed path for backward compatibility
 	mux.Handle("/mcp/.well-known/oauth-authorization-server", withResponseLogging(handleOAuthDiscovery()))
 
 	logTransport.Print("Registering streamable HTTP handler for MCP protocol")
diff --git a/internal/server/transport_test.go b/internal/server/transport_test.go
@@ -233,17 +233,29 @@ func TestCreateHTTPServerForMCP_OAuth(t *testing.T) {
 		wantStatusCode int
 	}{
 		{
-			name:           "OAuthDiscovery_GET",
+			name:           "OAuthDiscovery_GET_MCPPath",
 			path:           "/mcp/.well-known/oauth-authorization-server",
 			method:         "GET",
 			wantStatusCode: http.StatusNotFound,
 		},
 		{
-			name:           "OAuthDiscovery_POST",
+			name:           "OAuthDiscovery_POST_MCPPath",
 			path:           "/mcp/.well-known/oauth-authorization-server",
 			method:         "POST",
 			wantStatusCode: http.StatusNotFound,
 		},
+		{
+			name:           "OAuthDiscovery_GET_RootPath",
+			path:           "/.well-known/oauth-authorization-server",
+			method:         "GET",
+			wantStatusCode: http.StatusNotFound,
+		},
+		{
+			name:           "OAuthDiscovery_POST_RootPath",
+			path:           "/.well-known/oauth-authorization-server",
+			method:         "POST",
+			wantStatusCode: http.StatusNotFound,
+		},
 	}
 
 	// Create minimal unified server
