fix(server/oauth): use URL constructor to avoid double slash in metadata proxy

[polae]

Summary

Fixes the metadata-proxy URL construction in DCR-direct OAuth mode (oauthAuth0Provider, and any other provider whose canonical issuer ends with /).

Before: \${issuer}/.well-known/oauth-authorization-server`→https://tenant.auth0.com//.well-known/...` → Auth0 returns 404 → MCP server's /.well-known/oauth-authorization-server returns 500 server_error, which aborts Claude Desktop's OAuth flow end-to-end.

After: new URL("/.well-known/oauth-authorization-server", issuer).toString() → correct URL regardless of whether issuer carries a trailing slash.

Why this matters

auth0.ts:21 deliberately stores the issuer with a trailing slash because that's the canonical form Auth0 puts in the iss claim of every JWT, and verifyToken (auth0.ts:52) validates against this exact string. So the issuer must end with /. The bug was in the consumer not accounting for that.

Repro

Closes #1482 — full reproduction steps + direct-curl evidence (200 vs 404) are there.

Test plan

• Manual: deploy MCPServer with oauthAuth0Provider({ domain, audience }), curl /.well-known/oauth-authorization-server, confirm the response is Auth0's actual metadata JSON (issuer, registration_endpoint, etc.) instead of {"error":"server_error",...}.
• Unit test: not added (no existing test file for src/server/oauth/routes.ts). Happy to add one — a mock fetch + assertion on the constructed URL would cover this. Let me know if you'd prefer that before merge.

Notes

While confirming the bug I noticed routes.ts has similar string concatenations elsewhere (lines 295/296/297/385) that build ${baseUrl}/... URLs. Those use a different baseUrl (the MCP server's own URL, not the upstream issuer), so they may be fine — but worth a grep if anyone wants to harden the file further. Out of scope for this PR.

Changeset

Patch bump on mcp-use. Included in libraries/typescript/.changeset/fix-oauth-metadata-double-slash.md.

🤖 Generated with Claude Code

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/@mcp-use/cli@1483

npm i https://pkg.pr.new/create-mcp-use-app@1483

npm i https://pkg.pr.new/@mcp-use/inspector@1483

npm i https://pkg.pr.new/mcp-use@1483

commit: e7fe8b6

[github-actions]

MCP Conformance Test Results

Commit: e7fe8b6

Server Conformance

SDK	Score	vs main	vs canary
typescript	30/30 (100%)	⚪ +0	⚪ +0

All passing — click to expand

Scenario	typescript
completion-complete	✅
dns-rebinding-protection	✅
elicitation-sep1034-defaults	✅
elicitation-sep1330-enums	✅
logging-set-level	✅
ping	✅
prompts-get-embedded-resource	✅
prompts-get-simple	✅
prompts-get-with-args	✅
prompts-get-with-image	✅
prompts-list	✅
resources-list	✅
resources-read-binary	✅
resources-read-text	✅
resources-subscribe	✅
resources-templates-read	✅
resources-unsubscribe	✅
server-initialize	✅
server-sse-multiple-streams	✅
tools-call-audio	✅
tools-call-elicitation	✅
tools-call-embedded-resource	✅
tools-call-error	✅
tools-call-image	✅
tools-call-mixed-content	✅
tools-call-sampling	✅
tools-call-simple-text	✅
tools-call-with-logging	✅
tools-call-with-progress	✅
tools-list	✅

Client Conformance

SDK	Score	vs main	vs canary
typescript-browser-client	20/20 (100%)	⚪ +0	⚪ +0
typescript-node-client	20/20 (100%)	⚪ +0	⚪ +0
typescript-react-client	20/20 (100%)	⚪ +0	⚪ +0

All passing — click to expand

Scenario	typescript-browser-client	typescript-node-client	typescript-react-client
auth/2025-03-26-oauth-endpoint-fallback	✅	✅	✅
auth/2025-03-26-oauth-metadata-backcompat	✅	✅	✅
auth/basic-cimd	✅	✅	✅
auth/metadata-default	✅	✅	✅
auth/metadata-var1	✅	✅	✅
auth/metadata-var2	✅	✅	✅
auth/metadata-var3	✅	✅	✅
auth/pre-registration	✅	✅	✅
auth/scope-from-scopes-supported	✅	✅	✅
auth/scope-from-www-authenticate	✅	✅	✅
auth/scope-omitted-when-undefined	✅	✅	✅
auth/scope-retry-limit	✅	✅	✅
auth/scope-step-up	✅	✅	✅
auth/token-endpoint-auth-basic	✅	✅	✅
auth/token-endpoint-auth-none	✅	✅	✅
auth/token-endpoint-auth-post	✅	✅	✅
elicitation-sep1034-client-defaults	✅	✅	✅
initialize	✅	✅	✅
sse-retry	✅	✅	✅
tools_call	✅	✅	✅

View full run details