fix: throw error on auth fallback for non-root AS paths

guoyangzhen · guoyangzhen · commit c748ffae7422 · 2026-03-20T23:13:21.000+08:00
Fixes #1716 When authorization server metadata discovery fails and the server URL has a non-root path, the fallback to /authorize, /token, and /register endpoints silently constructs wrong URLs (losing the path prefix). This fix throws a descriptive error instead of silently redirecting to nonexistent endpoints. Affected locations: - startAuthorization: /authorize fallback - executeTokenRequest: /token fallback - registerClient: /register fallback
diff --git a/packages/client/src/client/auth.ts b/packages/client/src/client/auth.ts
@@ -1200,6 +1200,11 @@ export async function startAuthorization(
         ) {
             throw new Error(`Incompatible auth server: does not support code challenge method ${AUTHORIZATION_CODE_CHALLENGE_METHOD}`);
         }
+    } else if (authorizationServerUrl.pathname !== '/') {
+        throw new Error(
+          `Authorization server metadata discovery failed and the server URL (${authorizationServerUrl}) has a non-root path. ` +
+          `Cannot determine the authorization endpoint. Please ensure the authorization server is reachable and supports metadata discovery.`
+        );
     } else {
         authorizationUrl = new URL('/authorize', authorizationServerUrl);
     }
@@ -1283,7 +1288,14 @@ async function executeTokenRequest(
         fetchFn?: FetchLike;
     }
 ): Promise<OAuthTokens> {
-    const tokenUrl = metadata?.token_endpoint ? new URL(metadata.token_endpoint) : new URL('/token', authorizationServerUrl);
+    const tokenUrl = metadata?.token_endpoint
+      ? new URL(metadata.token_endpoint)
+      : authorizationServerUrl.pathname !== '/'
+        ? (() => { throw new Error(
+            `Authorization server metadata discovery failed and the server URL (${authorizationServerUrl}) has a non-root path. ` +
+            `Cannot determine the token endpoint.`
+          ); })()
+        : new URL('/token', authorizationServerUrl);
 
     const headers = new Headers({
         'Content-Type': 'application/x-www-form-urlencoded',
@@ -1530,6 +1542,12 @@ export async function registerClient(
 
         registrationUrl = new URL(metadata.registration_endpoint);
     } else {
+        if (authorizationServerUrl.pathname !== '/') {
+            throw new Error(
+              `Authorization server metadata discovery failed and the server URL (${authorizationServerUrl}) has a non-root path. ` +
+              `Cannot determine the registration endpoint.`
+            );
+        }
         registrationUrl = new URL('/register', authorizationServerUrl);
     }
 
