Using /.well-known/ OAuth endpoints behind custom path on GKE #1335
Question
I am running a simple MCP server (built with FastMCP) behind a gateway on GKE with a custom path defined by an HttpRoute. I am attempting to use the /.well-known/ endpoints for OAuth authentication and authorization. Unfortunately, it seems that the routes for the /.well-known/ endpoints, as well as the other OAuth endpoints /authorize, /token, /register, and /revoke, are all hardcoded in the MCP SDK within mcp/server/auth/routes.py within the create_auth_routes() function.
So, for example...
If my MCP server is deployed at https://{my-gateway}/custom/path/
However, the well-known endpoints are pointing to https://{my-gateway}/.well-known/*, which are obviously returning 404 Not Found responses.
When starting my server, I am passing the 'path' parameter in the mcp.run() command. Using my example above, my run command would look like -- mcp.run(transport="http", host="0.0.0.0", port=8080, path="/custom/path/mcp"). However, this path parameter seems to have zero effect on the OAuth well-known endpoints.
So, the question is... Is this expected behavior, and if so, how should we run MCP servers that use well-known OAuth endpoints behind API Proxies (Apigee, APIM, etc) or GKE Gateways that require a custom path?
Additional Context
mcp version -- 1.13.1
fastmcp version -- 2.11.4.dev128+5b433f5
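
The path mismatch described in the question, as an added example (not part of the original issue, and not MCP SDK or FastMCP code): it builds the path-aware discovery URLs defined by RFC 8414 and RFC 9728 for a server published under a path, and checks them against the path prefixes a gateway forwards. The host `gateway.example`, the prefix lists and all function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Well-known URI suffixes registered by RFC 8414 and RFC 9728.
AS_METADATA = "oauth-authorization-server"
RESOURCE_METADATA = "oauth-protected-resource"


def well_known_url(identifier: str, suffix: str) -> str:
    """Insert /.well-known/<suffix> between the host and the path of an
    issuer or resource identifier (RFC 8414 s3.1, RFC 9728 s3.1)."""
    parts = urlsplit(identifier)
    path = parts.path.rstrip("/")  # a terminating "/" is removed first
    return urlunsplit((parts.scheme, parts.netloc,
                       f"/.well-known/{suffix}{path}", parts.query, ""))


def is_forwarded(url: str, prefixes: list[str]) -> bool:
    """True if the URL path falls under one of the gateway's path prefixes
    (segment-wise match, the way a path-prefix routing rule matches)."""
    path = urlsplit(url).path
    for prefix in prefixes:
        p = prefix.rstrip("/")
        if path == p or path.startswith(p + "/"):
            return True
    return False


def discovery_report(base: str, prefixes: list[str]) -> dict[str, bool]:
    """Map each discovery URL for `base` to whether the gateway forwards it."""
    urls = [well_known_url(base, AS_METADATA),
            well_known_url(base, RESOURCE_METADATA)]
    return {u: is_forwarded(u, prefixes) for u in urls}


if __name__ == "__main__":
    # Constructed sample: host and route prefixes are hypothetical.
    base = "https://gateway.example/custom/path/"
    for routes in (["/custom/path"], ["/custom/path", "/.well-known"]):
        print("gateway forwards:", routes)
        for url, ok in discovery_report(base, routes).items():
            print("  ", "forwarded" if ok else "NOT ROUTED", url)
```

Under these conventions the discovery documents live at the root of the host, so a route that forwards only the custom path prefix never delivers those requests to the server.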