/.well-known/oauth-protected-resource returns 404 while /.well-known/oauth-protected-resource/mcp returns 200

[xanoysky]

Description

When deployed, the OAuth protected-resource discovery endpoint is sometimes only exposed under the MCP mount prefix (e.g. /mcp/.well-known/oauth-protected-resource) while the standard root path /.well-known/oauth-protected-resource returns 404. This breaks VS Code and other OAuth clients that expect the standard discovery URL.

Example logs:

INFO: xx.xxx.xx.xx:YYYYY - "GET /.well-known/oauth-protected-resource HTTP/1.1" 404 Not Found
INFO: xx.xxx.xx.xxx:YYYYY - "GET /.well-known/oauth-protected-resource/mcp HTTP/1.1" 200 OK

Example Code

Version Information

FastMCP version:                                                                        2.12.4
MCP version:                                                                            1.13.1
Python version:                                                                         3.11.4

[jlowin]

I don’t think this is the case in most testing so I need an MRE of how you’re configuring your server to test and solve!

[jlowin]

I've opened #2119 which solves the problem you described in text (the mount path prefixing the .well-known path). However note that the problem in your logs is subtly different; MCP permits path-scoped protected resource urls like /.well-known/oauth-protected-resource/mcp

[jlowin]

Sorry I believe this is actually related to modelcontextprotocol/python-sdk#1407 and affects FastMCP users running mcp==1.17 or higher

[jlowin]

See also https://github.com/jlowin/fastmcp/releases/tag/v2.12.5 as an interim solution