Conversation

@allenzhou101 (Contributor)

This PR defines how to construct the OAuth server's base URL from the SSE endpoint URL. This base URL is used to locate both the Metadata Discovery endpoint and Fallback authorization endpoints.

Motivation and Context

The draft Authorization Specification includes mention of a baseUrl that the Metadata and Fallback endpoints are constructed relative to. However, it doesn't specify how to actually construct this baseUrl.

In the original Authorization Support PR there was some discussion about having a stricter definition for the server's baseUrl although at the time it was unspecified.

Given the implementations of OAuth Metadata Discovery in the Inspector and Typescript SDK it seems the baseUrl is derived from simply taking the scheme, protocol, and port from the SSE Url used during connection.

It's necessary for MCP Clients to understand how to construct this URL in order to properly authenticate, so this PR formalizes the definition relative to the SSE Url.

Another tiny problem was that there were multiple 2.3.1 sections in the Authorization page.

How Has This Been Tested?

Verified by running the docs locally that all links and references are correct and that everything looks fine visually.

Breaking Changes

None

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Additional context

The downside of this approach is the inflexibility it provides when wanting to host multiple MCP Servers on one domain. Down the line we'll likely want to allow the MCP Client to explicitly configure the Base/Issuer URL which would take priority. Also it's weird from the perspective of URL structure inconsistency, version management, etc.

Other options include:

  • Allow the server to specify its base URL in the SSE response headers or 401 Unauthorized response (already discussed in the Authorization Support PR as not ideal for client implementation)
  • Separate discovery endpoint (eg. /.well-known/mcp) - was also discussed already
  • Preserve path and simply remove the outermost layer (e.g. example.com/api/sse becomes example.com/api) - Think this is also a reasonable approach but maybe a little more complicated to handle as a client
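The derivation this PR formalizes, as an added worked example (not code from the MCP specification, the Inspector or the TypeScript SDK): the authorization base URL is the SSE endpoint URL with its path replaced, keeping scheme, host and port. The block also implements the "preserve path, strip the outermost segment" alternative from the list above, and a client-side override hook for an explicitly configured base URL, which the PR mentions only as likely future work. The endpoint paths resolved at the end (RFC 8414 metadata, `authorize`, `token`, `register`) are assumptions for illustration; the PR text names the Metadata Discovery and Fallback endpoints but not their paths.

```typescript
// Added example, not code from the MCP spec, Inspector or TypeScript SDK.
// Demonstrates the rule this PR formalizes: authorization base URL =
// SSE endpoint URL with its path replaced (scheme, host and port kept),
// alongside the "strip the outermost path segment" alternative.

/** Merged approach: keep scheme, host and port; drop path, query and fragment. */
export function authorizationBaseUrl(sseUrl: string): string {
  const u = new URL(sseUrl);
  // URL.origin already omits default ports (":443" on https, ":80" on http),
  // so two SSE URLs that differ only in an explicit default port agree here.
  return `${u.origin}/`;
}

/**
 * Alternative listed under "Other options": keep the path but remove the
 * outermost segment, so https://example.com/api/sse -> https://example.com/api/.
 */
export function parentPathBaseUrl(sseUrl: string): string {
  const u = new URL(sseUrl);
  const segments = u.pathname.split("/").filter((s) => s.length > 0);
  segments.pop(); // drop the endpoint's own segment (e.g. "sse")
  const path = segments.length > 0 ? `/${segments.join("/")}/` : "/";
  return `${u.origin}${path}`;
}

/**
 * Client-side selection. An explicitly configured base/issuer URL takes
 * priority (the PR anticipates this as future work; it is an assumption here),
 * otherwise the base URL is derived from the SSE URL.
 */
export function selectBaseUrl(sseUrl: string, configuredBaseUrl?: string): string {
  if (configuredBaseUrl !== undefined) {
    const c = new URL(configuredBaseUrl);
    // Normalize to a trailing slash so relative resolution in resolveEndpoints
    // appends to the configured path instead of replacing its last segment.
    return c.href.endsWith("/") ? c.href : `${c.href}/`;
  }
  return authorizationBaseUrl(sseUrl);
}

/**
 * Endpoints resolved relative to the base URL. Paths are assumptions for
 * illustration (metadata per RFC 8414; fallback authorize/token/register).
 * With an origin-only base the relative metadata path lands at the host root,
 * which is where RFC 8414 places it for an issuer without a path component.
 */
export function resolveEndpoints(baseUrl: string) {
  return {
    metadata: new URL(".well-known/oauth-authorization-server", baseUrl).href,
    authorize: new URL("authorize", baseUrl).href,
    token: new URL("token", baseUrl).href,
    register: new URL("register", baseUrl).href,
  };
}
```

Because the base URL is taken from the origin of the SSE URL the client already trusts enough to connect to, the metadata and fallback endpoints can never land on a different host than the MCP server itself unless the client has been explicitly configured with another issuer; that same property is what makes hosting several MCP servers under one origin awkward, as the Additional context below notes.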

@jspahrsummers (Member) left a comment

Thanks, this is a good thing to clarify! To be more precise in how this works, though, this is really just a path replacement on a URL.

@allenzhou101 (Contributor, Author)

Agreed, thanks!

@jspahrsummers (Member) left a comment

Thank you!

@jspahrsummers jspahrsummers merged commit bb1446f into modelcontextprotocol:main Feb 18, 2025
2 checks passed
@allenzhou101 allenzhou101 deleted the feature/authorization-base-url branch February 18, 2025 18:10