change issuer semantics

Author: pcarleton

src/mcp/server/auth/settings.py

@@ -15,15 +15,9 @@ class RevocationOptions(BaseModel):
 class AuthSettings(BaseModel):
     issuer_url: AnyHttpUrl = Field(
         ...,
-        description="Base URL where this server is reachable. For AS: OAuth issuer URL. For RS: Resource server URL.",
+        description="OAuth authorization server URL that issues tokens for this resource server.",
     )
     service_documentation_url: AnyHttpUrl | None = None
     client_registration_options: ClientRegistrationOptions | None = None
     revocation_options: RevocationOptions | None = None
     required_scopes: list[str] | None = None
-
-    # Resource Server settings (when operating as RS only)
-    authorization_servers: list[AnyHttpUrl] | None = Field(
-        None,
-        description="Authorization servers that can issue tokens for this resource (RS mode)",
-    )

src/mcp/server/fastmcp/server.py

@@ -120,6 +120,14 @@ class Settings(BaseSettings, Generic[LifespanResultT]):
     # Transport security settings (DNS rebinding protection)
     transport_security: TransportSecuritySettings | None = None
 
+    def get_resource_server_url(self) -> str:
+        """Construct the resource server URL from host and port settings."""
+        scheme = "https" if self.port == 443 else "http"
+        if self.port in (80, 443):
+            return f"{scheme}://{self.host}"
+        else:
+            return f"{scheme}://{self.host}:{self.port}"
+
 
 def lifespan_wrapper(
     app: FastMCP,
@@ -743,11 +751,12 @@ async def handle_sse(scope: Scope, receive: Receive, send: Send):
         if self._token_verifier:
             # Determine resource metadata URL
             resource_metadata_url = None
-            if self.settings.auth and self.settings.auth.authorization_servers:
+            if self.settings.auth:
                 from pydantic import AnyHttpUrl
 
+                resource_server_url = self.settings.get_resource_server_url()
                 resource_metadata_url = AnyHttpUrl(
-                    str(self.settings.auth.issuer_url).rstrip("/") + "/.well-known/oauth-protected-resource"
+                    resource_server_url.rstrip("/") + "/.well-known/oauth-protected-resource"
                 )
 
             # Auth is enabled, wrap the endpoints with RequireAuthMiddleware
@@ -785,13 +794,15 @@ async def sse_endpoint(request: Request) -> Response:
                 )
             )
         # Add protected resource metadata endpoint if configured as RS
-        if self.settings.auth and self.settings.auth.authorization_servers:
+        if self.settings.auth:
             from mcp.server.auth.routes import create_protected_resource_routes
+            from pydantic import AnyHttpUrl
 
+            resource_server_url = AnyHttpUrl(self.settings.get_resource_server_url())
             routes.extend(
                 create_protected_resource_routes(
-                    resource_url=self.settings.auth.issuer_url,
-                    authorization_servers=self.settings.auth.authorization_servers,
+                    resource_url=resource_server_url,
+                    authorization_servers=[self.settings.auth.issuer_url],
                     scopes_supported=self.settings.auth.required_scopes,
                 )
             )
@@ -858,11 +869,12 @@ async def handle_streamable_http(scope: Scope, receive: Receive, send: Send) ->
         if self._token_verifier:
             # Determine resource metadata URL
             resource_metadata_url = None
-            if self.settings.auth and self.settings.auth.authorization_servers:
+            if self.settings.auth:
                 from pydantic import AnyHttpUrl
 
+                resource_server_url = self.settings.get_resource_server_url()
                 resource_metadata_url = AnyHttpUrl(
-                    str(self.settings.auth.issuer_url).rstrip("/") + "/.well-known/oauth-protected-resource"
+                    resource_server_url.rstrip("/") + "/.well-known/oauth-protected-resource"
                 )
 
             routes.append(
@@ -881,14 +893,16 @@ async def handle_streamable_http(scope: Scope, receive: Receive, send: Send) ->
             )
 
         # Add protected resource metadata endpoint if configured as RS
-        if self.settings.auth and self.settings.auth.authorization_servers:
+        if self.settings.auth:
             from mcp.server.auth.handlers.metadata import ProtectedResourceMetadataHandler
             from mcp.server.auth.routes import cors_middleware
             from mcp.shared.auth import ProtectedResourceMetadata
+            from pydantic import AnyHttpUrl
 
+            resource_server_url = AnyHttpUrl(self.settings.get_resource_server_url())
             protected_resource_metadata = ProtectedResourceMetadata(
-                resource=self.settings.auth.issuer_url,
-                authorization_servers=self.settings.auth.authorization_servers,
+                resource=resource_server_url,
+                authorization_servers=[self.settings.auth.issuer_url],
                 scopes_supported=self.settings.auth.required_scopes,
             )
             routes.append(