Using /.well-known/ OAuth endpoints behind custom path on GKE

[whitewg77]

Question

I am running a simple MCP server (built with FastMCP) behind a gateway on GKE with an custom path defined by an HttpRoute. I am attempting to use the /.well-known/ endpoints for OAuth authentication and authorization. Unfortunately, it seems that the routes for the /.well-known/ endpoints; as well as the other OAuth endpoints /authorize, /token, /register, and /revoke, are all hardcoded in the MCP SDK within mcp/server/auth/routes.py within the create_auth_routes() function.

So, for example...

If my MCP server is deployed at https://{my-gateway}/custom/path/
However, the well-known endpoints are pointing to https://{my-gateway}/.well-known/*, which are obviously returning 404 Not Found responses.

When starting my server, I am passing the 'path' parameter in the mcp.run() command. Using my example above, my run command would look like -- mcp.run(transport="http", host="0.0.0.0", port=8080, path="/custom/path/mcp"). However, this path parameter seems to have zero effect on the OAuth well-known endpoints.

So, the question is... Is this expected behavior, and if so, how should we run MCP servers that use well-knonw OAuth endpoints behind API Proxies (Apigee, APIM, etc) or GKE Gateways that require a custom path?

Additional Context

mcp version -- 1.13.1
fastmcp version -- 2.11.4.dev128+5b433f5

[shulkx]

I think it is related with this pull request: #1288

[whitewg77]

Thanks @shulkx for the pull request link. However, the listed Expected Behavior in this pull request states: "The .well-known/oauth-protected-resource endpoint should always be served at the root path (/.well-known/oauth-protected-resource) regardless of the resource_server_url configuration". That seems the exact opposite of what would be needed in use cases like mine where the MCP server must run at a custom path. When attached to a GKE gateway (or Api proxy such as Apigee), serving the well-known endpoints from the root path is always going to return 404 responses.

[shulkx]

Hi @whitewg77 - The root cause is because the well-known URL generated for WWW authenticated header (used to tell the client where the well-known endpoint is) and the real well-known route endpoint are mismatched.

For WWW authenticated header, the existing implementation appends the .well-known/oauth-protected-resource directly after the resource_server_url.

http://0.0.0.0:8000/custom/path/mcp/.well-known/oauth-protected-resource

For route endpoint generation, it append the .well-known/oauth-protected-resource directly after the root URL.

http://0.0.0.0:8000/.well-known/oauth-protected-resource

Therefore, if we have customized path, it will cause a mismatch between those two and lead to 404.

I have implemented a fix for this #1407.