fix(private-server): return 404 for /.well-known/ OAuth discovery#274
Merged
MCP clients (Claude Code) probe /.well-known/oauth-protected-resource to discover OAuth. The SPA fallback answered 200 text/html (index.html), which the client fails to parse as JSON and reports as 'needs authentication / SDK auth failed: Failed to parse JSON'. Serve 404 for /.well-known/ so the client concludes there's no OAuth and connects with the ambient Tailscale identity instead. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
🤖 Follow-up to #273. With the Host check fixed, the MCP endpoint's `initialize` returns 200, but Claude Code still reports `needs authentication` / `SDK auth failed: Failed to parse JSON`.

Cause

MCP clients probe `/.well-known/oauth-protected-resource` (and friends) to discover OAuth. The SPA fallback answered those with `200 text/html` (the React `index.html`), so the client tried to `JSON.parse` HTML and failed — surfacing as "needs authentication".

Verified against the live deployment:

Fix

Serve `404` for `/.well-known/` paths instead of the SPA. Per the MCP auth spec a 404 on the protected-resource metadata means "not an OAuth-protected resource", so the client connects with the ambient identity — which here is injected by the Tailscale ingress.

Adds a regression test asserting the OAuth discovery paths return 404.
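The failure mode and the fix described in this PR, reduced to a self-contained Go `net/http` example. This is an added illustration, not the project's own server code: the real server's language and routing are not shown on the page, and the `/mcp` path, the stub MCP handler, and the inline `index.html` are assumptions constructed for the example. `NewHandler(false)` reproduces the pre-fix behaviour (the SPA catch-all answers the discovery probe with `200 text/html`), `NewHandler(true)` registers a `/.well-known/` route that returns 404 ahead of the fallback, and `Probe` observes what an MCP client's discovery request would see.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Stand-in for the built React index.html (constructed for this example).
const indexHTML = `<!doctype html><html><body><div id="root"></div></body></html>`

// serveSPA is the catch-all fallback: every unknown path gets index.html so that
// client-side routing works. This is the behaviour that swallowed OAuth discovery.
func serveSPA(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	fmt.Fprint(w, indexHTML)
}

// mcpStub stands in for the MCP endpoint (assumed path; the real handler is not on the page).
func mcpStub(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	fmt.Fprint(w, `{"jsonrpc":"2.0","id":1,"result":{}}`)
}

// NewHandler builds the server mux. With wellKnown404 == false it reproduces the
// pre-fix routing (SPA fallback answers /.well-known/); with true it applies the fix.
func NewHandler(wellKnown404 bool) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/mcp", mcpStub)
	if wellKnown404 {
		// Every /.well-known/ path is answered with 404 before the SPA fallback sees it.
		// Per the MCP auth spec, 404 on the protected-resource metadata means
		// "not an OAuth-protected resource", so the client falls back to ambient identity.
		mux.HandleFunc("/.well-known/", func(w http.ResponseWriter, r *http.Request) {
			http.NotFound(w, r)
		})
	}
	mux.HandleFunc("/", serveSPA)
	return mux
}

// Probe performs a GET against the handler and returns status code and Content-Type,
// mirroring what an MCP client's discovery request would observe.
func Probe(h http.Handler, path string) (int, string) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code, rec.Header().Get("Content-Type")
}

// LooksLikeJSON reports whether a response body is even plausibly JSON; a 200 whose
// Content-Type fails this check is exactly the "Failed to parse JSON" case from the PR.
func LooksLikeJSON(contentType string) bool {
	return strings.HasPrefix(contentType, "application/json")
}

func main() {
	for _, fixed := range []bool{false, true} {
		code, ct := Probe(NewHandler(fixed), "/.well-known/oauth-protected-resource")
		fmt.Printf("fixed=%v -> %d %q jsonish=%v\n", fixed, code, ct, LooksLikeJSON(ct))
	}
}
```

The regression check the PR adds corresponds to asserting `Probe(NewHandler(true), "/.well-known/oauth-protected-resource")` returns 404 while `/mcp` and ordinary SPA routes keep their previous responses; registering the `/.well-known/` route as a subtree pattern (trailing slash) is what makes it cover `oauth-authorization-server` and the other discovery paths as well.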