Describe the bug
The official MCP client at https://github.com/modelcontextprotocol/python-sdk expects to be able to fetch a Protected Resource Metadata document in order to locate the correct auth server.
Specifically, for an MCP server at e.g. https://api.salesforce.com/platform/mcp/v1-beta.2/sandbox/sobject-all, the client tries to fetch one of:
https://api.salesforce.com/.well-known/oauth-protected-resource/platform/mcp/v1-beta.2/sandbox/sobject-all
https://api.salesforce.com/.well-known/oauth-protected-resource
It appears that Salesforce has not implemented either of those URLs. The client then falls back to directly fetching https://api.salesforce.com/.well-known/oauth-authorization-server, which is wrong for sandbox servers: the correct document is at https://api.salesforce.com/.well-known/oauth-authorization-server/platform/mcp/v1-beta.2/sandbox/sobject-all.
Before the protected resource flow was implemented, the Python MCP client used to directly fetch the correct auth server metadata document, but that was removed in modelcontextprotocol/python-sdk#1624, which has a note:
> Breaking Changes
>
> Some invalid server configurations will no longer work (these violate RFC specifications):
> - No PRM available AND OASM at a path other than root
> - PRM returns auth server URL with path, but OASM only exists at root
>
> These configurations are not expected to exist in practice.
The Salesforce MCP server should add support for the Protected Resource Metadata document, both for compatibility with the official client SDK and because this document is listed as a MUST requirement in MCP protocol 2025-06-18 and newer. (https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization#authorization-flow, https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization#authorization-server-location)
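The discovery order described above, as an added example (not code from the python-sdk or from Salesforce): it builds the two PRM candidate URLs for the sandbox resource, the `WWW-Authenticate` header the server is expected to return, and a `discover()` that falls back to the root OASM only when no PRM is found, rejecting any PRM whose `resource` field does not name the resource that was asked for. The `fetch` callable and the issuer URL are constructed stand-ins for the responses in the log.

```python
import re
from urllib.parse import urlsplit, urlunsplit

PRM = "/.well-known/oauth-protected-resource"
OASM = "/.well-known/oauth-authorization-server"

def _at_origin(resource_url, path):
    p = urlsplit(resource_url)
    return urlunsplit((p.scheme, p.netloc, path, "", ""))

def prm_urls(resource_url):
    """PRM candidates in the order the SDK tries them: path-aware first, then root."""
    path = urlsplit(resource_url).path.rstrip("/")
    head = [_at_origin(resource_url, PRM + path)] if path else []
    return head + [_at_origin(resource_url, PRM)]

def www_authenticate(resource_url):
    """Header the resource server should attach to its 401 (RFC 9728 resource_metadata)."""
    return 'Bearer resource_metadata="%s"' % prm_urls(resource_url)[0]

def parse_resource_metadata(header):
    m = re.search(r'resource_metadata="([^"]+)"', header or "")
    return m.group(1) if m else None

def discover(resource_url, fetch, www_auth=None):
    """fetch(url) -> (status, json_or_None). Returns where the auth server was found."""
    hinted = parse_resource_metadata(www_auth)
    candidates = ([hinted] if hinted else []) + [u for u in prm_urls(resource_url) if u != hinted]
    for url in candidates:
        status, doc = fetch(url)
        if status != 200 or not doc:
            continue
        # RFC 9728 check: the document must describe the resource we actually asked for
        if (doc.get("resource") or "").rstrip("/") != resource_url.rstrip("/"):
            continue
        if doc.get("authorization_servers"):
            return {"via": "prm", "url": url, "authorization_servers": doc["authorization_servers"]}
    # Degraded path from the report: no PRM, so only the root OASM is consulted
    root = _at_origin(resource_url, OASM)
    status, doc = fetch(root)
    return {"via": "root-oasm", "url": root, "issuer": doc.get("issuer")} if status == 200 and doc else None

RESOURCE = "https://api.salesforce.com/platform/mcp/v1-beta.2/sandbox/sobject-all"

def fetch_as_logged(url):
    """Constructed stand-in for the responses in the issue's log: PRM 404s, root OASM 200."""
    if url == _at_origin(RESOURCE, OASM):
        return 200, {"issuer": "https://auth.example.invalid/prod"}  # placeholder issuer
    return 404, None
```

Running `discover(RESOURCE, fetch_as_logged)` reproduces the log: both PRM URLs miss and the client ends up on the root OASM, which is the wrong document for the sandbox.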
Steps to reproduce
- Fetch https://api.salesforce.com/platform/mcp/v1-beta.2/sandbox/sobject-all
Expected behavior
Server should return a WWW-Authenticate response header pointing at https://api.salesforce.com/.well-known/oauth-protected-resource/platform/mcp/v1-beta.2/sandbox/sobject-all
Actual behavior
Server returns no response header. Server returns a 404 for https://api.salesforce.com/.well-known/oauth-protected-resource/platform/mcp/v1-beta.2/sandbox/sobject-all
Environment
Sandbox; python library mcp = "1.26.0"
Logs / error output
HTTP Request: POST https://api.salesforce.com/platform/mcp/v1-beta.2/sandbox/sobject-all "HTTP/1.1 401 Unauthorized"
HTTP Request: GET https://api.salesforce.com/.well-known/oauth-protected-resource/platform/mcp/v1-beta.2/sandbox/sobject-all "HTTP/1.1 404 Not Found"
Protected resource metadata discovery failed: https://api.salesforce.com/.well-known/oauth-protected-resource/platform/mcp/v1-beta.2/sandbox/sobject-all
HTTP Request: GET https://api.salesforce.com/.well-known/oauth-protected-resource "HTTP/1.1 404 Not Found"
Protected resource metadata discovery failed: https://api.salesforce.com/.well-known/oauth-protected-resource
HTTP Request: GET https://api.salesforce.com/.well-known/oauth-authorization-server "HTTP/1.1 200 OK"
Additional context
No response