Merge b766a23e36 into 3b3e12b43a

fix: MCP OAuth discovery via Protected Resource metadata flow
When an MCP server's OAuth authorization server is on a different domain (e.g., Todoist MCP at ai.todoist.net with OAuth at todoist.com), the current implementation fails because it only looks for OAuth metadata at the MCP server's domain. This commit implements the full MCP Protected Resource discovery flow as specified in the MCP authorization spec: 1. Make an unauthenticated request to the MCP endpoint 2. Parse the WWW-Authenticate header to get the resource_metadata URL 3. Fetch the Protected Resource metadata 4. Extract the authorization_servers array 5. Use those servers for OAuth metadata discovery The fix is backwards-compatible - if Protected Resource discovery fails, it falls back to the existing behavior. Fixes #19794
2025-12-11 20:05:19 +00:00 · 2025-12-11 10:29:19 +03:00 · 2025-12-07 12:53:22 +11:00 · 2025-12-02 17:28:46 -05:00 · 2025-11-25 06:01:33 -05:00 · 2025-11-25 05:31:34 -05:00
1 changed files with 77 additions and 2 deletions
--- a/backend/open_webui/utils/oauth.py
+++ b/backend/open_webui/utils/oauth.py
@ -241,6 +241,61 @@ def is_in_blocked_groups(group_name: str, groups: list) -> bool:
    return False


+async def discover_authorization_server_from_mcp(mcp_server_url: str) -> list[str]:
+    """
+    Discover OAuth authorization servers by following the MCP Protected Resource flow.
+
+    According to the MCP spec (https://modelcontextprotocol.io/specification/2025-03-26/basic/authorization):
+    1. Make an unauthenticated request to the MCP endpoint
+    2. Parse WWW-Authenticate header to get resource_metadata URL
+    3. Fetch Protected Resource metadata to get authorization_servers
+
+    Returns:
+        List of authorization server base URLs, or empty list if discovery fails
+    """
+    authorization_servers = []
+
+    try:
+        # Step 1: Make unauthenticated request to MCP endpoint to get WWW-Authenticate header
+        async with aiohttp.ClientSession(trust_env=True) as session:
+            async with session.post(
+                mcp_server_url,
+                json={"jsonrpc": "2.0", "method": "initialize", "params": {}, "id": 1},
+                headers={"Content-Type": "application/json"},
+                ssl=AIOHTTP_CLIENT_SESSION_SSL,
+            ) as response:
+                if response.status == 401:
+                    www_auth = response.headers.get("WWW-Authenticate", "")
+
+                    # Parse resource_metadata from WWW-Authenticate header
+                    # Format: Bearer resource_metadata="https://..."
+                    match = re.search(r'resource_metadata="([^"]+)"', www_auth)
+                    if match:
+                        resource_metadata_url = match.group(1)
+                        log.debug(f"Found resource_metadata URL: {resource_metadata_url}")
+
+                        # Step 2: Fetch Protected Resource metadata
+                        async with session.get(
+                            resource_metadata_url, ssl=AIOHTTP_CLIENT_SESSION_SSL
+                        ) as resource_response:
+                            if resource_response.status == 200:
+                                resource_metadata = await resource_response.json()
+
+                                # Step 3: Extract authorization_servers
+                                servers = resource_metadata.get(
+                                    "authorization_servers", []
+                                )
+                                if servers:
+                                    authorization_servers = servers
+                                    log.debug(
+                                        f"Discovered authorization servers: {servers}"
+                                    )
+    except Exception as e:
+        log.debug(f"MCP Protected Resource discovery failed: {e}")
+
+    return authorization_servers
+
+
 def get_parsed_and_base_url(server_url) -> tuple[urllib.parse.ParseResult, str]:
    parsed = urllib.parse.urlparse(server_url)
    base_url = f"{parsed.scheme}://{parsed.netloc}"
@ -303,9 +358,29 @@ async def get_oauth_client_info_with_dynamic_client_registration(
            response_types=["code"],
        )

+        # First, try MCP Protected Resource discovery flow
+        # This handles cases where the OAuth server is on a different domain than the MCP server
+        # (e.g., Todoist MCP at ai.todoist.net, OAuth at todoist.com)
+        authorization_servers = await discover_authorization_server_from_mcp(
+            oauth_server_url
+        )
+
+        # Build discovery URLs - prioritize authorization servers from MCP discovery
+        all_discovery_urls = []
+        for auth_server in authorization_servers:
+            auth_server = auth_server.rstrip("/")
+            all_discovery_urls.extend(
+                [
+                    f"{auth_server}/.well-known/oauth-authorization-server",
+                    f"{auth_server}/.well-known/openid-configuration",
+                ]
+            )
+
+        # Fall back to standard discovery URLs based on the MCP server URL
+        all_discovery_urls.extend(get_discovery_urls(oauth_server_url))
+
        # Attempt to fetch OAuth server metadata to get registration endpoint & scopes
-        discovery_urls = get_discovery_urls(oauth_server_url)
-        for url in discovery_urls:
+        for url in all_discovery_urls:
            async with aiohttp.ClientSession(trust_env=True) as session:
                async with session.get(
                    url, ssl=AIOHTTP_CLIENT_SESSION_SSL
Author	SHA1	Message	Date
jamie-dit	5463f58d0d	Merge `b766a23e36` into `3b3e12b43a`	2025-12-11 10:29:19 +03:00
jamie	b766a23e36	fix: MCP OAuth discovery via Protected Resource metadata flow When an MCP server's OAuth authorization server is on a different domain (e.g., Todoist MCP at ai.todoist.net with OAuth at todoist.com), the current implementation fails because it only looks for OAuth metadata at the MCP server's domain. This commit implements the full MCP Protected Resource discovery flow as specified in the MCP authorization spec: 1. Make an unauthenticated request to the MCP endpoint 2. Parse the WWW-Authenticate header to get the resource_metadata URL 3. Fetch the Protected Resource metadata 4. Extract the authorization_servers array 5. Use those servers for OAuth metadata discovery The fix is backwards-compatible - if Protected Resource discovery fails, it falls back to the existing behavior. Fixes #19794	2025-12-07 12:53:22 +11:00
Tim Baek	6f1486ffd0	Merge pull request #19466 from open-webui/dev Some checks failed Python CI / Format Backend (push) Has been cancelled Details Frontend Build / Format & Build Frontend (push) Has been cancelled Details Frontend Build / Frontend Unit Tests (push) Has been cancelled Details Release / release (push) Has been cancelled Details Deploy to HuggingFace Spaces / check-secret (push) Has been cancelled Details Create and publish Docker images with specific build args / build-main-image (linux/amd64, ubuntu-latest) (push) Has been cancelled Details Create and publish Docker images with specific build args / build-main-image (linux/arm64, ubuntu-24.04-arm) (push) Has been cancelled Details Create and publish Docker images with specific build args / build-cuda-image (linux/amd64, ubuntu-latest) (push) Has been cancelled Details Create and publish Docker images with specific build args / build-cuda-image (linux/arm64, ubuntu-24.04-arm) (push) Has been cancelled Details Create and publish Docker images with specific build args / build-cuda126-image (linux/amd64, ubuntu-latest) (push) Has been cancelled Details Create and publish Docker images with specific build args / build-cuda126-image (linux/arm64, ubuntu-24.04-arm) (push) Has been cancelled Details Create and publish Docker images with specific build args / build-ollama-image (linux/amd64, ubuntu-latest) (push) Has been cancelled Details Create and publish Docker images with specific build args / build-ollama-image (linux/arm64, ubuntu-24.04-arm) (push) Has been cancelled Details Create and publish Docker images with specific build args / build-slim-image (linux/amd64, ubuntu-latest) (push) Has been cancelled Details Create and publish Docker images with specific build args / build-slim-image (linux/arm64, ubuntu-24.04-arm) (push) Has been cancelled Details Release to PyPI / release (push) Has been cancelled Details Deploy to HuggingFace Spaces / deploy (push) Has been cancelled Details Create and publish Docker images with specific build args / merge-main-images (push) Has been cancelled Details Create and publish Docker images with specific build args / merge-cuda-images (push) Has been cancelled Details Create and publish Docker images with specific build args / merge-cuda126-images (push) Has been cancelled Details Create and publish Docker images with specific build args / merge-ollama-images (push) Has been cancelled Details Create and publish Docker images with specific build args / merge-slim-images (push) Has been cancelled Details 0.6.41	2025-12-02 17:28:46 -05:00
Tim Baek	140605e660	Merge pull request #19462 from open-webui/dev Some checks failed Release to PyPI / release (push) Has been cancelled Details Release / release (push) Has been cancelled Details Deploy to HuggingFace Spaces / check-secret (push) Has been cancelled Details Create and publish Docker images with specific build args / build-main-image (linux/amd64, ubuntu-latest) (push) Has been cancelled Details Create and publish Docker images with specific build args / build-main-image (linux/arm64, ubuntu-24.04-arm) (push) Has been cancelled Details Create and publish Docker images with specific build args / build-cuda-image (linux/amd64, ubuntu-latest) (push) Has been cancelled Details Create and publish Docker images with specific build args / build-cuda-image (linux/arm64, ubuntu-24.04-arm) (push) Has been cancelled Details Create and publish Docker images with specific build args / build-cuda126-image (linux/amd64, ubuntu-latest) (push) Has been cancelled Details Create and publish Docker images with specific build args / build-cuda126-image (linux/arm64, ubuntu-24.04-arm) (push) Has been cancelled Details Create and publish Docker images with specific build args / build-ollama-image (linux/amd64, ubuntu-latest) (push) Has been cancelled Details Create and publish Docker images with specific build args / build-ollama-image (linux/arm64, ubuntu-24.04-arm) (push) Has been cancelled Details Create and publish Docker images with specific build args / build-slim-image (linux/amd64, ubuntu-latest) (push) Has been cancelled Details Create and publish Docker images with specific build args / build-slim-image (linux/arm64, ubuntu-24.04-arm) (push) Has been cancelled Details Python CI / Format Backend (push) Has been cancelled Details Frontend Build / Format & Build Frontend (push) Has been cancelled Details Frontend Build / Frontend Unit Tests (push) Has been cancelled Details Deploy to HuggingFace Spaces / deploy (push) Has been cancelled Details Create and publish Docker images with specific build args / merge-main-images (push) Has been cancelled Details Create and publish Docker images with specific build args / merge-cuda-images (push) Has been cancelled Details Create and publish Docker images with specific build args / merge-cuda126-images (push) Has been cancelled Details Create and publish Docker images with specific build args / merge-ollama-images (push) Has been cancelled Details Create and publish Docker images with specific build args / merge-slim-images (push) Has been cancelled Details 0.6.40	2025-11-25 06:01:33 -05:00
Tim Baek	9899293f05	Merge pull request #19448 from open-webui/dev 0.6.39	2025-11-25 05:31:34 -05:00
Tim Baek	e3faec62c5	Merge pull request #19416 from open-webui/dev Some checks are pending Release / release (push) Waiting to run Details Deploy to HuggingFace Spaces / check-secret (push) Waiting to run Details Deploy to HuggingFace Spaces / deploy (push) Blocked by required conditions Details Create and publish Docker images with specific build args / build-main-image (linux/amd64, ubuntu-latest) (push) Waiting to run Details Create and publish Docker images with specific build args / build-main-image (linux/arm64, ubuntu-24.04-arm) (push) Waiting to run Details Create and publish Docker images with specific build args / build-cuda-image (linux/amd64, ubuntu-latest) (push) Waiting to run Details Create and publish Docker images with specific build args / build-cuda-image (linux/arm64, ubuntu-24.04-arm) (push) Waiting to run Details Create and publish Docker images with specific build args / build-cuda126-image (linux/amd64, ubuntu-latest) (push) Waiting to run Details Create and publish Docker images with specific build args / build-cuda126-image (linux/arm64, ubuntu-24.04-arm) (push) Waiting to run Details Create and publish Docker images with specific build args / build-ollama-image (linux/amd64, ubuntu-latest) (push) Waiting to run Details Create and publish Docker images with specific build args / build-ollama-image (linux/arm64, ubuntu-24.04-arm) (push) Waiting to run Details Create and publish Docker images with specific build args / build-slim-image (linux/amd64, ubuntu-latest) (push) Waiting to run Details Create and publish Docker images with specific build args / build-slim-image (linux/arm64, ubuntu-24.04-arm) (push) Waiting to run Details Create and publish Docker images with specific build args / merge-main-images (push) Blocked by required conditions Details Create and publish Docker images with specific build args / merge-cuda-images (push) Blocked by required conditions Details Create and publish Docker images with specific build args / merge-cuda126-images (push) Blocked by required conditions Details Create and publish Docker images with specific build args / merge-ollama-images (push) Blocked by required conditions Details Create and publish Docker images with specific build args / merge-slim-images (push) Blocked by required conditions Details Python CI / Format Backend (push) Waiting to run Details Frontend Build / Format & Build Frontend (push) Waiting to run Details Frontend Build / Frontend Unit Tests (push) Waiting to run Details Release to PyPI / release (push) Waiting to run Details 0.6.38	2025-11-24 07:00:31 -05:00
Tim Baek	fc05e0a6c5	Merge pull request #19405 from open-webui/dev Some checks are pending Release / release (push) Waiting to run Details Deploy to HuggingFace Spaces / check-secret (push) Waiting to run Details Deploy to HuggingFace Spaces / deploy (push) Blocked by required conditions Details Create and publish Docker images with specific build args / build-main-image (linux/amd64, ubuntu-latest) (push) Waiting to run Details Create and publish Docker images with specific build args / build-main-image (linux/arm64, ubuntu-24.04-arm) (push) Waiting to run Details Create and publish Docker images with specific build args / build-cuda-image (linux/amd64, ubuntu-latest) (push) Waiting to run Details Create and publish Docker images with specific build args / build-cuda-image (linux/arm64, ubuntu-24.04-arm) (push) Waiting to run Details Create and publish Docker images with specific build args / build-cuda126-image (linux/amd64, ubuntu-latest) (push) Waiting to run Details Create and publish Docker images with specific build args / build-cuda126-image (linux/arm64, ubuntu-24.04-arm) (push) Waiting to run Details Create and publish Docker images with specific build args / build-ollama-image (linux/amd64, ubuntu-latest) (push) Waiting to run Details Create and publish Docker images with specific build args / build-ollama-image (linux/arm64, ubuntu-24.04-arm) (push) Waiting to run Details Create and publish Docker images with specific build args / build-slim-image (linux/amd64, ubuntu-latest) (push) Waiting to run Details Create and publish Docker images with specific build args / build-slim-image (linux/arm64, ubuntu-24.04-arm) (push) Waiting to run Details Create and publish Docker images with specific build args / merge-main-images (push) Blocked by required conditions Details Create and publish Docker images with specific build args / merge-cuda-images (push) Blocked by required conditions Details Create and publish Docker images with specific build args / merge-cuda126-images (push) Blocked by required conditions Details Create and publish Docker images with specific build args / merge-ollama-images (push) Blocked by required conditions Details Create and publish Docker images with specific build args / merge-slim-images (push) Blocked by required conditions Details Python CI / Format Backend (push) Waiting to run Details Frontend Build / Format & Build Frontend (push) Waiting to run Details Frontend Build / Frontend Unit Tests (push) Waiting to run Details Release to PyPI / release (push) Waiting to run Details chore: format	2025-11-23 22:16:33 -05:00
Tim Baek	fe6783c166	Merge pull request #19030 from open-webui/dev 0.6.37	2025-11-23 22:10:05 -05:00