Files
open-webui/backend/open_webui/utils
Alberto de la Cruz 718b226177 fix: discover MCP Protected Resource Metadata when server does not return 401 (#25980)
get_protected_resource_metadata() only attempted RFC 9728 discovery when
the anonymous `initialize` probe returned 401 with a WWW-Authenticate
header. Some remote MCP servers — notably Google's Gmail/Drive/Calendar
MCPs (gmailmcp.googleapis.com, etc.) — answer 200 to an anonymous
initialize, so OAuth scope and authorization-server discovery silently
failed and connections to them could not be established.

Run the discovery regardless of the probe's HTTP status: prefer the
resource_metadata URL from WWW-Authenticate when present, and otherwise
fall back to the RFC 9728 §4.2 well-known URIs. The trade-off is a couple
of extra well-known GETs during MCP connection setup for servers that
expose no PRM document; behavior for 401-responding servers is unchanged.
2026-06-29 04:34:36 -05:00
..
2026-06-19 15:34:43 +02:00
2026-06-17 00:36:34 +02:00
2026-06-17 02:52:35 +02:00
2026-06-29 03:58:00 -05:00
2026-06-29 00:05:10 -05:00
2026-06-24 14:13:58 +02:00
2026-06-01 13:56:55 -07:00
2026-06-29 00:35:54 -05:00
2026-06-29 03:13:17 -05:00
2026-06-23 00:25:21 +02:00
2026-06-29 00:18:40 -05:00
2026-06-25 14:37:05 +01:00
2026-06-23 23:35:44 +02:00
2026-06-19 00:16:06 +02:00
2026-06-29 04:03:06 -05:00
2026-06-01 13:56:55 -07:00