mirror of
https://github.com/open-webui/open-webui.git
synced 2026-07-12 21:39:59 +02:00
get_protected_resource_metadata() only attempted RFC 9728 discovery when the anonymous `initialize` probe returned 401 with a WWW-Authenticate header. Some remote MCP servers — notably Google's Gmail/Drive/Calendar MCPs (gmailmcp.googleapis.com, etc.) — answer 200 to an anonymous initialize, so OAuth scope and authorization-server discovery silently failed and connections to them could not be established. Run the discovery regardless of the probe's HTTP status: prefer the resource_metadata URL from WWW-Authenticate when present, and otherwise fall back to the RFC 9728 §4.2 well-known URIs. The trade-off is a couple of extra well-known GETs during MCP connection setup for servers that expose no PRM document; behavior for 401-responding servers is unchanged.