Describe the Bug
Per IETF standard (https://www.rfc-editor.org/rfc/rfc8414.txt - section 3.1), the client should insert the “/.well-known/oauth-authorization-server” between the authorization server host and path. Excerpt from the standard:
The client would make the following request when the
issuer identifier is “https://example.com/issuer1” and the well-known
URI suffix is “oauth-authorization-server” to obtain the metadata,
since the issuer identifier contains a path component:
GET /.well-known/oauth-authorization-server/issuer1 HTTP/1.1
Host: example.com
However Cursor omits the path component and sends this request:
GET /.well-known/oauth-authorization-server HTTP/1.1
Host: example.com
Steps to Reproduce
Connect to an MCP server that returns the following content from the “/.well-known/oauth-protected-resource” endpoint:
{
“resource”: “schema+host/resource1”,
“authorization_servers”: [
“schema+host/resource1”
],
“scopes_supported”: [
“scp1”
]
}
Expected Behavior
Cursor sends a GET request to this authorization server URL:
schema+host/.well-known/oauth-authorization-server/resource1
But Actual Behavior is that Cursor sends a GET request to this authorization server URL (without /resource1):
schema+host/.well-known/oauth-authorization-server
Operating System
Windows 10/11
Current Cursor Version (Menu → About Cursor → Copy)
Version: 1.3.5 (user setup)
VSCode Version: 1.99.3
Commit: 9f33c2e793460d00cf95c06d957e1d1b8135fad0
Date: 2025-07-30T00:37:52.749Z
Electron: 34.5.1
Chromium: 132.0.6834.210
Node.js: 20.19.0
V8: 13.2.152.41-electron.0
OS: Windows_NT x64 10.0.26100
Does this stop you from using Cursor
Yes - Cursor is unusable