Describe the Bug
In RFC 8414, it says:
The client would make the following request when the
issuer identifier is “https://example.com/issuer1” and the well-known
URI suffix is “oauth-authorization-server” to obtain the metadata,
since the issuer identifier contains a path component:
GET /.well-known/oauth-authorization-server/issuer1 HTTP/1.1
Host: example.com
But Cursor requests the auth server meta data without ending /issue1 path
Steps to Reproduce
Use the following Bun code to simulate a simple oauth server that can reproduce the bug:
import { serve, type BunRequest } from "bun"
import { nanoid } from "nanoid"
const PORT = 3333;
const BASE_URL = `http://localhost:${PORT}`
async function protectedHandler() {
console.log("accessing /openapi/mcp")
return new Response(
JSON.stringify({ message: "This is a protected route" }),
{
headers: {
"Content-Type": "application/json",
"WWW-Authenticate": `Bearer resource_metadata="${BASE_URL}/mcp/oauth-protected-resource"`
},
status: 401
}
)
}
async function oauthProtectedResource() {
console.log("accessing /mcp/oauth-protected-resource")
return new Response(
JSON.stringify({
resource: `${BASE_URL}/openapi/mcp`, // resource should match the URL in the WWW-Authenticate header
authorization_servers: [`${BASE_URL}/mcp`] // with /mcp, the client should request .well-known/oauth-authorization-server/mcp
}),
{
headers: { "Content-Type": "application/json" }
}
)
}
async function oauthAuthorizationServer(req: BunRequest<"/.well-known/oauth-authorization-server/:issuer">) {
const { issuer } = req.params;
console.log("accessing /mcp/.well-known/oauth-authorization-server, issuer", issuer)
if (issuer !== "mcp") {
return new Response("Not Found", { status: 404 });
}
return new Response(
JSON.stringify({
issuer: `${BASE_URL}/mcp`, // match the URL in authorization_servers above
authorization_endpoint: `${BASE_URL}/mcp/authorize`, // for browser to request authorization
token_endpoint: `${BASE_URL}/mcp/token`, // for token generation
registration_endpoint: `${BASE_URL}/mcp/register`, // for client registration
response_types_supported: ["code"],
code_challenge_methods_supported: ["S256"]
}),
{
headers: { "Content-Type": "application/json" }
}
)
}
async function oauthRegister(req: Request) {
console.log("accessing /mcp/register")
const request: any = await req.json()
console.log(request)
return new Response(
JSON.stringify({
client_id: nanoid(10),
redirect_uris: request.redirect_uris,
client_name: request.client_name,
client_uri: request.client_uri,
grant_types: ["authorization_code", "refresh_token"]
}),
{
headers: { "Content-Type": "application/json" }
}
)
}
async function catchAll(req: Request) {
console.warn("catchAll", req.method, req.url)
console.warn(req.headers)
return new Response("Not Found", { status: 404 })
}
console.log(`Server running at ${BASE_URL}`)
serve({
port: PORT,
routes: {
"/openapi/mcp": protectedHandler,
"/mcp/oauth-protected-resource": oauthProtectedResource,
"/.well-known/oauth-authorization-server/:issuer": oauthAuthorizationServer,
"/mcp/register": oauthRegister,
"/*": catchAll
}
})
Expected Behavior
Cursor should request the server metadata with ending path
Operating System
MacOS
Current Cursor Version (Menu → About Cursor → Copy)
Version: 1.2.2
Commit: faa03b17cce93e8a80b7d62d57f5eda6bb6ab9f0
Date: 2025-07-07T06:07:27.002Z
Browser: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Cursor/1.2.2 Chrome/132.0.6834.210 Electron/34.5.1 Safari/537.36
Does this stop you from using Cursor
Sometimes - I can sometimes use Cursor