mathias/gitea-mcp
1
0
Fork 0
Code Issues 6 Pull Requests Actions Packages Projects Releases Wiki Activity

fix: add OAuth discovery endpoints for claude.ai handshake #3

Merged
mathias merged 1 commits from fix/oauth-discovery-endpoints into main 2026-05-06 15:20:58 +00:00
Conversation 0 Commits 1 Files Changed 3 +24
mathias commented 2026-05-06 15:20:20 +00:00
Owner
Copy Link

Fixes #2.

What

claude.ai makes two discovery requests before the MCP handshake. Both were returning 404, causing "Couldn't reach the MCP server."

Changes

  • GET /.well-known/oauth-protected-resource → 200 {"authorization_servers":[]} — signals no OAuth required (RFC 9728)
  • GET /.well-known/oauth-authorization-server → 404 — explicit, no auth server present
  • HEAD /mcp → 200 + MCP-Protocol-Version: 2025-06-18 header

No new dependencies. Test added for the HEAD handler.

Acceptance criteria

  • GET /.well-known/oauth-protected-resource returns 200 with valid JSON
  • HEAD /mcp returns 200 with MCP-Protocol-Version: 2025-06-18
  • All existing tests pass
Fixes #2. ## What claude.ai makes two discovery requests before the MCP handshake. Both were returning 404, causing "Couldn't reach the MCP server." ## Changes - `GET /.well-known/oauth-protected-resource` → 200 `{"authorization_servers":[]}` — signals no OAuth required (RFC 9728) - `GET /.well-known/oauth-authorization-server` → 404 — explicit, no auth server present - `HEAD /mcp` → 200 + `MCP-Protocol-Version: 2025-06-18` header No new dependencies. Test added for the HEAD handler. ## Acceptance criteria - [x] `GET /.well-known/oauth-protected-resource` returns 200 with valid JSON - [x] `HEAD /mcp` returns 200 with `MCP-Protocol-Version: 2025-06-18` - [x] All existing tests pass
mathias added 1 commit 2026-05-06 15:20:20 +00:00
fix: add OAuth discovery endpoints for claude.ai handshake
All checks were successful
CD / Lint / Test / Vet (pull_request) Successful in 5s
Details
CD / Build & Import (pull_request) Has been skipped
Details
CD / Deploy via GitOps (pull_request) Has been skipped
Details
9cbb564cd9 
Implements RFC 9728 protected resource metadata and HEAD probe so
claude.ai can complete its pre-handshake discovery without hitting 404.

- GET /.well-known/oauth-protected-resource → 200 {"authorization_servers":[]}
- GET /.well-known/oauth-authorization-server → 404 (no auth server)
- HEAD /mcp → 200 + MCP-Protocol-Version: 2025-06-18 header

Closes #2

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
mathias merged commit 4f0f65e26a into main 2026-05-06 15:20:58 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
No items
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
mathias
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: mathias/gitea-mcp#3
Delete Branch "fix/oauth-discovery-endpoints"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?