fix: OAuth 2.0 Protected Resource Metadata returning local endpoint (fix #33062) (#33092)

* fix: OAuth 2.0 Protected Resource Metadata returning local endpoint (fix #33062)

Signed-off-by: Gabriel Dugny <gabriel.dugny@believe.com>

* chore: add basic regression test

Signed-off-by: Gabriel Dugny <gabriel.dugny@believe.com>

---------

Signed-off-by: Gabriel Dugny <gabriel.dugny@believe.com>
Gabriel Dugny
2026-04-06 19:04:12 +02:00
committed by GitHub
parent dd48192606
commit 282c11475f
3 changed files with 18 additions and 2 deletions
+5
@@ -0,0 +1,5 @@
---
'@backstage/plugin-mcp-actions-backend': patch
---
Fix OAuth 2.0 Protected Resource Metadata endpoint returning internal plugin URL, preventing some MCP clients like Claude Code from authenticating
@@ -307,10 +307,17 @@ describe('Mcp Backend', () => {
});
it('should expose oauth-protected-resource when DCR is enabled', async () => {
const mockExternalBaseUrl = 'http://external.local:0/api';
const mockDiscovery = mockServices.discovery.mock({
getExternalBaseUrl: async pluginId =>
`${mockExternalBaseUrl}/${pluginId}`,
});
const { server } = await startTestBackend({
features: [
mcpPlugin,
mockPluginWithActions,
mockDiscovery.factory,
mockServices.rootConfig.factory({
data: {
backend: {
@@ -335,6 +342,10 @@ describe('Mcp Backend', () => {
expect(response.body.resource).toMatch(/\/api\/mcp-actions$/);
expect(response.body.authorization_servers).toHaveLength(1);
expect(response.body.authorization_servers[0]).toMatch(/\/api\/auth$/);
expect(response.body.resource).toContain(`${mockExternalBaseUrl}`);
expect(response.body.authorization_servers[0]).toContain(
`${mockExternalBaseUrl}/`,
);
});
it('should expose oauth-protected-resource when CIMD is enabled', async () => {
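Review bot: The added assertions at the end of the DCR test use `toContain`, which only checks for a substring, so a response that merely embeds the external base URL somewhere in a longer value would still pass. Since clients rely on these fields to pick their authorization server, exact equality is the tighter regression check: `expect(response.body.resource).toBe(mockExternalBaseUrl + '/mcp-actions');` and, assuming the handler returns the auth URL unchanged, `expect(response.body.authorization_servers).toEqual([mockExternalBaseUrl + '/auth']);`. The CIMD test that begins on the last line of this hunk lies outside it; it presumably hits the same handler and would benefit from the same mock and assertions.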
+2 -2
@@ -144,8 +144,8 @@ export const mcpPlugin = createBackendPlugin({
'/.well-known/oauth-protected-resource',
async (_, res) => {
const [authBaseUrl, mcpBaseUrl] = await Promise.all([
discovery.getBaseUrl('auth'),
discovery.getBaseUrl('mcp-actions'),
discovery.getExternalBaseUrl('auth'),
discovery.getExternalBaseUrl('mcp-actions'),
]);
res.json({
resource: mcpBaseUrl,
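Review bot: The two `getExternalBaseUrl` calls carry no comment explaining why the external variant is required here, and the one-word difference from `getBaseUrl` is easy to revert in a later refactor. I would add above the `Promise.all`: `// This metadata is read by external MCP clients, so advertise externally reachable URLs, not internal plugin-to-plugin ones.` The handler ignores the request (`async (_, res)`) and takes both values from the discovery service, which keeps the advertised `resource` and authorization server independent of request headers; that is worth stating in the same comment so it stays that way. The handler body continues past the end of this hunk, and any other `.well-known` route in the file that still calls `getBaseUrl` presumably needs the same review.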