Properties
category: reference
tags: [task, phase-1, mcp, auth, infra]
last_updated: 2026-03-13
confidence: high

P1-9: Fix MCP OAuth Discovery Routing

Problem

Claude.ai cannot connect to the dev.wikibot.io MCP server via OAuth because the /.well-known/oauth-authorization-server discovery endpoint is routed to the Otterwiki Lambda ($default catch-all) instead of the MCP Lambda. It returns an HTML wiki page instead of the OAuth JSON metadata document.

The MCP endpoint itself (POST /mcp) works correctly (returns 405 on GET, as expected).

Root Cause

In Pulumi infra/__main__.py, the API Gateway only routes /mcp and /mcp/{proxy+} to the MCP Lambda. All other paths (including /.well-known/*) fall through to Otterwiki's $default route.

Deliverables

  1. Add API Gateway routes for OAuth discovery endpoints so they reach the MCP Lambda:
    • GET /.well-known/oauth-authorization-server
    • GET /.well-known/openid-configuration (if needed by WorkOS)
    • Any other OAuth endpoints the MCP server handles (e.g., /authorize, /token, /register)
  2. Verify the OAuth flow works end-to-end by testing that each endpoint returns valid JSON (not HTML).
  3. Do NOT break existing Otterwiki routes or the /mcp endpoint.

Acceptance Criteria

  • curl https://dev.wikibot.io/.well-known/oauth-authorization-server returns JSON with authorization_endpoint, token_endpoint, etc.
  • curl -X POST https://dev.wikibot.io/mcp still returns 405 (MCP endpoint still works)
  • curl https://dev.wikibot.io/Home still returns the wiki HTML (Otterwiki still works)
  • The full OAuth flow works: Claude.ai can discover endpoints → register client → authorize → get token → call MCP tools

Target

  • Repo: wikibot-io at /Users/sderle/code/otterwiki/wikibot-io/
  • Files: infra/__main__.py (Pulumi API Gateway routes)
  • Branch: Work on main
  • Deploy: bash app/otterwiki/build.sh is NOT needed (no Otterwiki code changes). Only run bash infra/pulumi.sh up --yes to update the API Gateway routes.

Context

  • MCP Lambda handler: app/poc/mcp_package/mcp_server.py
  • MCP Lambda uses Mangum ASGI adapter (unlike Otterwiki which uses apig-wsgi WSGI adapter)
  • WorkOS AuthKit config in Pulumi.dev.yaml: client_id, authkit_domain
  • MCP Lambda env vars set in __main__.py lines ~117-147
  • API Gateway routes for MCP defined in __main__.py lines ~153-185
  • The MCP server uses FastMCP's AuthKitProvider which serves the OAuth discovery and auth endpoints automatically

Notes

  • Need to figure out exactly which paths the MCP server handles for OAuth. Check mcp_server.py and FastMCP docs/source.
  • May need wildcard route /.well-known/{proxy+} or specific routes for each endpoint.
  • Be careful not to route non-OAuth .well-known paths away from Otterwiki (though it likely doesn't use any).
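
The routing behaviour behind the root cause, and the wildcard-versus-specific choice in the notes above, as an added example (not code from infra/__main__.py): a simplified Python model of API Gateway HTTP API route selection (full match, then greedy {proxy+}, then $default). The ANY method on the /mcp routes, the integration labels and the security.txt probe path are assumptions made for illustration.

```python
# Simplified model of API Gateway HTTP API route selection:
# full match first, then greedy {proxy+} match, then $default.
# Integration labels and the ANY methods are assumptions, not project code.
CURRENT = {
    "ANY /mcp": "mcp",
    "ANY /mcp/{proxy+}": "mcp",
    "$default": "otterwiki",
}
# Option A: one route per discovery endpoint.
SPECIFIC = {**CURRENT, "GET /.well-known/oauth-authorization-server": "mcp"}
# Option B: wildcard over everything under /.well-known/.
WILDCARD = {**CURRENT, "GET /.well-known/{proxy+}": "mcp"}

GREEDY = "{proxy+}"


def select_target(routes, method, path):
    """Return the integration label that would receive the request."""
    best = None  # ((rank, prefix length, method is specific), target)
    for key, target in routes.items():
        if key == "$default":
            continue
        route_method, route_path = key.split(" ", 1)
        if route_method not in ("ANY", method):
            continue
        if route_path == path:
            score = (2, len(path), route_method != "ANY")
        elif route_path.endswith(GREEDY):
            prefix = route_path[: -len(GREEDY)]  # e.g. "/mcp/"
            if not (path.startswith(prefix) and len(path) > len(prefix)):
                continue
            score = (1, len(prefix), route_method != "ANY")
        else:
            continue
        if best is None or score > best[0]:
            best = (score, target)
    return best[1] if best else routes.get("$default")


if __name__ == "__main__":
    probes = [  # last path is constructed to show the wildcard's reach
        ("GET", "/.well-known/oauth-authorization-server"),
        ("POST", "/mcp"),
        ("GET", "/Home"),
        ("GET", "/.well-known/security.txt"),
    ]
    for name, table in [("current", CURRENT), ("specific", SPECIFIC), ("wildcard", WILDCARD)]:
        for method, path in probes:
            print(f"{name:9} {method:4} {path:45} -> {select_target(table, method, path)}")
```

Under option B the constructed security.txt probe lands on the MCP Lambda, which is the side effect the notes warn about; under option A each additional discovery or OAuth path needs its own route.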