Auth server metadata fallbacks abort on non-404 failures

**Describe the bug**
During auth server metadata discovery, the client SDK attempts to query the supported metadata endpoints sequentially. However, it only falls back from one to another on 404 responses ([source](https://github.com/modelcontextprotocol/typescript-sdk/blob/8e15edca0af05e7eaeb38e0880669a16f749e0f5/src/client/auth.ts#L556)). This is [stricter](https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization#sequence-diagram) than the specification requires, and happens to break compatibility with Cognito, which returns a 400 at any endpoints it doesn't support ([example](https://cognito-idp.us-west-2.amazonaws.com/us-west-2_kFDPOwXJE/.well-known/oauth-authorization-server)).

**To Reproduce**
Steps to reproduce the behavior:
1. Update the `simpleOAuthClient.ts` example to point to an AS that returns 400s on the initial metadata endpoint.
2. Update the `simpleStreamableHttp.ts` example to use that AS in its protected resource metadata.
3. Run the server and client, and observe the following error: `Failed to start client: Error: HTTP 400 trying to load well-known OAuth metadata`.

**Expected behavior**
Client falls back on any 4XX status. Arguably, it should fall back on 5XX responses as well, but I'm limiting this to 4XX responses to avoid the possibility of a load-sensitive 5XX on the AS being multiplied in scale by fallback behaviors.

**Logs**

**Additional context**



Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Auth server metadata fallbacks abort on non-404 failures #804

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Auth server metadata fallbacks abort on non-404 failures #804

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions