fix(mcp): handle equivalent root resource URLs in OAuth validation (#20231)

packages/core/src/mcp/oauth-utils.ts

@@ -257,7 +257,12 @@ export class OAuthUtils {
         // it is using as the prefix for the metadata request exactly matches the value
         // of the resource metadata parameter in the protected resource metadata document.
         const expectedResource = this.buildResourceParameter(serverUrl);
-        if (resourceMetadata.resource !== expectedResource) {
+        if (
+          !this.isEquivalentResourceIdentifier(
+            resourceMetadata.resource,
+            expectedResource,
+          )
+        ) {
           throw new ResourceMismatchError(
             `Protected resource ${resourceMetadata.resource} does not match expected ${expectedResource}`,
           );
@@ -348,7 +353,12 @@ export class OAuthUtils {
     if (resourceMetadata && mcpServerUrl) {
       // Validate resource parameter per RFC 9728 Section 7.3
       const expectedResource = this.buildResourceParameter(mcpServerUrl);
-      if (resourceMetadata.resource !== expectedResource) {
+      if (
+        !this.isEquivalentResourceIdentifier(
+          resourceMetadata.resource,
+          expectedResource,
+        )
+      ) {
         throw new ResourceMismatchError(
           `Protected resource ${resourceMetadata.resource} does not match expected ${expectedResource}`,
         );
@@ -402,6 +412,21 @@ export class OAuthUtils {
     return `${url.protocol}//${url.host}${url.pathname}`;
   }
 
+  private static isEquivalentResourceIdentifier(
+    discoveredResource: string,
+    expectedResource: string,
+  ): boolean {
+    const normalize = (resource: string): string => {
+      try {
+        return this.buildResourceParameter(resource);
+      } catch {
+        return resource;
+      }
+    };
+
+    return normalize(discoveredResource) === normalize(expectedResource);
+  }
+
   /**
    * Parses a JWT string to extract its expiry time.
    * @param idToken The JWT ID token.