OAuth authentication fails: Protected resource origin does not match exact connection URL path #20017

@danielpsf-grover

Description

What happened?

When attempting to authenticate with a custom MCP server (Swifteq Zendesk) that uses OAuth, the CLI blocks the authentication because the server's protected resource identifier (the origin) does not exactly match the httpUrl (which includes the SSE endpoint path).

Steps to Reproduce:

1. Configure settings.json with an MCP server that has a path in the URL:

   {
     "security": {
       "auth": {
         "selectedType": "oauth-personal"
       }
     },
     "mcpServers": {
       "zendesk": {
         "httpUrl": "https://mcp.swifteq.com/api/mcp/sse"
       }
     }
   }

2. Run /mcp auth zendesk

What did you expect to happen?

Expected Behavior:
The CLI should successfully authenticate. The OAuth resource validation should either accept an origin-level match (https://mcp.swifteq.com matching the base of https://mcp.swifteq.com/api/mcp/sse), or the settings.json schema should allow an override key like resource or expectedResource in the server block.

Actual Behavior:
The authentication fails with the following strict matching error:
✕ Failed to authenticate with MCP server 'zendesk': Protected resource https://mcp.swifteq.com does not match expected https://mcp.swifteq.com/api/mcp/sse

Client information

Run gemini to enter the interactive CLI, then run the /about command.

> /about
About Gemini CLI
│ CLI Version                                                   0.29.5
│ Git Commit                                                    2ef872e73
│ Model                                                         Auto (Gemini 2.5)
│ Sandbox                                                       no sandbox
│ OS                                                            darwin
│ Auth Method                                                   Logged in with Google ([email protected])
│ Tier                                                          Gemini Code Assist
│ GCP Project                                                   my-company-gcp-project

Login information

Google account

Anything else we need to know?

No response
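
Added example (not part of the original report and not Gemini CLI's code): the exact-match comparison that yields the error above, next to the origin-level match the report asks for and a path-prefix variant that goes beyond it. The function name `matchProtectedResource` and the policy names `exact`, `origin` and `prefix` are assumptions made for illustration.

```javascript
// Hypothetical helper: compares the `resource` a server advertises with the configured httpUrl.
function normalize(raw) {
  const u = new URL(raw); // throws on malformed input
  if (u.protocol !== 'https:' && u.protocol !== 'http:') throw new Error('unsupported scheme');
  // URL parsing lowercases scheme and host and drops default ports.
  // Only origin and path are compared; query and fragment are ignored.
  return { origin: u.origin, path: u.pathname.replace(/\/+$/, '') };
}

function matchProtectedResource(configuredUrl, advertisedResource, policy = 'exact') {
  let cfg, adv;
  try {
    cfg = normalize(configuredUrl);
    adv = normalize(advertisedResource);
  } catch {
    return { ok: false, reason: 'unparseable URL' };
  }
  // A scheme, host or port mismatch is rejected under every policy.
  if (cfg.origin !== adv.origin) return { ok: false, reason: 'origin mismatch' };
  if (cfg.path === adv.path) return { ok: true, reason: 'exact match' };
  if (policy === 'exact') return { ok: false, reason: 'path mismatch' };
  if (policy === 'origin') {
    // Accept only a bare-origin resource (no path), which is the case in this report.
    return adv.path === ''
      ? { ok: true, reason: 'origin-level match' }
      : { ok: false, reason: 'path mismatch' };
  }
  if (policy === 'prefix') {
    // The resource must be an ancestor path on a segment boundary:
    // /api covers /api/mcp/sse but not /apiv2/sse.
    return cfg.path.startsWith(adv.path + '/')
      ? { ok: true, reason: 'prefix match' }
      : { ok: false, reason: 'path mismatch' };
  }
  return { ok: false, reason: 'unknown policy' };
}
```

With an origin-level policy the token is requested for the whole origin rather than for the single endpoint, so a relaxation like this fits better as a per-server opt-in than as a default.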

Labels

- area/security: Issues related to security
- status/need-triage: Issues that need to be triaged by the triage automation.