From f657ead4722cfb419d857965a59bd52164c9c99a Mon Sep 17 00:00:00 2001
From: Xiao Yijun <xiaoyijun@silverhand.io>
Date: Mon, 4 Aug 2025 22:43:09 +0800
Subject: [PATCH 1/2] fix: retry next endpoint on CORS error during auth server
 discovery (#827)

---
 src/client/auth.test.ts | 12 ++++++++++++
 src/client/auth.ts      |  6 +++++-
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/src/client/auth.test.ts b/src/client/auth.test.ts
index c3049124e..fb9b31006 100644
--- a/src/client/auth.test.ts
+++ b/src/client/auth.test.ts
@@ -899,6 +899,18 @@ describe("OAuth Authorization", () => {
         "MCP-Protocol-Version": "2025-01-01"
       });
     });
+
+    it("returns undefined when all URLs fail with CORS errors", async () => {
+      // All fetch attempts fail with CORS errors (TypeError)
+      mockFetch.mockImplementation(() => Promise.reject(new TypeError("CORS error")));
+
+      const metadata = await discoverAuthorizationServerMetadata("https://auth.example.com/tenant1");
+
+      expect(metadata).toBeUndefined();
+      
+      // Verify that all discovery URLs were attempted
+      expect(mockFetch).toHaveBeenCalledTimes(8); // 4 URLs × 2 attempts each (with and without headers)
+    });
   });
 
   describe("startAuthorization", () => {
diff --git a/src/client/auth.ts b/src/client/auth.ts
index 56826045a..ab8aff0c7 100644
--- a/src/client/auth.ts
+++ b/src/client/auth.ts
@@ -758,7 +758,11 @@ export async function discoverAuthorizationServerMetadata(
     const response = await fetchWithCorsRetry(endpointUrl, headers, fetchFn);
 
     if (!response) {
-      throw new Error(`CORS error trying to load ${type === 'oauth' ? 'OAuth' : 'OpenID provider'} metadata from ${endpointUrl}`);
+      /**
+       * CORS error occurred - don't throw as the endpoint may not allow CORS,
+       * continue trying other possible endpoints
+       */
+      continue;
     }
 
     if (!response.ok) {

From a1608a6513d18eb965266286904760f830de96fe Mon Sep 17 00:00:00 2001
From: Inna Harper <inna.hrpr@gmail.com>
Date: Thu, 7 Aug 2025 21:28:37 +0100
Subject: [PATCH 2/2] 1.17.2 (#855)

---
 package-lock.json | 4 ++--
 package.json      | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index dd45ff05d..2fdf89b2e 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "@modelcontextprotocol/sdk",
-  "version": "1.17.1",
+  "version": "1.17.2",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "@modelcontextprotocol/sdk",
-      "version": "1.17.1",
+      "version": "1.17.2",
       "license": "MIT",
       "dependencies": {
         "ajv": "^6.12.6",
diff --git a/package.json b/package.json
index 7bbb0f173..2f5a030bb 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@modelcontextprotocol/sdk",
-  "version": "1.17.1",
+  "version": "1.17.2",
   "description": "Model Context Protocol implementation for TypeScript",
   "license": "MIT",
   "author": "Anthropic, PBC (https://anthropic.com)",