feat(oauth): standardize scopes and add RFC 8414 metadata endpoint

- Remove custom taskflow:read/write scopes, use standard OIDC scopes only
- Add /.well-known/oauth-authorization-server route for MCP client discovery
- Add taskflow MCP server config to .mcp.json
- Aligns with Better Auth which doesn't support custom scopes

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: mjunaidca

.mcp.json

@@ -1,5 +1,9 @@
 {
   "mcpServers": {
+    "taskflow": {
+      "type": "http",
+      "url": "http://0.0.0.0:8001/mcp"
+    },
     "context7": {
       "type": "stdio",
       "command": "npx",

packages/mcp-server/src/taskflow_mcp/server.py

@@ -109,12 +109,11 @@ async def __call__(self, scope: Scope, receive: Receive, send: Send) -> None:
                 "token_endpoint": f"{config.sso_url}/api/auth/oauth2/token",
                 "device_authorization_endpoint": f"{config.sso_url}/api/auth/device/code",
                 "jwks_uri": f"{config.sso_url}/api/auth/jwks",
+                # Only standard OIDC scopes - Better Auth doesn't support custom scopes
                 "scopes_supported": [
                     "openid",
                     "profile",
                     "email",
-                    "taskflow:read",
-                    "taskflow:write",
                 ],
                 "response_types_supported": ["code"],
                 "grant_types_supported": [
@@ -135,11 +134,11 @@ async def __call__(self, scope: Scope, receive: Receive, send: Send) -> None:
             response = JSONResponse({
                 "resource": f"http://{config.mcp_host}:{config.mcp_port}/mcp",
                 "authorization_servers": [config.sso_url],
+                # Only standard OIDC scopes
                 "scopes_supported": [
                     "openid",
-                    "profile", 
-                    "taskflow:read",
-                    "taskflow:write",
+                    "profile",
+                    "email",
                 ],
                 "bearer_methods_supported": ["header"],
                 "resource_documentation": "https://github.com/mjunaidca/taskforce",

sso-platform/src/app/.well-known/oauth-authorization-server/route.ts

@@ -0,0 +1,53 @@
+/**
+ * OAuth 2.0 Authorization Server Metadata (RFC 8414)
+ *
+ * This endpoint provides OAuth AS metadata for MCP clients (Claude Code, Gemini CLI, etc.)
+ * that use RFC 8414 discovery instead of OIDC Discovery.
+ *
+ * MCP Auth flow:
+ * 1. Client fetches /.well-known/oauth-protected-resource from MCP server
+ * 2. Client gets authorization_servers list pointing to this SSO
+ * 3. Client fetches this endpoint to get OAuth endpoints
+ * 4. Client performs OAuth flow
+ */
+
+import { NextResponse } from "next/server";
+
+const BASE_URL = process.env.BETTER_AUTH_URL || "http://localhost:3001";
+
+export async function GET() {
+  // Return OAuth AS metadata (RFC 8414)
+  // This mirrors the OIDC Discovery document but in OAuth AS format
+  return NextResponse.json({
+    // Required fields
+    issuer: BASE_URL,
+    authorization_endpoint: `${BASE_URL}/api/auth/oauth2/authorize`,
+    token_endpoint: `${BASE_URL}/api/auth/oauth2/token`,
+
+    // Optional but recommended
+    jwks_uri: `${BASE_URL}/api/auth/jwks`,
+    registration_endpoint: `${BASE_URL}/api/auth/oauth2/register`,
+    scopes_supported: ["openid", "profile", "email", "offline_access"],
+    response_types_supported: ["code"],
+    response_modes_supported: ["query"],
+    grant_types_supported: [
+      "authorization_code",
+      "refresh_token",
+      "urn:ietf:params:oauth:grant-type:device_code",
+    ],
+    token_endpoint_auth_methods_supported: ["client_secret_basic", "client_secret_post", "none"],
+    code_challenge_methods_supported: ["S256"],
+
+    // Device authorization (RFC 8628)
+    device_authorization_endpoint: `${BASE_URL}/api/auth/device/code`,
+
+    // Userinfo endpoint
+    userinfo_endpoint: `${BASE_URL}/api/auth/oauth2/userinfo`,
+
+    // Revocation endpoint (if supported)
+    revocation_endpoint: `${BASE_URL}/api/auth/oauth2/revoke`,
+
+    // End session endpoint (OIDC logout)
+    end_session_endpoint: `${BASE_URL}/api/auth/oauth2/endsession`,
+  });
+}