Support falling back to OIDC metadata for auth

[LucaButBoring]

Implements basic OIDC support for working with authorization servers that don't expose OAuth metadata, following the semantics described in RFC 8414 Section 5.

As part of this change, I modified the internal fallback behavior from a simple boolean flag to instead represent discovery as a stack of methods, which are consumed sequentially until one fallback method succeeds. This also helps clean up the duplicated code from working with AsyncGenerator.

Motivation and Context

Enables falling back to OIDC 1.0 metadata when a server does not support OAuth metadata according to RFC 8414.

How Has This Been Tested?

Added/updated unit tests.

Breaking Changes

None

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Documentation update

Checklist

• I have read the MCP Documentation
• My code follows the repository's style guidelines
• New and existing tests pass locally
• I have added appropriate error handling
• I have added or updated documentation as needed

Additional context

#976

[ihrpr]

Thank you! Sorry, we had back and forth with this spec changes. For now it's on hold until modelcontextprotocol/modelcontextprotocol#797 is merged

[dsp-ant]

I'll add a claude generated review in addition, since I reviewed it and found it quite useful.

[dsp-ant]

Here is Claude's take, which in this instance, I found helpful:

Thank you for implementing RFC 9728 support with OIDC fallback functionality. While the implementation works, I have concerns about the complexity of the approach, particularly around the callback-based discovery stack pattern.

Main Concerns

1. Over-engineered Discovery Stack Pattern

The current implementation uses a callback-based stack with function references:

OAuthDiscoveryStack = list[Callable[[], Awaitable[httpx.Request]]]

This pattern, combined with stack reversal and while-loop popping, adds unnecessary complexity:

• The callbacks don't encapsulate varying behavior - they just generate URLs
• The stack reversal (discovery_attempts.reverse()) followed by pop() is non-idiomatic
• while len(oauth_discovery_stack) > 0: should be while oauth_discovery_stack:

2. Scattered URL Building Logic

The implementation has four separate methods for URL construction:

• _build_well_known_path()
• _build_well_known_fallback_url()
• _build_oidc_fallback_path()
• _build_oidc_fallback_url()

This fragmentation makes it harder to understand the discovery order and URL patterns.

3. Unnecessary State Management

The code stores intermediate state as instance variables:

self.context.discovery_base_url = base_url
self.context.discovery_pathname = parsed.path

These are only used for fallback logic and could be handled more cleanly.

Suggested Simplification

Replace the callback stack with a straightforward URL list approach:

def _get_discovery_urls(self) -> list[tuple[str, str]]:
    """Generate ordered list of (url, type) tuples for discovery attempts."""
    urls = []
    auth_server_url = self.context.auth_server_url or self.context.server_url
    parsed = urlparse(auth_server_url)
    base_url = f"{parsed.scheme}://{parsed.netloc}"
    
    # RFC 8414: Path-aware OAuth discovery
    if parsed.path and parsed.path != "/":
        oauth_path = f"/.well-known/oauth-authorization-server{parsed.path.rstrip('/')}"
        urls.append((urljoin(base_url, oauth_path), "oauth"))
    
    # OAuth root fallback
    urls.append((urljoin(base_url, "/.well-known/oauth-authorization-server"), "oauth"))
    
    # RFC 8414 section 5: Path-aware OIDC discovery  
    if parsed.path and parsed.path != "/":
        oidc_path = f"/.well-known/openid-configuration{parsed.path.rstrip('/')}"
        urls.append((urljoin(base_url, oidc_path), "oidc"))
    
    # OIDC 1.0 fallback (appends to full URL per spec)
    oidc_fallback = urljoin(auth_server_url.rstrip("/"), "/.well-known/openid-configuration")
    urls.append((oidc_fallback, "oidc"))
    
    return urls

Then in async_auth_flow():

# Step 2: Discover OAuth metadata (with fallback for legacy servers)
discovery_urls = self._get_discovery_urls()
for url, discovery_type in discovery_urls:
    request = httpx.Request("GET", url, headers={MCP_PROTOCOL_VERSION: LATEST_PROTOCOL_VERSION})
    response = yield request
    
    if response.status_code == 200:
        try:
            content = await response.aread()
            metadata = OAuthMetadata.model_validate_json(content)
            self.context.oauth_metadata = metadata
            # Apply default scope if needed
            if self.context.client_metadata.scope is None and metadata.scopes_supported is not None:
                self.context.client_metadata.scope = " ".join(metadata.scopes_supported)
            break
        except ValidationError:
            continue
    elif response.status_code != 404:
        break  # Non-404 error, stop trying

Benefits of This Approach

1. Explicit discovery order: All URLs are visible in one place
2. No callbacks: Direct, simple URL generation
3. Pythonic iteration: Standard for-loop instead of while/pop
4. Less state: No instance variables for intermediate values
5. Easier testing: URL generation can be unit tested separately
6. Clearer intent: The fallback chain is immediately apparent

Minor Issues

• Line 295: Use return response_status == 404 and discovery_stack instead of len(discovery_stack) > 0
• The comment on line 577-578 about declaring the stack backwards is a code smell

Overall

The implementation is functionally correct and follows the RFCs properly. My suggestions are about reducing complexity and making the code more Pythonic. The callback pattern might make sense in other contexts, but here it adds unnecessary abstraction for what is essentially "try these URLs in order until one works."

Would you consider simplifying the approach? Happy to discuss further or help with the refactoring.

[dsp-ant]

@ihrpr how do you want to sequence this? My suggestion is waiting for this PR to be in an acceptable state, then merge the spec change and the python sdk pr at the same time.

[LucaButBoring]

Will make the changes by EOD tomorrow (juggling other things as well) - I agree with what you called out in general.

---

For context, the reason I did it like this originally was because the entire OAuth flow was duplicated in the async_auth_flow function due to generator syntax limitations, so I was attempting to avoid explicitly writing the entire fallback sequence twice. #1071 was merged earlier today which was able to remove the duplicated OAuth flow, so the discovery stack thing doesn't make sense anymore.

[ihrpr]

@ihrpr how do you want to sequence this? My suggestion is waiting for this PR to be in an acceptable state, then merge the spec change and the python sdk pr at the same time.

yes, that works, adding tracking for this as well

[dsp-ant]

LGTM