Conversation

@xiaoyijun
Contributor

Add OpenID Connect Discovery Support for Authorization Server Discovery

Motivation and Context

This PR enhances the authorization server discovery mechanism by adding support for OpenID Connect Discovery 1.0 alongside the existing OAuth 2.0 Authorization Server Metadata.

OpenID Connect (OIDC) is built on top of OAuth 2.0, extending it with standardized identity functionality. Many modern authorization servers implement OIDC as their primary protocol, making it crucial for MCP to support both discovery mechanisms. Popular authorization providers such as Keycloak, Auth0, and Logto all implement OIDC discovery by default.

Key benefits:

  • Better compatibility with OIDC-based authorization servers
  • Maintains full OAuth 2.0 compatibility since OIDC is an extension of OAuth 2.0
  • Enables seamless integration with popular identity providers
  • No breaking changes to existing OAuth 2.0 implementations

How Has This Been Tested?

N/A

Breaking Changes

None. This change is fully backwards compatible:

  • Existing OAuth 2.0 metadata discovery continues to work as before
  • Authorization servers can choose which discovery mechanism to implement
  • MCP clients must support both mechanisms but will automatically use the correct one

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Additional context

The addition of OIDC discovery support is particularly valuable because:

  1. OIDC is the de-facto standard for modern identity providers
  2. The .well-known/openid-configuration endpoint is widely supported
  3. OIDC providers automatically support OAuth 2.0 flows since OIDC is built on top of OAuth 2.0
  4. This enables MCP to work seamlessly with popular authorization servers like Keycloak, Auth0, and Logto without additional configuration
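As an added example (not code from this PR or from the MCP project), the client-side routine the description implies: try the RFC 8414 OAuth 2.0 metadata location first, fall back to the OIDC Discovery location, and validate the `issuer` in whichever document is found before mapping it onto the fields an OAuth client needs. The issuer URL, the in-memory fetcher and the metadata document are constructed inputs; the field mapping (`authorization_endpoint`, `token_endpoint`, `registration_endpoint`, `code_challenge_methods_supported`) is one reasonable choice, not the spec's.

```python
"""Added example (not MCP project code): client-side authorization server
discovery that tries RFC 8414 OAuth 2.0 metadata first, then OIDC Discovery.
The issuer URL, fetcher and metadata document below are constructed samples."""
import json
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

OAUTH_WELL_KNOWN = "/.well-known/oauth-authorization-server"  # RFC 8414
OIDC_WELL_KNOWN = "/.well-known/openid-configuration"         # OIDC Discovery 1.0

# A fetcher performs an HTTPS GET and returns the body on 200, or None when
# the document is absent (404 etc.). Injected so the example runs offline.
Fetcher = Callable[[str], Optional[bytes]]


@dataclass(frozen=True)
class ServerMetadata:
    """The subset of fields an OAuth client needs, whichever document supplied them."""
    issuer: str
    authorization_endpoint: str
    token_endpoint: str
    registration_endpoint: Optional[str]
    code_challenge_methods_supported: Tuple[str, ...]
    source: str  # "oauth" or "oidc": which discovery document was used


def candidate_urls(issuer: str) -> List[Tuple[str, str]]:
    """Both well-known locations for an issuer, OAuth AS metadata first.

    RFC 8414 inserts the well-known segment between host and issuer path;
    OIDC Discovery appends it after the issuer path. The two coincide only
    when the issuer has no path component.
    """
    parts = urlsplit(issuer)
    path = parts.path.rstrip("/")
    oauth_url = urlunsplit((parts.scheme, parts.netloc, OAUTH_WELL_KNOWN + path, "", ""))
    oidc_url = urlunsplit((parts.scheme, parts.netloc, path + OIDC_WELL_KNOWN, "", ""))
    return [("oauth", oauth_url), ("oidc", oidc_url)]


def parse_metadata(body: bytes, expected_issuer: str, source: str) -> ServerMetadata:
    """Validate a discovery document and map it onto ServerMetadata.

    Both specs require the document's `issuer` to equal the issuer the client
    used to locate it; a mismatch means this is not the server the client was
    configured to trust, so the client fails closed instead of using it.
    """
    doc = json.loads(body)
    if doc.get("issuer") != expected_issuer:
        raise ValueError(f"issuer mismatch: expected {expected_issuer!r}, got {doc.get('issuer')!r}")
    for key in ("authorization_endpoint", "token_endpoint"):
        value = doc.get(key)
        if not isinstance(value, str) or not value.startswith("https://"):
            raise ValueError(f"{source} metadata lacks an https {key}")
    return ServerMetadata(
        issuer=doc["issuer"],
        authorization_endpoint=doc["authorization_endpoint"],
        token_endpoint=doc["token_endpoint"],
        registration_endpoint=doc.get("registration_endpoint"),
        # Defined by RFC 8414; many OIDC providers publish it too. An empty tuple
        # means "not advertised", which the caller must not read as S256 support.
        code_challenge_methods_supported=tuple(doc.get("code_challenge_methods_supported", ())),
        source=source,
    )


def discover(issuer: str, fetch: Fetcher) -> ServerMetadata:
    """Try the OAuth location, then the OIDC location; use the first document found."""
    parts = urlsplit(issuer)
    if parts.scheme != "https" or parts.query or parts.fragment:
        raise ValueError("issuer must be an https URL without query or fragment")
    tried = []
    for source, url in candidate_urls(issuer):
        body = fetch(url)
        if body is None:
            tried.append(url)
            continue
        # A document that exists but fails validation is an error, not a reason
        # to silently fall through to the other location.
        return parse_metadata(body, issuer, source)
    raise LookupError("no discovery document at: " + ", ".join(tried))


# Constructed sample: a tenant-scoped issuer whose server publishes only the
# OIDC document, the case this PR adds discovery support for.
SAMPLE_ISSUER = "https://auth.example.com/tenant-a"
SAMPLE_OIDC_DOC = json.dumps({
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": SAMPLE_ISSUER + "/authorize",
    "token_endpoint": SAMPLE_ISSUER + "/token",
    "registration_endpoint": SAMPLE_ISSUER + "/register",
    "jwks_uri": SAMPLE_ISSUER + "/jwks",
    "code_challenge_methods_supported": ["S256"],
}).encode()


def sample_fetch(url: str) -> Optional[bytes]:
    """Constructed in-memory fetcher standing in for an HTTPS GET."""
    return SAMPLE_OIDC_DOC if url == SAMPLE_ISSUER + OIDC_WELL_KNOWN else None


if __name__ == "__main__":
    md = discover(SAMPLE_ISSUER, sample_fetch)
    print(f"{md.source}: token endpoint {md.token_endpoint}, PKCE {md.code_challenge_methods_supported}")
```

The issuer check is the part worth keeping whichever document format wins: without it, a client that falls back across two well-known paths has two places where an attacker-controlled or misconfigured host could hand it endpoints for a different server. Treating a malformed-but-present document as a hard error, rather than falling through to the other location, keeps that failure visible.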

@xiaoyijun xiaoyijun changed the title feat: enhance auth server discovery with OAuth2 and OpenID metadata support feat: enhance auth server discovery with OAuth2 and OIDC metadata support Jun 9, 2025
@xiaoyijun xiaoyijun force-pushed the feature/support-oidc-discovery-in-auth-spec branch from 81eca51 to 005d8de June 12, 2025 10:06
@xiaoyijun xiaoyijun force-pushed the feature/support-oidc-discovery-in-auth-spec branch from 005d8de to 79b3dcc June 12, 2025 10:07
@xiaoyijun xiaoyijun requested review from aaronpk and localden June 12, 2025 10:07
@xiaoyijun
Contributor Author

Hi @aaronpk, thanks again for your earlier review 🙏. I've addressed the changes you requested; would you have a moment to take another look?

Member

@pcarleton pcarleton left a comment

LGTM

we'll also need support for this in the SDKs

@localden localden enabled auto-merge June 17, 2025 19:59
@localden localden merged commit 8b50bc2 into modelcontextprotocol:main Jun 17, 2025
2 checks passed
@xiaoyijun
Contributor Author

Hi @pcarleton, I added this support in the client SDK in this PR, PTAL ❤️

@dsp-ant
Member

dsp-ant commented Jun 18, 2025

This is missing an entry in changelog.mdx. @xiaoyijun please follow up and make an entry in changelog.mdx.

@xiaoyijun
Contributor Author

@dsp-ant Apologies for the oversight, and thank you for pointing it out. The changelog entry has been added, and the PR is now ready: #779

@dsp-ant
Member

dsp-ant commented Jun 18, 2025

Just FYI. I will revert this. I think in general it's a good idea, but it is coming in too hot for a spec release that we are cutting today from the draft. This means it will require you to reopen the PR again once we have a new draft.

There are also open questions about how clients should handle the difference in fields between OIDC and OAuth 2.0 AS metadata, which the PR should address.
