Replies: 2 comments
-
hi @btiernay thank you for pointing out the issues! we're taking a look.
-
Now that the linked tickets are closed, adding to provider list in #37. Thanks for all your help!
-
👋 Hi there. First off, thank you for the work on mcp-auth. It’s a well-designed project and I really appreciate the vendor-neutral approach to securing MCP servers.

I'm working on integrating MCP Auth with Auth0 (I work there) and was hoping to contribute support to the provider list. While testing, I ran into a couple of issues that I believe may impact other spec-compliant providers as well:

1. `grant_types_supported` is treated as mandatory, even though the OIDC Discovery spec states that if it is omitted, the default should include `authorization_code`.
2. "`client_id` Should Include `azp` for Industry Compatibility" (js#28) shows that token verification expects a non-standard `client_id` field in the JWT payload, but several key IdPs like Google, Microsoft, and Auth0 use `azp` as the claim for identifying the authorized party.

These seem to come down to strict interpretations that deviate slightly from the spec. I'm currently testing with the JavaScript SDK, but the same issues might also exist in the Python version.

Would love to get your thoughts on whether aligning with the spec here feels like the right direction. I’d be happy to help review or contribute fixes if it helps improve support for compliant providers like Auth0.

Thanks again. This is a really exciting project! 🙇
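The two behaviours the post asks for, shown as an added example that is not mcp-auth's code: defaulting `grant_types_supported` per OIDC Discovery when the metadata omits it, and resolving the authorized party from either `client_id` (RFC 9068 access tokens) or `azp` (Google, Microsoft, Auth0 style tokens). Function names and the sample metadata and payloads are constructed for illustration; rejecting a token that carries both claims with different values is a defensive choice of this example, not something the post or either spec mandates.

```javascript
// OIDC Discovery 1.0 §3: when grant_types_supported is omitted, the default value
// is ["authorization_code", "implicit"]. A verifier that treats the field as
// mandatory rejects a compliant provider for no reason.
const DEFAULT_GRANT_TYPES = ["authorization_code", "implicit"];

// Return the discovery document with the spec default filled in when absent.
function normalizeDiscovery(metadata) {
  const grantTypes = Array.isArray(metadata.grant_types_supported)
    ? metadata.grant_types_supported
    : DEFAULT_GRANT_TYPES;
  return { ...metadata, grant_types_supported: grantTypes };
}

function supportsAuthorizationCode(metadata) {
  return normalizeDiscovery(metadata).grant_types_supported.includes("authorization_code");
}

// Resolve the authorized party from an already-signature-verified JWT payload.
// RFC 9068 tokens carry `client_id`; OIDC-style tokens carry `azp`. Accept either.
// Defensive choice (not required by either spec): if both are present and
// disagree, treat the token as invalid rather than pick one.
function authorizedParty(payload) {
  const { client_id: clientId, azp } = payload;
  if (clientId !== undefined && azp !== undefined && clientId !== azp) {
    return null;
  }
  const party = clientId ?? azp;
  return typeof party === "string" && party.length > 0 ? party : null;
}

// Check that the token was issued to the client this server expects.
function verifyAuthorizedParty(payload, expectedClientId) {
  const party = authorizedParty(payload);
  return party !== null && party === expectedClientId;
}

// Constructed sample inputs (hypothetical issuer, not real provider data).
const sampleDiscovery = {
  issuer: "https://issuer.example",
  authorization_endpoint: "https://issuer.example/authorize",
  // grant_types_supported intentionally omitted
};
const sampleAzpPayload = { iss: "https://issuer.example", sub: "user-1", aud: "https://mcp.example", azp: "abc123" };
const sampleClientIdPayload = { iss: "https://issuer.example", sub: "user-1", aud: "https://mcp.example", client_id: "abc123" };
```

Signature, issuer, audience and expiry checks still happen before the payload reaches `authorizedParty`; this example only covers the claim-name difference the post describes.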