add 3rd variation of metadata

Author: pcarleton

examples/clients/typescript/helpers/withOAuthRetry.ts

@@ -14,7 +14,6 @@ export const handle401 = async (
   serverUrl: string | URL
 ): Promise<void> => {
   const resourceMetadataUrl = extractResourceMetadataUrl(response);
-
   let result = await auth(provider, {
     serverUrl,
     resourceMetadataUrl,

src/scenarios/client/auth/basic-metadata.ts

@@ -26,12 +26,6 @@ export class AuthBasicMetadataVar1Scenario implements Scenario {
       this.server.getUrl,
       this.authServer.getUrl,
       {
-        // TODO: this will put this path in the WWW-Authenticate header
-        // but RFC 9728 states that in that case, the resource in the PRM
-        // must match the URL used to make the request to the resource server.
-        // We'll need to establish an opinion on whether that means the
-        // URL for the metadata fetch, or the URL for the MCP endpoint,
-        // or more generally what are the valid scenarios / combos.
         prmPath: '/.well-known/oauth-protected-resource'
       }
     );
@@ -172,11 +166,14 @@ export class AuthBasicMetadataVar3Scenario implements Scenario {
     const app = createServer(
       this.checks,
       this.server.getUrl,
-      this.authServer.getUrl,
+      () => {
+        return `${this.authServer.getUrl()}/tenant1`;
+      },
       {
         // This is a custom path, so unable to get via probing, it's only available
         // via following the `resource_metadata_url` in the WWW-Authenticate header.
-        prmPath: '/.well-known/oauth-protected-resource'
+        // The resource must match the original request URL per RFC 9728.
+        prmPath: '/custom/metadata/location.json'
       }
     );
     await this.server.start(app);

src/scenarios/client/auth/helpers/createServer.ts

@@ -67,8 +67,15 @@ export function createServer(
         }
       });
 
+      // Resource is usually $baseUrl/mcp, but if PRM is at the root,
+      // the resource identifier is the root.
+      const resource =
+        prmPath === '/.well-known/oauth-protected-resource'
+          ? getBaseUrl()
+          : `${getBaseUrl()}/mcp`;
+
       res.json({
-        resource: getBaseUrl(),
+        resource,
         authorization_servers: [getAuthServerUrl()]
       });
     });

src/scenarios/client/auth/index.test.ts

@@ -1,26 +1,21 @@
+import { authScenariosList } from './index.js';
 import {
   runClientAgainstScenario,
   SpawnedClientRunner
 } from './test_helpers/testClient.js';
 import path from 'path';
-import { listScenarios } from '../../index.js';
 
 describe('Client Auth Scenarios', () => {
   const clientPath = path.join(
     process.cwd(),
     'examples/clients/typescript/auth-test.ts'
   );
 
-  // Get all scenarios that start with 'auth/'
-  const authScenarios = listScenarios().filter((name) =>
-    name.startsWith('auth/')
-  );
-
   // Generate individual test for each auth scenario
-  for (const scenarioName of authScenarios) {
-    test(`${scenarioName} passes`, async () => {
+  for (const scenario of authScenariosList) {
+    test(`${scenario.name} passes`, async () => {
       const runner = new SpawnedClientRunner(clientPath);
-      await runClientAgainstScenario(runner, scenarioName);
+      await runClientAgainstScenario(runner, scenario.name);
     });
   }
 });