[scenario] authz metadata discovery tests: compatibility with 2025-03-26 spec, prm root, and www-authenticate (#28)

* clean up constructor calls for server lifecycle

* add back compat test

* fix dup logging, rm prm

* avoid fallbacks

* better error from example client

* add final endpoint method

* add test for OASM priority order

* s/prepack/prepare/ for npx

* try switching to .js

* make tsdown version happy default

* fix lock

* fix prmPath issue

* back to main package-lock

* fix bin path

* Add comprehensive auth scenario test suite

- Add index.test.ts to test all auth scenarios with auth-test.ts client
- Upgrade @modelcontextprotocol/sdk from 1.20.1 to 1.22.0
- All 5 auth scenarios now pass including auth/basic-metadata-var2

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

* consolidate tests into index.test.ts

* rename metadata

* fix comments

* rework auth scenario listing

* add 3rd variation of metadata

* fix some type issues introduced by version bump

* add reusable spec references

* more refs

* fix up spec references

---------

Co-authored-by: Claude <[email protected]>

Author: pcarleton

examples/clients/typescript/helpers/ConformanceOAuthProvider.ts

@@ -67,7 +67,9 @@ export class ConformanceOAuthProvider implements OAuthClientProvider {
           throw new Error('No auth code in redirect URL');
         }
       } else {
-        throw new Error('No redirect location received');
+        throw new Error(
+          `No redirect location received, from '${authorizationUrl.toString()}'`
+        );
       }
     } catch (error) {
       console.error('Failed to fetch authorization URL:', error);

examples/clients/typescript/helpers/withOAuthRetry.ts

@@ -14,7 +14,6 @@ export const handle401 = async (
   serverUrl: string | URL
 ): Promise<void> => {
   const resourceMetadataUrl = extractResourceMetadataUrl(response);
-
   let result = await auth(provider, {
     serverUrl,
     resourceMetadataUrl,

package-lock.json

@@ -26,7 +26,7 @@
     "dist"
   ],
   "bin": {
-    "conformance": "dist/index.mjs"
+    "conformance": "dist/index.js"
   },
   "devDependencies": {
     "@eslint/js": "^9.8.0",
@@ -43,7 +43,7 @@
     "vitest": "^4.0.5"
   },
   "dependencies": {
-    "@modelcontextprotocol/sdk": "^1.20.1",
+    "@modelcontextprotocol/sdk": "^1.22.0",
     "commander": "^14.0.2",
     "express": "^5.1.0",
     "lefthook": "^2.0.2",

package.json

@@ -4,27 +4,26 @@ import { createAuthServer } from './helpers/createAuthServer.js';
 import { createServer } from './helpers/createServer.js';
 import { ServerLifecycle } from './helpers/serverLifecycle.js';
 import { Request, Response } from 'express';
+import { SpecReferences } from './spec-references.js';
 
 export class AuthBasicDCRScenario implements Scenario {
   name = 'auth/basic-dcr';
   description =
     'Tests Basic OAuth flow with DCR, PRM at path-based location, OAuth metadata at root location, and no scopes required';
-  private authServer = new ServerLifecycle(() => this.authBaseUrl);
-  private server = new ServerLifecycle(() => this.baseUrl);
+  private authServer = new ServerLifecycle();
+  private server = new ServerLifecycle();
   private checks: ConformanceCheck[] = [];
-  private baseUrl: string = '';
-  private authBaseUrl: string = '';
 
   async start(): Promise<ScenarioUrls> {
     this.checks = [];
 
-    const authApp = createAuthServer(this.checks, () => this.authBaseUrl);
-    this.authBaseUrl = await this.authServer.start(authApp);
+    const authApp = createAuthServer(this.checks, this.authServer.getUrl);
+    await this.authServer.start(authApp);
 
     const app = createServer(
       this.checks,
-      () => this.baseUrl,
-      () => this.authBaseUrl
+      this.server.getUrl,
+      this.authServer.getUrl
     );
 
     // For this scenario, reject PRM requests at root location since we have the path-based PRM.
@@ -39,10 +38,8 @@ export class AuthBasicDCRScenario implements Scenario {
           status: 'FAILURE',
           timestamp: new Date().toISOString(),
           specReferences: [
-            {
-              id: 'mcp-authorization-prm',
-              url: 'https://modelcontextprotocol.io/specification/draft/basic/authorization#protected-resource-metadata-discovery-requirements'
-            }
+            SpecReferences.RFC_PRM_DISCOVERY,
+            SpecReferences.MCP_PRM_DISCOVERY
           ],
           details: {
             url: req.url,
@@ -58,9 +55,9 @@ export class AuthBasicDCRScenario implements Scenario {
       }
     );
 
-    this.baseUrl = await this.server.start(app);
+    await this.server.start(app);
 
-    return { serverUrl: `${this.baseUrl}/mcp` };
+    return { serverUrl: `${this.server.getUrl()}/mcp` };
   }
 
   async stop() {