clean up unused param

Author: pcarleton

src/client/auth.test.ts

@@ -776,6 +776,22 @@ describe("OAuth Authorization", () => {
             "https://auth.example.com/.well-known/openid-configuration/tenant1",
             "https://auth.example.com/tenant1/.well-known/openid-configuration"
           ]
+        },
+        {
+          description: "with path - all fails, returns undefined",
+          serverUrl: "https://auth.example.com/tenant1",
+          responses: [
+            { success: false, status: 404 }, // OAuth path
+            { success: false, status: 404 }, // OAuth root
+            { success: false, status: 404 }, // OIDC path insertion
+            { success: false, status: 404 }, // OIDC path appending
+          ],
+          expectedPaths: [
+            "https://auth.example.com/.well-known/oauth-authorization-server/tenant1",
+            "https://auth.example.com/.well-known/oauth-authorization-server",
+            "https://auth.example.com/.well-known/openid-configuration/tenant1",
+            "https://auth.example.com/tenant1/.well-known/openid-configuration"
+          ]
         }
       ];
 
@@ -798,7 +814,6 @@ describe("OAuth Authorization", () => {
           });
 
           const metadata = await discoverAuthorizationServerMetadata(
-            "https://mcp.example.com",
             serverUrl
           );
 
@@ -843,45 +858,11 @@ describe("OAuth Authorization", () => {
 
       await expect(
         discoverAuthorizationServerMetadata(
-          "https://mcp.example.com",
           "https://auth.example.com"
         )
       ).rejects.toThrow("does not support S256 code challenge method required by MCP specification");
     });
 
-    it("falls back to legacy MCP server when authorizationServerUrl is undefined", async () => {
-      mockFetch.mockResolvedValueOnce({
-        ok: true,
-        status: 200,
-        json: async () => validOAuthMetadata,
-      });
-
-      const metadata = await discoverAuthorizationServerMetadata(
-        "https://mcp.example.com",
-        undefined
-      );
-
-      expect(metadata).toEqual(validOAuthMetadata);
-      const calls = mockFetch.mock.calls;
-      expect(calls.length).toBe(1);
-      const [url] = calls[0];
-      expect(url.toString()).toBe("https://mcp.example.com/.well-known/oauth-authorization-server");
-    });
-
-    it("returns undefined when legacy MCP server returns 404", async () => {
-      mockFetch.mockResolvedValueOnce({
-        ok: false,
-        status: 404,
-      });
-
-      const metadata = await discoverAuthorizationServerMetadata(
-        "https://mcp.example.com",
-        undefined
-      );
-
-      expect(metadata).toBeUndefined();
-    });
-
     it("throws on non-404 errors in legacy mode", async () => {
       mockFetch.mockResolvedValueOnce({
         ok: false,
@@ -905,7 +886,6 @@ describe("OAuth Authorization", () => {
       });
 
       const metadata = await discoverAuthorizationServerMetadata(
-        "https://mcp.example.com",
         "https://auth.example.com"
       );
 
@@ -928,7 +908,6 @@ describe("OAuth Authorization", () => {
       });
 
       const metadata = await discoverAuthorizationServerMetadata(
-        "https://mcp.example.com",
         "https://auth.example.com",
         { fetchFn: customFetch }
       );
@@ -946,7 +925,6 @@ describe("OAuth Authorization", () => {
       });
 
       const metadata = await discoverAuthorizationServerMetadata(
-        "https://mcp.example.com",
         "https://auth.example.com",
         { protocolVersion: "2025-01-01" }
       );

src/client/auth.ts

@@ -332,12 +332,6 @@ async function authInternal(
     // Ignore errors and fall back to /.well-known/oauth-authorization-server
   }
 
-  const resource: URL | undefined = await selectResourceURL(serverUrl, provider, resourceMetadata);
-
-  const metadata = await discoverAuthorizationServerMetadata(serverUrl, authorizationServerUrl, {
-    fetchFn,
-  });
-
   /**
    * If we don't get a valid authorization server metadata from protected resource metadata,
    * fallback to the legacy MCP spec's implementation (version 2025-03-26): MCP server acts as the Authorization server.
@@ -346,6 +340,12 @@ async function authInternal(
     authorizationServerUrl = serverUrl;
   }
 
+  const resource: URL | undefined = await selectResourceURL(serverUrl, provider, resourceMetadata);
+
+  const metadata = await discoverAuthorizationServerMetadata(authorizationServerUrl, {
+    fetchFn,
+  });
+
   // Handle client registration if needed
   let clientInformation = await Promise.resolve(provider.clientInformation());
   if (!clientInformation) {
@@ -664,24 +664,19 @@ export async function discoverOAuthMetadata(
  * and OpenID Connect Discovery 1.0 specifications.
  *
  * This function implements a fallback strategy for authorization server discovery:
- * 1. If `authorizationServerUrl` is provided, attempts RFC 8414 OAuth metadata discovery first
+ * 1. Attempts RFC 8414 OAuth metadata discovery first
  * 2. If OAuth discovery fails, falls back to OpenID Connect Discovery
- * 3. If `authorizationServerUrl` is not provided, uses legacy MCP specification behavior
  *
- * @param serverUrl - The MCP Server URL, used for legacy specification support where the MCP server
- *                    acts as both the resource server and authorization server
  * @param authorizationServerUrl - The authorization server URL obtained from the MCP Server's
- *                                 protected resource metadata. If this parameter is `undefined`,
- *                                 it indicates that protected resource metadata was not successfully
- *                                 retrieved, triggering legacy fallback behavior
+ *                                 protected resource metadata, or the MCP server's URL if the
+ *                                 metadata was not found.
  * @param options - Configuration options
  * @param options.fetchFn - Optional fetch function for making HTTP requests, defaults to global fetch
  * @param options.protocolVersion - MCP protocol version to use, defaults to LATEST_PROTOCOL_VERSION
  * @returns Promise resolving to authorization server metadata, or undefined if discovery fails
  */
 export async function discoverAuthorizationServerMetadata(
-  serverUrl: string | URL,
-  authorizationServerUrl?: string | URL,
+  authorizationServerUrl: string | URL,
   {
     fetchFn = fetch,
     protocolVersion = LATEST_PROTOCOL_VERSION,
@@ -690,18 +685,10 @@ export async function discoverAuthorizationServerMetadata(
     protocolVersion?: string;
   } = {}
 ): Promise<AuthorizationServerMetadata | undefined> {
-  if (!authorizationServerUrl) {
-    // Legacy support: MCP servers act as the Auth server.
-    return retrieveOAuthMetadataFromMcpServer(serverUrl, {
-      fetchFn,
-      protocolVersion,
-    });
-  }
-
   const url = typeof authorizationServerUrl === 'string' ? new URL(authorizationServerUrl) : authorizationServerUrl;
   const hasPath = url.pathname !== '/';
 
-  const oauthMetadata = await retrieveOAuthMetadataFromAuthorizationServer(authorizationServerUrl, {
+  const oauthMetadata = await fetchOAuthMetadata(authorizationServerUrl, {
     fetchFn,
     protocolVersion,
   });
@@ -712,7 +699,7 @@ export async function discoverAuthorizationServerMetadata(
 
   if (hasPath) {
     const rootUrl = new URL(url.origin);
-    const rootOauthMetadata = await retrieveOAuthMetadataFromAuthorizationServer(rootUrl, {
+    const rootOauthMetadata = await fetchOAuthMetadata(rootUrl, {
       fetchFn,
       protocolVersion,
     });
@@ -730,50 +717,9 @@ export async function discoverAuthorizationServerMetadata(
   return oidcMetadata;
 }
 
-/**
- * Legacy implementation where the MCP server acts as the Auth server.
- * According to MCP spec version 2025-03-26.
- *
- * @param serverUrl - The MCP Server URL
- * @param options - Configuration options
- * @param options.fetchFn - Optional fetch function for making HTTP requests, defaults to global fetch
- * @param options.protocolVersion - MCP protocol version to use (required)
- * @returns Promise resolving to OAuth metadata, or undefined if discovery fails
- */
-async function retrieveOAuthMetadataFromMcpServer(
-  serverUrl: string | URL,
-  {
-    fetchFn = fetch,
-    protocolVersion,
-  }: {
-    fetchFn?: FetchLike;
-    protocolVersion: string;
-  }
-): Promise<OAuthMetadata | undefined> {
-  const serverOrigin = typeof serverUrl === 'string' ? new URL(serverUrl).origin : serverUrl.origin;
-
-  const metadataEndpoint = new URL(buildWellKnownPath('oauth-authorization-server'), serverOrigin);
-
-  const response = await fetchWithCorsRetry(metadataEndpoint, getProtocolVersionHeader(protocolVersion), fetchFn);
-
-  if (!response) {
-    throw new Error(`CORS error trying to load OAuth metadata from ${metadataEndpoint}`);
-  }
-
-  if (!response.ok) {
-    if (response.status === 404) {
-      return undefined;
-    }
-
-    throw new Error(`HTTP ${response.status} trying to load OAuth metadata from ${metadataEndpoint}`);
-  }
-
-  return OAuthMetadataSchema.parse(await response.json());
-}
-
 /**
  * Retrieves RFC 8414 OAuth 2.0 Authorization Server Metadata from the authorization server.
- * 
+ *
  * Per RFC 8414 Section 3.1, when the issuer identifier contains path components,
  * the well-known URI is constructed by inserting "/.well-known/oauth-authorization-server"
  * before the path component.
@@ -784,7 +730,7 @@ async function retrieveOAuthMetadataFromMcpServer(
  * @param options.protocolVersion - MCP protocol version to use (required)
  * @returns Promise resolving to OAuth metadata, or undefined if discovery fails
  */
-async function retrieveOAuthMetadataFromAuthorizationServer(
+async function fetchOAuthMetadata(
   authorizationServerUrl: string | URL,
   {
     fetchFn = fetch,
@@ -821,7 +767,7 @@ async function retrieveOAuthMetadataFromAuthorizationServer(
 
 /**
  * Retrieves OpenID Connect Discovery 1.0 metadata from the authorization server.
- * 
+ *
  * Per RFC 8414 Section 5 compatibility notes and OpenID Connect Discovery 1.0 Section 4.1,
  * when the issuer identifier contains path components, discovery endpoints are tried in order:
  * 1. RFC 8414 style: Insert /.well-known/openid-configuration before the path