stacklok / toolhive / 19247866688

push

github

Add MCP well-known URI auth discovery per MCP Spec (#2527)

* Add MCP well-known URI auth discovery

Implements RFC 9728 Protected Resource Metadata discovery via
well-known URIs when WWW-Authenticate header is not present.
This completes ToolHive's implementation of the MCP specification
requirement that clients MUST support both discovery mechanisms.

Changes:
- Add tryWellKnownDiscovery() to discover auth via well-known URIs
- Add buildWellKnownURI() to construct RFC 9728 compliant URIs
- Add checkWellKnownURIExists() to validate URI accessibility
- Modify DetectAuthenticationFromServer() for well-known fallback
- Add comprehensive unit tests for all discovery paths
- Add regression tests for empty scope handling contracts

The implementation tries endpoint-specific URIs first, then root-level
URIs per MCP spec priority order. This enables authentication with
MCP-compliant servers that use well-known URIs per RFC 9728 Section 3
but don't send WWW-Authenticate headers.

Test coverage: 75.5% for pkg/auth/discovery

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Jon Christiansen <467023+theJC@users.noreply.github.com>

* Update per MR feedback regarding content-type returned from wellknown endpoint, also dont consider wellknown as existing if we cannot access due to unauthorized/401

* fix golangci-lint identified issues

* Add more tests for coverage

* Update comment to make clearer

* PR PR feedback, defensively control how much response draining we are willing to do

* Update test to be more effecient per PR feedback

---------

Signed-off-by: Jon Christiansen <467023+theJC@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>

78 of 81 new or added lines in 1 file covered. (96.3%)

23239 of 47604 relevant lines covered (48.82%)

35.95 hits per line