Description
The current implementation of getMetadataUrl does not correctly handle issuer URLs that include path components. As a result, the function generates an incorrect OAuth Authorization Server Metadata URL in common real-world deployments (e.g. multi-tenant or realm-based servers).
Specifically, the function constructs the metadata URL using only the URL origin, discarding the issuer path entirely.
This behavior doesn't comply with the discovery approach described in RFC 8414, which is also specifically referenced in the MCP specification (https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization#authorization-server-metadata-discovery), where it is stated:
For issuer URLs with path components (e.g., https://auth.example.com/tenant1), clients MUST try endpoints in the following priority order:
- OAuth 2.0 Authorization Server Metadata with path insertion: https://auth.example.com/.well-known/oauth-authorization-server/tenant1
- OpenID Connect Discovery 1.0 with path insertion: https://auth.example.com/.well-known/openid-configuration/tenant1
- OpenID Connect Discovery 1.0 path appending: https://auth.example.com/tenant1/.well-known/openid-configuration
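The following is an added example, not code from this issue or from the project's own `getMetadataUrl`: it builds the candidate metadata URLs in the priority order quoted above, and also covers the no-path issuer case from RFC 8414 section 3 and OpenID Connect Discovery 1.0 (plain `/.well-known/oauth-authorization-server` and `/.well-known/openid-configuration`), which the quoted passage does not show. `originOnlyMetadataUrl` is a reconstruction of the reported origin-only behaviour for contrast, not the project's actual implementation. The `Fetcher` type, `discoverMetadata`, `sampleServer` and the `/realms/demo` issuer are assumptions constructed for the example so it runs offline.

```typescript
// Added example (not the project's code): RFC 8414 / OIDC Discovery candidate URLs
// in the priority order quoted from the MCP specification, plus a discovery loop.

// Issuer identifiers carry no query or fragment (RFC 8414 section 2). A trailing slash
// is dropped so "https://x/tenant1/" and "https://x/tenant1" yield the same candidates.
function normalizeIssuer(issuer: string): { origin: string; path: string } {
  const url = new URL(issuer);
  if (url.search !== "" || url.hash !== "") {
    throw new Error("issuer URL must not contain a query or fragment");
  }
  return { origin: url.origin, path: url.pathname.replace(/\/+$/, "") };
}

// Reconstruction of the behaviour this issue reports: only the origin is used, so the
// tenant/realm path is silently lost. Illustrative, not the project's implementation.
function originOnlyMetadataUrl(issuer: string): string {
  return `${new URL(issuer).origin}/.well-known/oauth-authorization-server`;
}

// Candidate URLs in the order a client MUST try them.
function getMetadataDiscoveryUrls(issuer: string): string[] {
  const { origin, path } = normalizeIssuer(issuer);
  if (path === "") {
    // No path component: plain well-known URLs (RFC 8414 section 3, OIDC Discovery 1.0).
    return [
      `${origin}/.well-known/oauth-authorization-server`,
      `${origin}/.well-known/openid-configuration`,
    ];
  }
  return [
    `${origin}/.well-known/oauth-authorization-server${path}`, // path insertion
    `${origin}/.well-known/openid-configuration${path}`,       // path insertion
    `${origin}${path}/.well-known/openid-configuration`,       // path appending
  ];
}

// Minimal synchronous stand-in for an HTTP client so the example runs offline (assumption).
type DiscoveryResponse = { status: number; body: unknown };
type Fetcher = (url: string) => DiscoveryResponse;

// Try each candidate in order; accept the first 200, but only if the document's "issuer"
// equals the issuer identifier the URL was derived from (RFC 8414 section 3.3). Without
// that check a document served under another tenant's path would be accepted.
function discoverMetadata(
  issuer: string,
  fetcher: Fetcher,
): { url: string; metadata: Record<string, unknown> } {
  const { origin, path } = normalizeIssuer(issuer);
  const expectedIssuer = origin + path;
  for (const url of getMetadataDiscoveryUrls(issuer)) {
    const res = fetcher(url);
    if (res.status !== 200) continue; // 404 etc.: fall through to the next candidate
    const metadata = res.body as Record<string, unknown>;
    if (metadata.issuer !== expectedIssuer) {
      throw new Error(`issuer mismatch at ${url}: got ${String(metadata.issuer)}`);
    }
    return { url, metadata };
  }
  throw new Error(`no authorization server metadata found for ${issuer}`);
}

// Constructed sample: a realm-based server that only serves the OIDC path-appending form,
// so the first two candidates return 404 and the third succeeds.
const sampleServer: Record<string, DiscoveryResponse> = {
  "https://auth.example.com/realms/demo/.well-known/openid-configuration": {
    status: 200,
    body: {
      issuer: "https://auth.example.com/realms/demo",
      authorization_endpoint: "https://auth.example.com/realms/demo/authorize",
      token_endpoint: "https://auth.example.com/realms/demo/token",
    },
  },
};
const sampleFetcher: Fetcher = (url) => sampleServer[url] ?? { status: 404, body: null };

// Usage: discoverMetadata("https://auth.example.com/realms/demo", sampleFetcher)
// resolves via the third candidate; the origin-only reconstruction would have asked
// for https://auth.example.com/.well-known/oauth-authorization-server and got a 404.
```

Note that the issuer comparison is deliberately exact: a server whose metadata reports `https://auth.example.com/realms/demo` for a client that was configured with a different tenant path is rejected rather than silently accepted.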