Implement SEP-985: Authorization Discovery Fallback to WWW-Authenticate

[felixweinberger]

This is a tracking issue for implementation of SEP-985.

Summary

This SEP clarifies and extends the Protected Resource Metadata discovery mechanism for OAuth 2.0 authorization in MCP. The Rust SDK needs to implement client support for multiple discovery methods with proper fallback behavior, ensuring robust authorization server discovery even when well-known URIs are not available. Clients must first check for a resource_metadata parameter in the WWW-Authenticate header on 401 responses, and if not present, fall back to attempting well-known URIs at both sub-path and root locations.

Related Issues & PRs

• Implementation PRs: n/a
• Related PRs: n/a
• Related Issues: n/a

[alexhancock]

@tanish111 @jokemanfire @gpeal Looking through issues for compliance with the Nov revision of MCP. I think we may already be good on this one?

[tanish111]

@alexhancock i have raised pr yesterday for multiple discovery methods(oauth+oidc) yet to be merged. #598

I think Protected Resource Metadata discovery mechanism for OAuth 2.0 authorization in MCP is done #511

I think WWW-Authenticate header covered in #489