refactor: use oauth2 package and remove unused functions

Author: radar07

auth/authorization_code.go

@@ -395,40 +395,6 @@ func (h *AuthorizationCodeHandler) getAuthServerMetadata(ctx context.Context, pr
 	return asm, nil
 }
 
-// authorizationServerMetadataURLs returns a list of URLs to try when looking for
-// authorization server metadata as mandated by the MCP specification:
-// https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization#authorization-server-metadata-discovery.
-func authorizationServerMetadataURLs(issuerURL string) []string {
-	var urls []string
-
-	baseURL, err := url.Parse(issuerURL)
-	if err != nil {
-		return nil
-	}
-
-	if baseURL.Path == "" {
-		// "OAuth 2.0 Authorization Server Metadata".
-		baseURL.Path = "/.well-known/oauth-authorization-server"
-		urls = append(urls, baseURL.String())
-		// "OpenID Connect Discovery 1.0".
-		baseURL.Path = "/.well-known/openid-configuration"
-		urls = append(urls, baseURL.String())
-		return urls
-	}
-
-	originalPath := baseURL.Path
-	// "OAuth 2.0 Authorization Server Metadata with path insertion".
-	baseURL.Path = "/.well-known/oauth-authorization-server/" + strings.TrimLeft(originalPath, "/")
-	urls = append(urls, baseURL.String())
-	// "OpenID Connect Discovery 1.0 with path insertion".
-	baseURL.Path = "/.well-known/openid-configuration/" + strings.TrimLeft(originalPath, "/")
-	urls = append(urls, baseURL.String())
-	// "OpenID Connect Discovery 1.0 with path appending".
-	baseURL.Path = "/" + strings.Trim(originalPath, "/") + "/.well-known/openid-configuration"
-	urls = append(urls, baseURL.String())
-	return urls
-}
-
 type registrationType int
 
 const (

auth/enterprise_auth.go

@@ -133,7 +133,7 @@ func EnterpriseAuthFlow(
 	}
 
 	// Step 1: Discover IdP token endpoint via OIDC discovery
-	idpMeta, err := GetAuthServerMetadatForIssuer(ctx, config.IdPIssuerURL, httpClient)
+	idpMeta, err := GetAuthServerMetadataForIssuer(ctx, config.IdPIssuerURL, httpClient)
 	if err != nil {
 		return nil, fmt.Errorf("failed to discover IdP metadata: %w", err)
 	}
@@ -161,7 +161,7 @@ func EnterpriseAuthFlow(
 	}
 
 	// Step 3: JWT Bearer Grant (ID-JAG → Access Token)
-	mcpMeta, err := GetAuthServerMetadatForIssuer(ctx, config.MCPAuthServerURL, httpClient)
+	mcpMeta, err := GetAuthServerMetadataForIssuer(ctx, config.MCPAuthServerURL, httpClient)
 	if err != nil {
 		return nil, fmt.Errorf("failed to discover MCP auth server metadata: %w", err)
 	}
@@ -179,18 +179,3 @@ func EnterpriseAuthFlow(
 	}
 	return accessToken, nil
 }
-
-// GetAuthServerMetadatForIssuer fetches authorization server metadata for the given issuer URL.
-// It tries standard well-known endpoints (OAuth 2.0 and OIDC) and returns the first successful result.
-func GetAuthServerMetadatForIssuer(ctx context.Context, IssuerURL string, httpClient *httpClient) (*oauthex.AuthServerMeta, error) {
-	for _, metadataURL := range authorizationServerMetadataURLs(issuerURL) {
-		asm, err := oauthex.GetAuthServerMeta(ctx, metadataURL, issuerURL, httpClient)
-		if err != nil {
-			return nil, fmt.Errorf("failed to get authorization server metadata: %w", err)
-		}
-		if asm != nil {
-			return asm, nil
-		}
-	}
-	return nil, fmt.Errorf("no authorization server metadata found for %s", issuerURL)
-}

auth/extauth/enterprise_handler.go

@@ -32,40 +32,50 @@ type EnterpriseHandlerConfig struct {
 
 	// IdPIssuerURL is the enterprise IdP's issuer URL (e.g., "https://acme.okta.com").
 	// Used for OIDC discovery to find the token endpoint.
+	// REQUIRED.
 	IdPIssuerURL string
 
 	// IdPClientID is the MCP Client's ID registered at the IdP.
+	// OPTIONAL. Required if the IdP requires client authentication for token exchange.
 	IdPClientID string
 
 	// IdPClientSecret is the MCP Client's secret registered at the IdP.
+	// OPTIONAL. Required if the IdP requires client authentication for token exchange.
 	IdPClientSecret string
 
 	// MCP Server configuration (the resource being accessed)
 
 	// MCPAuthServerURL is the MCP Server's authorization server issuer URL.
 	// Used as the audience for token exchange and for metadata discovery.
+	// REQUIRED.
 	MCPAuthServerURL string
 
 	// MCPResourceURI is the MCP Server's resource identifier (RFC 9728).
 	// Used as the resource parameter in token exchange.
+	// REQUIRED.
 	MCPResourceURI string
 
 	// MCPClientID is the MCP Client's ID registered at the MCP Server.
+	// OPTIONAL. Required if the MCP Server requires client authentication.
 	MCPClientID string
 
 	// MCPClientSecret is the MCP Client's secret registered at the MCP Server.
+	// OPTIONAL. Required if the MCP Server requires client authentication.
 	MCPClientSecret string
 
 	// MCPScopes is the list of scopes to request at the MCP Server.
+	// OPTIONAL.
 	MCPScopes []string
 
 	// IDTokenFetcher is called to obtain an ID Token when authorization is needed.
 	// The implementation should handle the OIDC login flow (e.g., browser redirect,
 	// callback handling) and return the ID token.
+	// REQUIRED.
 	IDTokenFetcher IDTokenFetcher
 
 	// HTTPClient is an optional HTTP client for customization.
 	// If nil, http.DefaultClient is used.
+	// OPTIONAL.
 	HTTPClient *http.Client
 }
 
@@ -117,12 +127,8 @@ func (h *EnterpriseHandler) TokenSource(ctx context.Context) (oauth2.TokenSource
 // Authorize performs the Enterprise Managed Authorization flow.
 // It is called when a request fails with 401 or 403.
 func (h *EnterpriseHandler) Authorize(ctx context.Context, req *http.Request, resp *http.Response) error {
-	defer func() {
-		if resp != nil && resp.Body != nil {
-			io.Copy(io.Discard, resp.Body)
-			resp.Body.Close()
-		}
-	}()
+	defer resp.Body.Close()
+	defer io.Copy(io.Discard, resp.Body)
 
 	httpClient := h.config.HTTPClient
 	if httpClient == nil {