fix: implement RFC 8414 compliant OAuth metadata discovery

go.mod

@@ -6,6 +6,7 @@ toolchain go1.24.10
 
 require (
 	fyne.io/systray v1.11.0
+	github.com/BurntSushi/toml v1.6.0
 	github.com/Microsoft/go-winio v0.6.2
 	github.com/blevesearch/bleve/v2 v2.5.2
 	github.com/dop251/goja v0.0.0-20251103141225-af2ceb9156d7
@@ -14,7 +15,7 @@ require (
 	github.com/golang-jwt/jwt/v5 v5.3.0
 	github.com/google/uuid v1.6.0
 	github.com/inconshreveable/go-update v0.0.0-20160112193335-8152e7eb6ccf
-	github.com/mark3labs/mcp-go v0.43.1
+	github.com/mark3labs/mcp-go v0.44.0-beta.2
 	github.com/oklog/ulid/v2 v2.1.1
 	github.com/pkoukk/tiktoken-go v0.1.8
 	github.com/prometheus/client_golang v1.23.2
@@ -40,7 +41,6 @@ require (
 require (
 	al.essio.dev/pkg/shellescape v1.5.1 // indirect
 	git.sr.ht/~jackmordaunt/go-toast v1.1.2 // indirect
-	github.com/BurntSushi/toml v1.6.0 // indirect
 	github.com/KyleBanks/depth v1.2.1 // indirect
 	github.com/RoaringBitmap/roaring/v2 v2.4.5 // indirect
 	github.com/bahlo/generic-list-go v0.2.0 // indirect

go.sum

@@ -156,8 +156,8 @@ github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN
 github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
 github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
 github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
-github.com/mark3labs/mcp-go v0.43.1 h1:WXNVd+bRM/7mOzCM9zulSwn/s9YEdAxbmeh9LoRHEXY=
-github.com/mark3labs/mcp-go v0.43.1/go.mod h1:YnJfOL382MIWDx1kMY+2zsRHU/q78dBg9aFb8W6Thdw=
+github.com/mark3labs/mcp-go v0.44.0-beta.2 h1:gfUT0m77E4odfgiHkqV/E+MQVaQ06rbutW7Ln0JRkBA=
+github.com/mark3labs/mcp-go v0.44.0-beta.2/go.mod h1:YnJfOL382MIWDx1kMY+2zsRHU/q78dBg9aFb8W6Thdw=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=

internal/oauth/config.go

@@ -617,25 +617,41 @@ func createOAuthConfigInternal(serverConfig *config.ServerConfig, storage *stora
 		zap.String("redirect_uri", callbackServer.RedirectURI),
 		zap.Int("port", callbackServer.Port))
 
-	// Try to construct explicit metadata URLs to avoid timeout issues during auto-discovery
-	// Extract base URL from server URL for .well-known endpoints
-	baseURL, err := parseBaseURL(serverConfig.URL)
-	if err != nil {
-		logger.Warn("Failed to parse base URL for OAuth metadata",
-			zap.String("server", serverConfig.Name),
-			zap.String("url", serverConfig.URL),
-			zap.Error(err))
-		baseURL = ""
-	}
-
+	// Try to find a working metadata URL by validating multiple URL patterns
+	// Different servers use different URL formats:
+	// - Smithery: Uses separate domains (server.smithery.ai/x for MCP, auth.smithery.ai/x for OAuth)
+	//   OAuth metadata at: https://auth.smithery.ai/.well-known/oauth-authorization-server/googledrive
+	// - Cloudflare: Same domain for MCP and OAuth
+	//   OAuth metadata at: https://logs.mcp.cloudflare.com/.well-known/oauth-authorization-server
 	var authServerMetadataURL string
-	if baseURL != "" {
-		authServerMetadataURL = baseURL + "/.well-known/oauth-authorization-server"
-		logger.Info("Using explicit OAuth metadata URL to avoid auto-discovery timeouts",
-			zap.String("server", serverConfig.Name),
-			zap.String("metadata_url", authServerMetadataURL))
+	if serverConfig.URL != "" {
+		// First, try to discover the auth server URL from Protected Resource Metadata
+		// This is necessary for servers like Smithery that use separate domains
+		authServerURL := DiscoverAuthServerURL(serverConfig.URL, 5*time.Second)
+		urlToUse := serverConfig.URL
+		if authServerURL != "" {
+			urlToUse = authServerURL
+			logger.Info("Using discovered auth server URL for metadata discovery",
+				zap.String("server", serverConfig.Name),
+				zap.String("mcp_url", serverConfig.URL),
+				zap.String("auth_server_url", authServerURL))
+		}
+
+		// Now find the working metadata URL using the auth server URL (or server URL as fallback)
+		workingURL, err := FindWorkingMetadataURL(urlToUse, 10*time.Second)
+		if err != nil {
+			logger.Warn("Could not find working OAuth metadata URL, will rely on auto-discovery",
+				zap.String("server", serverConfig.Name),
+				zap.String("url_tried", urlToUse),
+				zap.Error(err))
+		} else {
+			authServerMetadataURL = workingURL
+			logger.Info("Using validated OAuth metadata URL",
+				zap.String("server", serverConfig.Name),
+				zap.String("metadata_url", authServerMetadataURL))
+		}
 	} else {
-		logger.Info("Skipping OAuth metadata URL due to URL parsing issues",
+		logger.Info("Skipping OAuth metadata URL - no server URL configured",
 			zap.String("server", serverConfig.Name))
 	}