[auth]: revision of support oauth client_secret_basic / none / custom methods

[jaredhanson]

This is based on #720, but makes a couple changes to addClientAuthentication, as follows:

Function signature changed from:

addClientAuthentication?(url: URL, headers: Headers, params: URLSearchParams): void | Promise<void>;

to:

addClientAuthentication?(headers: Headers, params: URLSearchParams, url: string | URL, metadata?: OAuthMetadata): void | Promise<void>;

The most important change here has passing metadata, which allows the custom authentication method to fully negotiate based on authorization server capabilities. The url argument was moved to the third argument for aesthetic reasons, keeping it next to metadata.

The url argument was also changed to accept the authorizationServerUrl, rather than tokenUrl, so it could resolve any URLs present in metadata correctly.

Motivation and Context

This allows OAuthClientProviders to implement custom authentication methods, such as private_key_jwt.

How Has This Been Tested?

Unit tests. Custom OAuthClientProvider implementations implementing custom authentication methods.

Breaking Changes

N/A

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Documentation update

Checklist

• I have read the MCP Documentation
• My code follows the repository's style guidelines
• New and existing tests pass locally
• I have added appropriate error handling
• I have added or updated documentation as needed

Additional context

[ochafik]

This is great, thanks a lot @jaredhanson!

[jaredhanson]

You're welcome!