Pin RFC 8414 Default Well-Known Suffix per SEP-2351

[koic]

Motivation and Context

SEP-2351 (modelcontextprotocol/modelcontextprotocol#2351, merged for the 2026-07-28 spec release) makes explicit that MCP uses the default oauth-authorization-server well-known URI suffix from RFC 8414 Section 3.1 and defines no application-specific suffix.

MCP::Client::OAuth::Discovery.authorization_server_metadata_urls already conforms: it probes the RFC 8414 default suffix first (path-inserted form for path issuers) and otherwise uses only the OpenID Connect Discovery openid-configuration suffix. Neither the Python SDK nor the TypeScript SDK needed a behavior change for this SEP either; their tracking issues (python-sdk#2799, typescript-sdk#2256) remain documentation-level.

This change documents the SEP-2351 guarantee in the discovery helper and locks the behavior in with regression tests so a future refactor cannot silently introduce a non-default suffix.

Resolves #384.

How Has This Been Tested?

New regression tests in test/mcp/client/oauth/discovery_test.rb:

• the first probed candidate for a root issuer is exactly /.well-known/oauth-authorization-server
• every generated candidate uses only the oauth-authorization-server or openid-configuration suffix
• the RFC 8414 path-inserted oauth-authorization-server candidate comes first for issuers with a path component
• an issuer URL with a trailing slash is treated as a root issuer

Breaking Changes

None. Documentation and regression tests only; no behavior change.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Documentation update

Checklist

• I have read the MCP Documentation
• My code follows the repository's style guidelines
• New and existing tests pass locally
• I have added appropriate error handling
• I have added or updated documentation as needed