Fix /.well-known/oauth-authorization-server dropping path

src/client/auth.test.ts

@@ -207,6 +207,24 @@ describe("OAuth Authorization", () => {
       });
     });
 
+    it("returns metadata when discovery succeeds with path", async () => {
+      mockFetch.mockResolvedValueOnce({
+        ok: true,
+        status: 200,
+        json: async () => validMetadata,
+      });
+
+      const metadata = await discoverOAuthMetadata("https://auth.example.com/path/name");
+      expect(metadata).toEqual(validMetadata);
+      const calls = mockFetch.mock.calls;
+      expect(calls.length).toBe(1);
+      const [url, options] = calls[0];
+      expect(url.toString()).toBe("https://auth.example.com/.well-known/oauth-authorization-server/path/name");
+      expect(options.headers).toEqual({
+        "MCP-Protocol-Version": LATEST_PROTOCOL_VERSION
+      });
+    });
+
     it("returns metadata when first fetch fails but second without MCP header succeeds", async () => {
       // Set up a counter to control behavior
       let callCount = 0;

src/client/auth.ts

@@ -297,7 +297,15 @@ export async function discoverOAuthMetadata(
   authorizationServerUrl: string | URL,
   opts?: { protocolVersion?: string },
 ): Promise<OAuthMetadata | undefined> {
-  const url = new URL("/.well-known/oauth-authorization-server", authorizationServerUrl);
+  const issuer = new URL(authorizationServerUrl);
+
+  let wellKnownPath = `/.well-known/oauth-authorization-server${issuer.pathname}`;
+  if (issuer.pathname.endsWith('/')) {
+    // Strip trailing slash from pathname
+    wellKnownPath = wellKnownPath.slice(0, -1);
+  }
+  const url = new URL(wellKnownPath, issuer);
+
   let response: Response;
   try {
     response = await fetch(url, {