Add OAuth protected resource metadata endpoint for separate mode

Fixes MCP Inspector connection by providing OAuth discovery endpoint
that points to the external auth server at http://localhost:3001

Author: bhosmer-ant

src/index.ts

@@ -1,5 +1,5 @@
 import { BearerAuthMiddlewareOptions, requireBearerAuth } from "@modelcontextprotocol/sdk/server/auth/middleware/bearerAuth.js";
-import { AuthRouterOptions, getOAuthProtectedResourceMetadataUrl, mcpAuthRouter, mcpAuthMetadataRouter } from "@modelcontextprotocol/sdk/server/auth/router.js";
+import { AuthRouterOptions, getOAuthProtectedResourceMetadataUrl, mcpAuthRouter } from "@modelcontextprotocol/sdk/server/auth/router.js";
 import cors from "cors";
 import rateLimit from "express-rate-limit";
 import express from "express";
@@ -227,18 +227,28 @@ if (AUTH_MODE === 'integrated') {
     }
   }
 
-  // In separate mode, we don't serve OAuth metadata endpoints
-  // The auth server handles all OAuth metadata
-  // We only need to configure the bearer auth middleware
-  
+  // In separate mode, we serve minimal OAuth metadata that points to the auth server
+  // This allows OAuth clients to discover the authorization endpoints
+
+  // Serve OAuth protected resource metadata endpoint
+  app.get('/.well-known/oauth-protected-resource', (req, res) => {
+    res.json({
+      resource: BASE_URI,
+      authorization_server: AUTH_SERVER_URL,
+      bearer_methods_supported: ['header'],
+      resource_documentation: `${BASE_URI}/docs`,
+      resource_signing_alg_values_supported: ['HS256']
+    });
+  });
+
   // Configure bearer auth with external verifier
   const externalVerifier = new ExternalAuthVerifier(AUTH_SERVER_URL);
-  
+
   const bearerAuthOptions: BearerAuthMiddlewareOptions = {
     verifier: externalVerifier,
     resourceMetadataUrl: getOAuthProtectedResourceMetadataUrl(new URL(BASE_URI)),
   };
-  
+
   bearerAuth = requireBearerAuth(bearerAuthOptions);
 }