Fall through to well-known discovery when resource metadata auth fails (#4371)

When a server returns resource_metadata in its WWW-Authenticate header,
Priority 3 (RFC 9728) would hard-return on any failure, preventing
Priorities 4 and 5 from running. For servers like Sourcegraph and
Deepsearch whose authorization_servers list contains path-based URLs
(e.g. /.api/mcp/deepsearch), RFC 8414 tenant extraction generates
/.well-known/oauth-authorization-server/.api/mcp/deepsearch — an
endpoint those servers don't serve. Validation fails, Priority 3
errors, and auth is broken despite Priorities 4/5 being able to
derive the correct root-domain issuer.

Fix by capturing the error from tryDiscoverFromResourceMetadata and
only returning on success; failures now log at DEBUG and fall through
to well-known probing (Priority 4) and URL-derived issuer (Priority 5),
restoring the behaviour that existed before 6cad0b5.

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: reyortiz3

pkg/auth/remote/handler.go

@@ -333,7 +333,11 @@ func (h *Handler) discoverIssuerAndScopes(
 
 	// Priority 3: Fetch from resource metadata (RFC 9728)
 	if authInfo.ResourceMetadata != "" {
-		return h.tryDiscoverFromResourceMetadata(ctx, authInfo.ResourceMetadata)
+		issuer, scopes, authServerInfo, err := h.tryDiscoverFromResourceMetadata(ctx, authInfo.ResourceMetadata)
+		if err == nil {
+			return issuer, scopes, authServerInfo, nil
+		}
+		slog.Debug("Resource metadata discovery failed, falling through to well-known discovery", "error", err)
 	}
 
 	// Priority 4: Try to discover actual issuer from the server's well-known endpoint

pkg/auth/remote/handler_test.go

@@ -169,15 +169,15 @@ func TestDiscoverIssuerAndScopes(t *testing.T) {
 			expectError:    false,
 		},
 		{
-			name:   "malformed resource metadata URL",
+			name:   "malformed resource metadata URL falls through to URL-derived issuer",
 			config: &Config{},
 			authInfo: &discovery.AuthInfo{
 				Type:             "OAuth",
 				ResourceMetadata: "not-a-url",
 			},
-			remoteURL:     "https://server.example.com",
-			expectError:   true,
-			errorContains: "could not determine OAuth issuer",
+			remoteURL:      "https://server.example.com",
+			expectError:    false,
+			expectedIssuer: "https://server.example.com",
 		},
 
 		// Edge cases
@@ -442,10 +442,11 @@ func TestDiscoverIssuerAndScopes_Security(t *testing.T) {
 		ctx, cancel := context.WithTimeout(t.Context(), 1*time.Second)
 		defer cancel()
 
-		_, _, _, err := handler.discoverIssuerAndScopes(ctx, authInfo, "https://server.example.com")
+		issuer, _, _, err := handler.discoverIssuerAndScopes(ctx, authInfo, "https://server.example.com")
 
-		// Should timeout or fail gracefully, not hang or crash
-		assert.Error(t, err)
+		// Should not hang or crash; Priority 3 fails gracefully and falls through to URL-derived issuer
+		require.NoError(t, err)
+		assert.Equal(t, "https://server.example.com", issuer)
 	})
 }