Description
https://github.com/abdebek/MCPify/blob/3026494d38d6a680bde7b7088039d76eef3142e7/MCPify/Hosting/McpifyEndpointExtensions.cs#L141C1-L142C1 shouldn't just be uri.GetLeftPart(UriPartial.Authority).
It requests the OAuthAuthorizationCodeAuthentication.authorizationEndpoint in code configuration and then assumes that if you strip it down you get the authority, but that's not practical and doesn't work. Please read https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc#find-your-apps-openid-configuration-document-uri. It would make more sense to just ask for the Authority URL directly.
In my case,
Valid authority: https://login.microsoftonline.com/b81eb003-1c5c-45fd-848f-90d9d3f8d016/v2.0/
Valid authorization endpoint: https://login.microsoftonline.com/b81eb003-1c5c-45fd-848f-90d9d3f8d016/oauth2/v2.0/authorize
Well known endpoint: https://login.microsoftonline.com/b81eb003-1c5c-45fd-848f-90d9d3f8d016/v2.0/.well-known/openid-configuration
See how, even if you strip the authorization endpoint down, you won't get the valid authority server url?
Another, easier example is the GitHub MCP Server; see api.githubcopilot.com/.well-known/oauth-protected-resource/mcp, where it's https://github.com/login/oauth and not just https://github.com. Their well-known endpoint is https://github.com/login/oauth/.well-known/openid-configuration.
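An added example (not MCPify's code) that shows why truncating the authorization endpoint loses the tenant path, and what a server should do instead: take the authority as configuration, build the discovery URL from it, and cross-check the fetched discovery document against the configured values. `left_part_authority` emulates .NET's `Uri.GetLeftPart(UriPartial.Authority)`; the discovery document is a constructed stand-in with only the two fields used here.

```python
"""Authority cannot be derived from the authorization endpoint (constructed example)."""
from urllib.parse import urlsplit


def left_part_authority(url: str) -> str:
    """Emulate Uri.GetLeftPart(UriPartial.Authority): scheme + host[:port], path dropped."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"


def discovery_url(authority: str) -> str:
    """OIDC discovery location: <authority>/.well-known/openid-configuration."""
    return authority.rstrip("/") + "/.well-known/openid-configuration"


def check_discovery_document(authority: str, authorization_endpoint: str, doc: dict) -> list[str]:
    """Cross-check configured values against the fetched discovery document.

    Returns findings; an empty list means the configuration is consistent. The issuer
    check is the OIDC Discovery rule that `issuer` must match the location the document
    was fetched from, which is what protects against issuer mix-up.
    """
    findings = []
    if doc.get("issuer", "").rstrip("/") != authority.rstrip("/"):
        findings.append(f"issuer mismatch: {doc.get('issuer')!r} != {authority!r}")
    if doc.get("authorization_endpoint") != authorization_endpoint:
        findings.append("authorization_endpoint in discovery document differs from configured value")
    return findings


# Values quoted in the issue above.
ENTRA_AUTHORITY = "https://login.microsoftonline.com/b81eb003-1c5c-45fd-848f-90d9d3f8d016/v2.0/"
ENTRA_AUTHORIZE = "https://login.microsoftonline.com/b81eb003-1c5c-45fd-848f-90d9d3f8d016/oauth2/v2.0/authorize"
GITHUB_AUTHORITY = "https://github.com/login/oauth"

# Constructed stand-in for the Entra discovery document (real documents carry many more fields).
ENTRA_DISCOVERY_DOC = {
    "issuer": "https://login.microsoftonline.com/b81eb003-1c5c-45fd-848f-90d9d3f8d016/v2.0",
    "authorization_endpoint": ENTRA_AUTHORIZE,
}

if __name__ == "__main__":
    # Truncation yields only the host, so the tenant-specific authority is lost.
    print(left_part_authority(ENTRA_AUTHORIZE))
    print(discovery_url(ENTRA_AUTHORITY))
    print(check_discovery_document(ENTRA_AUTHORITY, ENTRA_AUTHORIZE, ENTRA_DISCOVERY_DOC))
    print(check_discovery_document(left_part_authority(ENTRA_AUTHORIZE), ENTRA_AUTHORIZE, ENTRA_DISCOVERY_DOC))
```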