Using baseUrl as the authorization server URL breaks authentication with Asgardeo #8
Description
Currently the mcp-express package uses the baseUrl as the authorization server in the protected resource metadata response. However, it'd be incorrect to assume that baseUrl will always be the issuer URL. For example, in asgardeo, the baseUrl is https://api.asgardeo.io/t/<tenant-name> and the issuer URL is https://api.asgardeo.io/t/<tenant-name>/oauth2/token. Using the baseUrl for issuerUrl, therefore, breaks mcp authentication for Asgardeo as a identity provider.
Also, its incorrect to assume that issuer URL will always be baseUrl + "/oauth2/token"[1].
To handle these ambiguities, we need to take issuer as another parameter and use it in the authentication flows.