add test for OASM priority order

Author: pcarleton

src/scenarios/client/auth/basic-metadata-var1.ts

@@ -69,3 +69,92 @@ export class AuthBasicMetadataVar1Scenario implements Scenario {
     return this.checks;
   }
 }
+
+export class AuthBasicMetadataVar2Scenario implements Scenario {
+  // TODO: name should match what we put in the scenario map
+  name = 'auth/basic-metadata-var2';
+  description =
+    'Tests Basic OAuth flow with DCR, PRM at root location, OAuth metadata at path-based OAuth discovery path';
+  private authServer = new ServerLifecycle();
+  private server = new ServerLifecycle();
+  private checks: ConformanceCheck[] = [];
+
+  async start(): Promise<ScenarioUrls> {
+    this.checks = [];
+
+    const authApp = createAuthServer(this.checks, this.authServer.getUrl, {
+      metadataPath: '/tenant1/.well-known/openid-configuration',
+      isOpenIdConfiguration: true,
+      routePrefix: '/tenant1'
+    });
+
+    authApp.get('/.well-known/oauth-authorization-server', (req, res) => {
+      this.checks.push({
+        id: 'authorization-server-metadata-wrong-path',
+        name: 'AuthorizationServerMetadataWrongPath',
+        description:
+          'Client requested authorization server at the root path when the AS URL has a path-based location',
+        status: 'FAILURE',
+        timestamp: new Date().toISOString(),
+        specReferences: [
+          {
+            id: 'RFC-8414',
+            url: 'https://tools.ietf.org/html/rfc8414'
+          }
+        ],
+        details: {
+          url: req.url
+        }
+      });
+      res.status(404).send('Not Found');
+    });
+
+    await this.authServer.start(authApp);
+
+    const app = createServer(
+      this.checks,
+      this.server.getUrl,
+      () => `${this.authServer.getUrl()}/tenant1`,
+      {
+        // TODO: this will put this path in the WWW-Authenticate header
+        // but RFC 9728 states that in that case, the resource in the PRM
+        // must match the URL used to make the request to the resource server.
+        // We'll need to establish an opinion on whether that means the
+        // URL for the metadata fetch, or the URL for the MCP endpoint,
+        // or more generally what are the valid scenarios / combos.
+        prmPath: '/.well-known/oauth-protected-resource'
+      }
+    );
+    await this.server.start(app);
+
+    return { serverUrl: `${this.server.getUrl()}/mcp` };
+  }
+
+  async stop() {
+    await this.authServer.stop();
+    await this.server.stop();
+  }
+
+  getChecks(): ConformanceCheck[] {
+    const expectedSlugs = [
+      'authorization-server-metadata',
+      'client-registration',
+      'authorization-request',
+      'token-request'
+    ];
+
+    for (const slug of expectedSlugs) {
+      if (!this.checks.find((c) => c.id === slug)) {
+        this.checks.push({
+          id: slug,
+          name: `Expected Check Missing: ${slug}`,
+          description: `Expected Check Missing: ${slug}`,
+          status: 'FAILURE',
+          timestamp: new Date().toISOString()
+        });
+      }
+    }
+
+    return this.checks;
+  }
+}

src/scenarios/index.ts

@@ -2,7 +2,10 @@ import { Scenario, ClientScenario } from '../types.js';
 import { InitializeScenario } from './client/initialize.js';
 import { ToolsCallScenario } from './client/tools_call.js';
 import { AuthBasicDCRScenario } from './client/auth/basic-dcr.js';
-import { AuthBasicMetadataVar1Scenario } from './client/auth/basic-metadata-var1.js';
+import {
+  AuthBasicMetadataVar1Scenario,
+  AuthBasicMetadataVar2Scenario
+} from './client/auth/basic-metadata-var1.js';
 import {
   Auth20250326OAuthMetadataBackcompatScenario,
   Auth20250326OEndpointFallbackScenario
@@ -121,6 +124,7 @@ const scenariosList: Scenario[] = [
   new ToolsCallScenario(),
   new AuthBasicDCRScenario(),
   new AuthBasicMetadataVar1Scenario(),
+  new AuthBasicMetadataVar2Scenario(),
   new Auth20250326OAuthMetadataBackcompatScenario(),
   new Auth20250326OEndpointFallbackScenario(),
   new ElicitationClientDefaultsScenario()