[FEATURE] Support for Protected Resource Metadata Discovery Requirements

[embesozzi]

Feature

Support for Protected Resource Metadata Discovery Requirements [1]. If the tool returns an HTTP 401 Unauthorized response, for example:

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer resource_metadata="https://mcp.example.com/.well-known/oauth-protected-resource",
               scope="files:read"

The MCP client should follow the Authorization Server Metadata Discovery process [2] to retrieve the resource_metadata, and then redirect to the Identity Provider to initiate the step-up process.

Currently, a 401 error is shown in the MCP JAM console.

[1] https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization#protected-resource-metadata-discovery-requirements
[2] https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization#authorization-server-metadata-discovery

[matteo8p]

@embesozzi Thank you so much for requesting this! To clarify, is your proposal to implement CIMD for connecting to MCP servers?

FYI, we currently support CIMD in the OAuth debugger, not in server connections though!

[embesozzi]

Hi Matteo, no, just simple Dynamic Client Registration (DCR). Once MCP Jam sees the HTTP/1.1 401 Unauthorized with resource_metadata, it should:
a) read the resource_metadata URI
b) perform discovery of the Identity Provider endpoints
c) implement (in this case) DCR
d) trigger the OAuth flow login

[matteo8p]

@embesozzi We do have full support for DCR and reading PRM data. I am able to connect to MCP servers with OAuth fine on my end.

What is the issue that you're seeing? Can you provide some screenshots / video recording?