add none to test and the router.

[m-henderson]

Advertise none in token_endpoint_auth_methods_supported so that public OAuth clients can interoperate with the MCP Auth Router.

Motivation and Context

Dynamic client registration and token exchange flows for public clients require the AS metadata to list "none" as a supported token endpoint authentication method. Without this, public clients cannot complete an authorization code token flow.

This change updates the Authorization Server metadata to include "none" alongside "client_secret_post".

Fixes #1027

How Has This Been Tested?

• Updated tests in src/server/auth/router.test.ts to expect both "client_secret_post" and "none".
• All tests pass locally.
• Verified manually using:
  • curl:

    curl -s http://localhost:port/.well-known/oauth-authorization-server \
      | jq '.token_endpoint_auth_methods_supported'
    # -> ["client_secret_post", "none"]

Breaking Changes

Not that im aware of. Test are passing but I do not have enough knowledge yet to verify backwards compatibility.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Documentation update

Checklist

• I have read the MCP Documentation
• My code follows the repository's style guidelines
• New and existing tests pass locally
• I have added appropriate error handling
• I have added or updated documentation as needed

Additional context

I checked to see if there was specific documentation that needed to be updated but I didn't see any. If I need to add it let me know.

@felixweinberger Thanks for adding the good first issue label.

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/sdk@1116

commit: 54b74b0

[mattzcarey]

@pcarleton will need your stamp on this :)