@office-ai/aioncli-core 0.2.3 → 0.18.4

package/dist/src/mcp/oauth-provider.test.js

@@ -10,12 +10,33 @@ vi.mock('../utils/secure-browser-launcher.js', () => ({
     openBrowserSecurely: mockOpenBrowserSecurely,
 }));
 vi.mock('node:crypto');
-vi.mock('./oauth-token-storage.js');
+vi.mock('./oauth-token-storage.js', () => {
+    const mockSaveToken = vi.fn();
+    const mockGetCredentials = vi.fn();
+    const mockIsTokenExpired = vi.fn();
+    const mockdeleteCredentials = vi.fn();
+    return {
+        MCPOAuthTokenStorage: vi.fn(() => ({
+            saveToken: mockSaveToken,
+            getCredentials: mockGetCredentials,
+            isTokenExpired: mockIsTokenExpired,
+            deleteCredentials: mockdeleteCredentials,
+        })),
+    };
+});
+vi.mock('../utils/events.js', () => ({
+    coreEvents: {
+        emitFeedback: vi.fn(),
+        emitConsoleLog: vi.fn(),
+    },
+}));
 import { describe, it, expect, beforeEach, afterEach } from 'vitest';
 import * as http from 'node:http';
 import * as crypto from 'node:crypto';
-import { MCPOAuthProvider, } from './oauth-provider.js';
+import { MCPOAuthProvider } from './oauth-provider.js';
 import { MCPOAuthTokenStorage } from './oauth-token-storage.js';
+import { OAuthUtils, } from './oauth-utils.js';
+import { coreEvents } from '../utils/events.js';
 // Mock fetch globally
 const mockFetch = vi.fn();
 global.fetch = mockFetch;
@@ -49,11 +70,12 @@ const createMockResponse = (options) => {
     }
     return response;
 };
-// Define a reusable mock server with .listen, .close, and .on methods
+// Define a reusable mock server with .listen, .close, .on, and .address methods
 const mockHttpServer = {
     listen: vi.fn(),
     close: vi.fn(),
     on: vi.fn(),
+    address: vi.fn(() => ({ address: 'localhost', family: 'IPv4', port: 7777 })),
 };
 vi.mock('node:http', () => ({
     createServer: vi.fn(() => mockHttpServer),
@@ -112,8 +134,9 @@ describe('MCPOAuthProvider', () => {
             return Buffer.alloc(size);
         });
         // Mock token storage
-        vi.mocked(MCPOAuthTokenStorage.saveToken).mockResolvedValue(undefined);
-        vi.mocked(MCPOAuthTokenStorage.getToken).mockResolvedValue(null);
+        const tokenStorage = new MCPOAuthTokenStorage();
+        vi.mocked(tokenStorage.saveToken).mockResolvedValue(undefined);
+        vi.mocked(tokenStorage.getCredentials).mockResolvedValue(null);
     });
     afterEach(() => {
         vi.restoreAllMocks();
@@ -147,7 +170,8 @@ describe('MCPOAuthProvider', () => {
                 text: JSON.stringify(mockTokenResponse),
                 json: mockTokenResponse,
             }));
-            const result = await MCPOAuthProvider.authenticate('test-server', mockConfig);
+            const authProvider = new MCPOAuthProvider();
+            const result = await authProvider.authenticate('test-server', mockConfig);
             expect(result).toEqual({
                 accessToken: 'access_token_123',
                 refreshToken: 'refresh_token_456',
@@ -156,7 +180,8 @@ describe('MCPOAuthProvider', () => {
                 expiresAt: expect.any(Number),
             });
             expect(mockOpenBrowserSecurely).toHaveBeenCalledWith(expect.stringContaining('authorize'));
-            expect(MCPOAuthTokenStorage.saveToken).toHaveBeenCalledWith('test-server', expect.objectContaining({ accessToken: 'access_token_123' }), 'test-client-id', 'https://auth.example.com/token', undefined);
+            const tokenStorage = new MCPOAuthTokenStorage();
+            expect(tokenStorage.saveToken).toHaveBeenCalledWith('test-server', expect.objectContaining({ accessToken: 'access_token_123' }), 'test-client-id', 'https://auth.example.com/token', undefined);
         });
         it('should handle OAuth discovery when no authorization URL provided', async () => {
             // Use a mutable config object
@@ -219,7 +244,8 @@ describe('MCPOAuthProvider', () => {
                 text: JSON.stringify(mockTokenResponse),
                 json: mockTokenResponse,
             }));
-            const result = await MCPOAuthProvider.authenticate('test-server', configWithoutAuth, 'https://api.example.com');
+            const authProvider = new MCPOAuthProvider();
+            const result = await authProvider.authenticate('test-server', configWithoutAuth, 'https://api.example.com');
             expect(result).toBeDefined();
             expect(mockFetch).toHaveBeenCalledWith('https://discovered.auth.com/token', expect.objectContaining({
                 method: 'POST',
@@ -228,7 +254,61 @@ describe('MCPOAuthProvider', () => {
                 }),
             }));
         });
-        it('should perform dynamic client registration when no client ID provided', async () => {
+        it('should perform dynamic client registration when no client ID is provided but registration URL is provided', async () => {
+            const configWithoutClient = {
+                ...mockConfig,
+                registrationUrl: 'https://auth.example.com/register',
+            };
+            delete configWithoutClient.clientId;
+            const mockRegistrationResponse = {
+                client_id: 'dynamic_client_id',
+                client_secret: 'dynamic_client_secret',
+                redirect_uris: ['http://localhost:7777/oauth/callback'],
+                grant_types: ['authorization_code', 'refresh_token'],
+                response_types: ['code'],
+                token_endpoint_auth_method: 'none',
+            };
+            mockFetch.mockResolvedValueOnce(createMockResponse({
+                ok: true,
+                contentType: 'application/json',
+                text: JSON.stringify(mockRegistrationResponse),
+                json: mockRegistrationResponse,
+            }));
+            // Setup callback handler
+            let callbackHandler;
+            vi.mocked(http.createServer).mockImplementation((handler) => {
+                callbackHandler = handler;
+                return mockHttpServer;
+            });
+            mockHttpServer.listen.mockImplementation((port, callback) => {
+                callback?.();
+                setTimeout(() => {
+                    const mockReq = {
+                        url: '/oauth/callback?code=auth_code_123&state=bW9ja19zdGF0ZV8xNl9ieXRlcw',
+                    };
+                    const mockRes = {
+                        writeHead: vi.fn(),
+                        end: vi.fn(),
+                    };
+                    callbackHandler(mockReq, mockRes);
+                }, 10);
+            });
+            // Mock token exchange
+            mockFetch.mockResolvedValueOnce(createMockResponse({
+                ok: true,
+                contentType: 'application/json',
+                text: JSON.stringify(mockTokenResponse),
+                json: mockTokenResponse,
+            }));
+            const authProvider = new MCPOAuthProvider();
+            const result = await authProvider.authenticate('test-server', configWithoutClient);
+            expect(result).toBeDefined();
+            expect(mockFetch).toHaveBeenCalledWith('https://auth.example.com/register', expect.objectContaining({
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+            }));
+        });
+        it('should perform OAuth discovery and dynamic client registration when no client ID or registration URL provided', async () => {
             const configWithoutClient = { ...mockConfig };
             delete configWithoutClient.clientId;
             const mockRegistrationResponse = {
@@ -240,6 +320,7 @@ describe('MCPOAuthProvider', () => {
                 token_endpoint_auth_method: 'none',
             };
             const mockAuthServerMetadata = {
+                issuer: 'https://auth.example.com',
                 authorization_endpoint: 'https://auth.example.com/authorize',
                 token_endpoint: 'https://auth.example.com/token',
                 registration_endpoint: 'https://auth.example.com/register',
@@ -283,7 +364,89 @@ describe('MCPOAuthProvider', () => {
                 text: JSON.stringify(mockTokenResponse),
                 json: mockTokenResponse,
             }));
-            const result = await MCPOAuthProvider.authenticate('test-server', configWithoutClient);
+            const authProvider = new MCPOAuthProvider();
+            const result = await authProvider.authenticate('test-server', configWithoutClient);
+            expect(result).toBeDefined();
+            expect(mockFetch).toHaveBeenCalledWith('https://auth.example.com/register', expect.objectContaining({
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+            }));
+        });
+        it('should perform OAuth discovery once and dynamic client registration when no client ID, authorization URL or registration URL provided', async () => {
+            const configWithoutClientAndAuthorizationUrl = {
+                ...mockConfig,
+            };
+            delete configWithoutClientAndAuthorizationUrl.clientId;
+            delete configWithoutClientAndAuthorizationUrl.authorizationUrl;
+            const mockResourceMetadata = {
+                resource: 'https://api.example.com',
+                authorization_servers: ['https://auth.example.com'],
+            };
+            const mockAuthServerMetadata = {
+                issuer: 'https://auth.example.com',
+                authorization_endpoint: 'https://auth.example.com/authorize',
+                token_endpoint: 'https://auth.example.com/token',
+                registration_endpoint: 'https://auth.example.com/register',
+            };
+            const mockRegistrationResponse = {
+                client_id: 'dynamic_client_id',
+                client_secret: 'dynamic_client_secret',
+                redirect_uris: ['http://localhost:7777/oauth/callback'],
+                grant_types: ['authorization_code', 'refresh_token'],
+                response_types: ['code'],
+                token_endpoint_auth_method: 'none',
+            };
+            mockFetch
+                .mockResolvedValueOnce(createMockResponse({
+                ok: true,
+                status: 200,
+            }))
+                .mockResolvedValueOnce(createMockResponse({
+                ok: true,
+                contentType: 'application/json',
+                text: JSON.stringify(mockResourceMetadata),
+                json: mockResourceMetadata,
+            }))
+                .mockResolvedValueOnce(createMockResponse({
+                ok: true,
+                contentType: 'application/json',
+                text: JSON.stringify(mockAuthServerMetadata),
+                json: mockAuthServerMetadata,
+            }))
+                .mockResolvedValueOnce(createMockResponse({
+                ok: true,
+                contentType: 'application/json',
+                text: JSON.stringify(mockRegistrationResponse),
+                json: mockRegistrationResponse,
+            }));
+            // Setup callback handler
+            let callbackHandler;
+            vi.mocked(http.createServer).mockImplementation((handler) => {
+                callbackHandler = handler;
+                return mockHttpServer;
+            });
+            mockHttpServer.listen.mockImplementation((port, callback) => {
+                callback?.();
+                setTimeout(() => {
+                    const mockReq = {
+                        url: '/oauth/callback?code=auth_code_123&state=bW9ja19zdGF0ZV8xNl9ieXRlcw',
+                    };
+                    const mockRes = {
+                        writeHead: vi.fn(),
+                        end: vi.fn(),
+                    };
+                    callbackHandler(mockReq, mockRes);
+                }, 10);
+            });
+            // Mock token exchange
+            mockFetch.mockResolvedValueOnce(createMockResponse({
+                ok: true,
+                contentType: 'application/json',
+                text: JSON.stringify(mockTokenResponse),
+                json: mockTokenResponse,
+            }));
+            const authProvider = new MCPOAuthProvider();
+            const result = await authProvider.authenticate('test-server', configWithoutClientAndAuthorizationUrl, 'https://api.example.com');
             expect(result).toBeDefined();
             expect(mockFetch).toHaveBeenCalledWith('https://auth.example.com/register', expect.objectContaining({
                 method: 'POST',
@@ -309,7 +472,8 @@ describe('MCPOAuthProvider', () => {
                     callbackHandler(mockReq, mockRes);
                 }, 10);
             });
-            await expect(MCPOAuthProvider.authenticate('test-server', mockConfig)).rejects.toThrow('OAuth error: access_denied');
+            const authProvider = new MCPOAuthProvider();
+            await expect(authProvider.authenticate('test-server', mockConfig)).rejects.toThrow('OAuth error: access_denied');
         });
         it('should handle state mismatch in callback', async () => {
             let callbackHandler;
@@ -330,7 +494,8 @@ describe('MCPOAuthProvider', () => {
                     callbackHandler(mockReq, mockRes);
                 }, 10);
             });
-            await expect(MCPOAuthProvider.authenticate('test-server', mockConfig)).rejects.toThrow('State mismatch - possible CSRF attack');
+            const authProvider = new MCPOAuthProvider();
+            await expect(authProvider.authenticate('test-server', mockConfig)).rejects.toThrow('State mismatch - possible CSRF attack');
         });
         it('should handle token exchange failure', async () => {
             let callbackHandler;
@@ -357,7 +522,185 @@ describe('MCPOAuthProvider', () => {
                 contentType: 'application/x-www-form-urlencoded',
                 text: 'error=invalid_grant&error_description=Invalid grant',
             }));
-            await expect(MCPOAuthProvider.authenticate('test-server', mockConfig)).rejects.toThrow('Token exchange failed: invalid_grant - Invalid grant');
+            const authProvider = new MCPOAuthProvider();
+            await expect(authProvider.authenticate('test-server', mockConfig)).rejects.toThrow('Token exchange failed: invalid_grant - Invalid grant');
+        });
+        it('should handle OAuth discovery failure', async () => {
+            const configWithoutAuth = { ...mockConfig };
+            delete configWithoutAuth.authorizationUrl;
+            delete configWithoutAuth.tokenUrl;
+            mockFetch.mockResolvedValueOnce(createMockResponse({
+                ok: false,
+                status: 404,
+            }));
+            const authProvider = new MCPOAuthProvider();
+            await expect(authProvider.authenticate('test-server', configWithoutAuth, 'https://api.example.com')).rejects.toThrow('Failed to discover OAuth configuration from MCP server');
+        });
+        it('should handle authorization server metadata discovery failure', async () => {
+            const configWithoutClient = { ...mockConfig };
+            delete configWithoutClient.clientId;
+            mockFetch.mockResolvedValue(createMockResponse({
+                ok: false,
+                status: 404,
+            }));
+            // Prevent callback server from hanging the test
+            mockHttpServer.listen.mockImplementation((port, callback) => {
+                callback?.();
+            });
+            const authProvider = new MCPOAuthProvider();
+            await expect(authProvider.authenticate('test-server', configWithoutClient)).rejects.toThrow('Failed to fetch authorization server metadata for client registration');
+        });
+        it('should handle invalid callback request', async () => {
+            let callbackHandler;
+            vi.mocked(http.createServer).mockImplementation((handler) => {
+                callbackHandler = handler;
+                return mockHttpServer;
+            });
+            mockHttpServer.listen.mockImplementation((port, callback) => {
+                callback?.();
+                setTimeout(() => {
+                    const mockReq = {
+                        url: '/invalid-path',
+                    };
+                    const mockRes = {
+                        writeHead: vi.fn(),
+                        end: vi.fn(),
+                    };
+                    callbackHandler(mockReq, mockRes);
+                }, 0);
+            });
+            const authProvider = new MCPOAuthProvider();
+            // The test will timeout if the server does not handle the invalid request correctly.
+            // We are testing that the server does not hang.
+            await Promise.race([
+                authProvider.authenticate('test-server', mockConfig),
+                new Promise((resolve) => setTimeout(resolve, 1000)),
+            ]);
+        });
+        it('should handle token exchange failure with non-json response', async () => {
+            let callbackHandler;
+            vi.mocked(http.createServer).mockImplementation((handler) => {
+                callbackHandler = handler;
+                return mockHttpServer;
+            });
+            mockHttpServer.listen.mockImplementation((port, callback) => {
+                callback?.();
+                setTimeout(() => {
+                    const mockReq = {
+                        url: '/oauth/callback?code=auth_code_123&state=bW9ja19zdGF0ZV8xNl9ieXRlcw',
+                    };
+                    const mockRes = {
+                        writeHead: vi.fn(),
+                        end: vi.fn(),
+                    };
+                    callbackHandler(mockReq, mockRes);
+                }, 10);
+            });
+            mockFetch.mockResolvedValueOnce(createMockResponse({
+                ok: false,
+                status: 500,
+                contentType: 'text/html',
+                text: 'Internal Server Error',
+            }));
+            const authProvider = new MCPOAuthProvider();
+            await expect(authProvider.authenticate('test-server', mockConfig)).rejects.toThrow('Token exchange failed: 500 - Internal Server Error');
+        });
+        it('should handle token exchange with unexpected content type', async () => {
+            let callbackHandler;
+            vi.mocked(http.createServer).mockImplementation((handler) => {
+                callbackHandler = handler;
+                return mockHttpServer;
+            });
+            mockHttpServer.listen.mockImplementation((port, callback) => {
+                callback?.();
+                setTimeout(() => {
+                    const mockReq = {
+                        url: '/oauth/callback?code=auth_code_123&state=bW9ja19zdGF0ZV8xNl9ieXRlcw',
+                    };
+                    const mockRes = {
+                        writeHead: vi.fn(),
+                        end: vi.fn(),
+                    };
+                    callbackHandler(mockReq, mockRes);
+                }, 10);
+            });
+            mockFetch.mockResolvedValueOnce(createMockResponse({
+                ok: true,
+                contentType: 'text/plain',
+                text: 'access_token=plain_text_token',
+            }));
+            const authProvider = new MCPOAuthProvider();
+            const result = await authProvider.authenticate('test-server', mockConfig);
+            expect(result.accessToken).toBe('plain_text_token');
+        });
+        it('should handle refresh token failure with non-json response', async () => {
+            mockFetch.mockResolvedValueOnce(createMockResponse({
+                ok: false,
+                status: 500,
+                contentType: 'text/html',
+                text: 'Internal Server Error',
+            }));
+            const authProvider = new MCPOAuthProvider();
+            await expect(authProvider.refreshAccessToken(mockConfig, 'invalid_refresh_token', 'https://auth.example.com/token')).rejects.toThrow('Token refresh failed: 500 - Internal Server Error');
+        });
+        it('should handle refresh token with unexpected content type', async () => {
+            mockFetch.mockResolvedValueOnce(createMockResponse({
+                ok: true,
+                contentType: 'text/plain',
+                text: 'access_token=plain_text_token',
+            }));
+            const authProvider = new MCPOAuthProvider();
+            const result = await authProvider.refreshAccessToken(mockConfig, 'refresh_token', 'https://auth.example.com/token');
+            expect(result.access_token).toBe('plain_text_token');
+        });
+        it('should continue authentication when browser fails to open', async () => {
+            mockOpenBrowserSecurely.mockRejectedValue(new Error('Browser not found'));
+            let callbackHandler;
+            vi.mocked(http.createServer).mockImplementation((handler) => {
+                callbackHandler = handler;
+                return mockHttpServer;
+            });
+            mockHttpServer.listen.mockImplementation((port, callback) => {
+                callback?.();
+                setTimeout(() => {
+                    const mockReq = {
+                        url: '/oauth/callback?code=auth_code_123&state=bW9ja19zdGF0ZV8xNl9ieXRlcw',
+                    };
+                    const mockRes = {
+                        writeHead: vi.fn(),
+                        end: vi.fn(),
+                    };
+                    callbackHandler(mockReq, mockRes);
+                }, 10);
+            });
+            mockFetch.mockResolvedValueOnce(createMockResponse({
+                ok: true,
+                contentType: 'application/json',
+                text: JSON.stringify(mockTokenResponse),
+                json: mockTokenResponse,
+            }));
+            const authProvider = new MCPOAuthProvider();
+            const result = await authProvider.authenticate('test-server', mockConfig);
+            expect(result).toBeDefined();
+        });
+        it('should return null when token is expired and no refresh token is available', async () => {
+            const expiredCredentials = {
+                serverName: 'test-server',
+                token: {
+                    ...mockToken,
+                    refreshToken: undefined,
+                    expiresAt: Date.now() - 3600000,
+                },
+                clientId: 'test-client-id',
+                tokenUrl: 'https://auth.example.com/token',
+                updatedAt: Date.now(),
+            };
+            const tokenStorage = new MCPOAuthTokenStorage();
+            vi.mocked(tokenStorage.getCredentials).mockResolvedValue(expiredCredentials);
+            vi.mocked(tokenStorage.isTokenExpired).mockReturnValue(true);
+            const authProvider = new MCPOAuthProvider();
+            const result = await authProvider.getValidToken('test-server', mockConfig);
+            expect(result).toBeNull();
         });
         it('should handle callback timeout', async () => {
             vi.mocked(http.createServer).mockImplementation(() => mockHttpServer);
@@ -374,7 +717,8 @@ describe('MCPOAuthProvider', () => {
                 }
                 return originalSetTimeout(callback, 0);
             });
-            await expect(MCPOAuthProvider.authenticate('test-server', mockConfig)).rejects.toThrow('OAuth callback timeout');
+            const authProvider = new MCPOAuthProvider();
+            await expect(authProvider.authenticate('test-server', mockConfig)).rejects.toThrow('OAuth callback timeout');
             global.setTimeout = originalSetTimeout;
         });
     });
@@ -392,7 +736,8 @@ describe('MCPOAuthProvider', () => {
                 text: JSON.stringify(refreshResponse),
                 json: refreshResponse,
             }));
-            const result = await MCPOAuthProvider.refreshAccessToken(mockConfig, 'old_refresh_token', 'https://auth.example.com/token');
+            const authProvider = new MCPOAuthProvider();
+            const result = await authProvider.refreshAccessToken(mockConfig, 'old_refresh_token', 'https://auth.example.com/token');
             expect(result).toEqual(refreshResponse);
             expect(mockFetch).toHaveBeenCalledWith('https://auth.example.com/token', expect.objectContaining({
                 method: 'POST',
@@ -410,7 +755,8 @@ describe('MCPOAuthProvider', () => {
                 text: JSON.stringify(mockTokenResponse),
                 json: mockTokenResponse,
             }));
-            await MCPOAuthProvider.refreshAccessToken(mockConfig, 'refresh_token', 'https://auth.example.com/token');
+            const authProvider = new MCPOAuthProvider();
+            await authProvider.refreshAccessToken(mockConfig, 'refresh_token', 'https://auth.example.com/token');
             const fetchCall = mockFetch.mock.calls[0];
             expect(fetchCall[1].body).toContain('client_secret=test-client-secret');
         });
@@ -421,7 +767,8 @@ describe('MCPOAuthProvider', () => {
                 contentType: 'application/x-www-form-urlencoded',
                 text: 'error=invalid_request&error_description=Invalid refresh token',
             }));
-            await expect(MCPOAuthProvider.refreshAccessToken(mockConfig, 'invalid_refresh_token', 'https://auth.example.com/token')).rejects.toThrow('Token refresh failed: invalid_request - Invalid refresh token');
+            const authProvider = new MCPOAuthProvider();
+            await expect(authProvider.refreshAccessToken(mockConfig, 'invalid_refresh_token', 'https://auth.example.com/token')).rejects.toThrow('Token refresh failed: invalid_request - Invalid refresh token');
         });
     });
     describe('getValidToken', () => {
@@ -433,9 +780,11 @@ describe('MCPOAuthProvider', () => {
                 tokenUrl: 'https://auth.example.com/token',
                 updatedAt: Date.now(),
             };
-            vi.mocked(MCPOAuthTokenStorage.getToken).mockResolvedValue(validCredentials);
-            vi.mocked(MCPOAuthTokenStorage.isTokenExpired).mockReturnValue(false);
-            const result = await MCPOAuthProvider.getValidToken('test-server', mockConfig);
+            const tokenStorage = new MCPOAuthTokenStorage();
+            vi.mocked(tokenStorage.getCredentials).mockResolvedValue(validCredentials);
+            vi.mocked(tokenStorage.isTokenExpired).mockReturnValue(false);
+            const authProvider = new MCPOAuthProvider();
+            const result = await authProvider.getValidToken('test-server', mockConfig);
             expect(result).toBe('access_token_123');
         });
         it('should refresh expired token and return new token', async () => {
@@ -446,8 +795,9 @@ describe('MCPOAuthProvider', () => {
                 tokenUrl: 'https://auth.example.com/token',
                 updatedAt: Date.now(),
             };
-            vi.mocked(MCPOAuthTokenStorage.getToken).mockResolvedValue(expiredCredentials);
-            vi.mocked(MCPOAuthTokenStorage.isTokenExpired).mockReturnValue(true);
+            const tokenStorage = new MCPOAuthTokenStorage();
+            vi.mocked(tokenStorage.getCredentials).mockResolvedValue(expiredCredentials);
+            vi.mocked(tokenStorage.isTokenExpired).mockReturnValue(true);
             const refreshResponse = {
                 access_token: 'new_access_token',
                 token_type: 'Bearer',
@@ -460,13 +810,16 @@ describe('MCPOAuthProvider', () => {
                 text: JSON.stringify(refreshResponse),
                 json: refreshResponse,
             }));
-            const result = await MCPOAuthProvider.getValidToken('test-server', mockConfig);
+            const authProvider = new MCPOAuthProvider();
+            const result = await authProvider.getValidToken('test-server', mockConfig);
             expect(result).toBe('new_access_token');
-            expect(MCPOAuthTokenStorage.saveToken).toHaveBeenCalledWith('test-server', expect.objectContaining({ accessToken: 'new_access_token' }), 'test-client-id', 'https://auth.example.com/token', undefined);
+            expect(tokenStorage.saveToken).toHaveBeenCalledWith('test-server', expect.objectContaining({ accessToken: 'new_access_token' }), 'test-client-id', 'https://auth.example.com/token', undefined);
         });
         it('should return null when no credentials exist', async () => {
-            vi.mocked(MCPOAuthTokenStorage.getToken).mockResolvedValue(null);
-            const result = await MCPOAuthProvider.getValidToken('test-server', mockConfig);
+            const tokenStorage = new MCPOAuthTokenStorage();
+            vi.mocked(tokenStorage.getCredentials).mockResolvedValue(null);
+            const authProvider = new MCPOAuthProvider();
+            const result = await authProvider.getValidToken('test-server', mockConfig);
             expect(result).toBeNull();
         });
         it('should handle refresh failure and remove invalid token', async () => {
@@ -477,19 +830,21 @@ describe('MCPOAuthProvider', () => {
                 tokenUrl: 'https://auth.example.com/token',
                 updatedAt: Date.now(),
             };
-            vi.mocked(MCPOAuthTokenStorage.getToken).mockResolvedValue(expiredCredentials);
-            vi.mocked(MCPOAuthTokenStorage.isTokenExpired).mockReturnValue(true);
-            vi.mocked(MCPOAuthTokenStorage.removeToken).mockResolvedValue(undefined);
+            const tokenStorage = new MCPOAuthTokenStorage();
+            vi.mocked(tokenStorage.getCredentials).mockResolvedValue(expiredCredentials);
+            vi.mocked(tokenStorage.isTokenExpired).mockReturnValue(true);
+            vi.mocked(tokenStorage.deleteCredentials).mockResolvedValue(undefined);
             mockFetch.mockResolvedValueOnce(createMockResponse({
                 ok: false,
                 status: 400,
                 contentType: 'application/x-www-form-urlencoded',
                 text: 'error=invalid_request&error_description=Invalid refresh token',
             }));
-            const result = await MCPOAuthProvider.getValidToken('test-server', mockConfig);
+            const authProvider = new MCPOAuthProvider();
+            const result = await authProvider.getValidToken('test-server', mockConfig);
             expect(result).toBeNull();
-            expect(MCPOAuthTokenStorage.removeToken).toHaveBeenCalledWith('test-server');
-            expect(console.error).toHaveBeenCalledWith(expect.stringContaining('Failed to refresh token'));
+            expect(tokenStorage.deleteCredentials).toHaveBeenCalledWith('test-server');
+            expect(coreEvents.emitFeedback).toHaveBeenCalledWith('error', expect.stringContaining('Failed to refresh auth token'), expect.any(Error));
         });
         it('should return null for token without refresh capability', async () => {
             const tokenWithoutRefresh = {
@@ -503,9 +858,11 @@ describe('MCPOAuthProvider', () => {
                 tokenUrl: 'https://auth.example.com/token',
                 updatedAt: Date.now(),
             };
-            vi.mocked(MCPOAuthTokenStorage.getToken).mockResolvedValue(tokenWithoutRefresh);
-            vi.mocked(MCPOAuthTokenStorage.isTokenExpired).mockReturnValue(true);
-            const result = await MCPOAuthProvider.getValidToken('test-server', mockConfig);
+            const tokenStorage = new MCPOAuthTokenStorage();
+            vi.mocked(tokenStorage.getCredentials).mockResolvedValue(tokenWithoutRefresh);
+            vi.mocked(tokenStorage.isTokenExpired).mockReturnValue(true);
+            const authProvider = new MCPOAuthProvider();
+            const result = await authProvider.getValidToken('test-server', mockConfig);
             expect(result).toBeNull();
         });
     });
@@ -537,7 +894,8 @@ describe('MCPOAuthProvider', () => {
                 text: JSON.stringify(mockTokenResponse),
                 json: mockTokenResponse,
             }));
-            await MCPOAuthProvider.authenticate('test-server', mockConfig);
+            const authProvider = new MCPOAuthProvider();
+            await authProvider.authenticate('test-server', mockConfig);
             expect(crypto.randomBytes).toHaveBeenCalledWith(32); // code verifier
             expect(crypto.randomBytes).toHaveBeenCalledWith(16); // state
             expect(crypto.createHash).toHaveBeenCalledWith('sha256');
@@ -575,7 +933,8 @@ describe('MCPOAuthProvider', () => {
                 text: JSON.stringify(mockTokenResponse),
                 json: mockTokenResponse,
             }));
-            await MCPOAuthProvider.authenticate('test-server', mockConfig, 'https://auth.example.com');
+            const authProvider = new MCPOAuthProvider();
+            await authProvider.authenticate('test-server', mockConfig, 'https://auth.example.com');
             expect(capturedUrl).toBeDefined();
             expect(capturedUrl).toContain('response_type=code');
             expect(capturedUrl).toContain('client_id=test-client-id');
@@ -620,7 +979,8 @@ describe('MCPOAuthProvider', () => {
                 ...mockConfig,
                 authorizationUrl: 'https://auth.example.com/authorize?audience=1234',
             };
-            await MCPOAuthProvider.authenticate('test-server', configWithParamsInUrl);
+            const authProvider = new MCPOAuthProvider();
+            await authProvider.authenticate('test-server', configWithParamsInUrl);
             const url = new URL(capturedUrl);
             expect(url.searchParams.get('audience')).toBe('1234');
             expect(url.searchParams.get('client_id')).toBe('test-client-id');
@@ -661,12 +1021,194 @@ describe('MCPOAuthProvider', () => {
                 ...mockConfig,
                 authorizationUrl: 'https://auth.example.com/authorize#login',
             };
-            await MCPOAuthProvider.authenticate('test-server', configWithFragment);
+            const authProvider = new MCPOAuthProvider();
+            await authProvider.authenticate('test-server', configWithFragment);
             const url = new URL(capturedUrl);
             expect(url.searchParams.get('client_id')).toBe('test-client-id');
             expect(url.hash).toBe('#login');
             expect(url.pathname).toBe('/authorize');
         });
+        it('should use user-configured scopes over discovered scopes', async () => {
+            let capturedUrl;
+            mockOpenBrowserSecurely.mockImplementation((url) => {
+                capturedUrl = url;
+                return Promise.resolve();
+            });
+            const configWithUserScopes = {
+                ...mockConfig,
+                clientId: 'test-client-id',
+                clientSecret: 'test-client-secret',
+                scopes: ['user-scope'],
+            };
+            delete configWithUserScopes.authorizationUrl;
+            delete configWithUserScopes.tokenUrl;
+            const mockResourceMetadata = {
+                authorization_servers: ['https://discovered.auth.com'],
+            };
+            const mockAuthServerMetadata = {
+                authorization_endpoint: 'https://discovered.auth.com/authorize',
+                token_endpoint: 'https://discovered.auth.com/token',
+                scopes_supported: ['discovered-scope'],
+            };
+            mockFetch
+                .mockResolvedValueOnce(createMockResponse({ ok: true, status: 200 }))
+                .mockResolvedValueOnce(createMockResponse({
+                ok: true,
+                contentType: 'application/json',
+                text: JSON.stringify(mockResourceMetadata),
+                json: mockResourceMetadata,
+            }))
+                .mockResolvedValueOnce(createMockResponse({
+                ok: true,
+                contentType: 'application/json',
+                text: JSON.stringify(mockAuthServerMetadata),
+                json: mockAuthServerMetadata,
+            }));
+            // Setup callback handler
+            let callbackHandler;
+            vi.mocked(http.createServer).mockImplementation((handler) => {
+                callbackHandler = handler;
+                return mockHttpServer;
+            });
+            mockHttpServer.listen.mockImplementation((port, callback) => {
+                callback?.();
+                setTimeout(() => {
+                    const mockReq = {
+                        url: '/oauth/callback?code=auth_code&state=bW9ja19zdGF0ZV8xNl9ieXRlcw',
+                    };
+                    const mockRes = { writeHead: vi.fn(), end: vi.fn() };
+                    callbackHandler(mockReq, mockRes);
+                }, 10);
+            });
+            // Mock token exchange
+            mockFetch.mockResolvedValueOnce(createMockResponse({
+                ok: true,
+                contentType: 'application/json',
+                text: JSON.stringify(mockTokenResponse),
+                json: mockTokenResponse,
+            }));
+            const authProvider = new MCPOAuthProvider();
+            await authProvider.authenticate('test-server', configWithUserScopes, 'https://api.example.com');
+            expect(capturedUrl).toBeDefined();
+            const url = new URL(capturedUrl);
+            expect(url.searchParams.get('scope')).toBe('user-scope');
+        });
+        it('should use discovered scopes when no user-configured scopes are provided', async () => {
+            let capturedUrl;
+            mockOpenBrowserSecurely.mockImplementation((url) => {
+                capturedUrl = url;
+                return Promise.resolve();
+            });
+            const configWithoutScopes = {
+                ...mockConfig,
+                clientId: 'test-client-id',
+                clientSecret: 'test-client-secret',
+            };
+            delete configWithoutScopes.scopes;
+            delete configWithoutScopes.authorizationUrl;
+            delete configWithoutScopes.tokenUrl;
+            const mockResourceMetadata = {
+                authorization_servers: ['https://discovered.auth.com'],
+            };
+            const mockAuthServerMetadata = {
+                authorization_endpoint: 'https://discovered.auth.com/authorize',
+                token_endpoint: 'https://discovered.auth.com/token',
+                scopes_supported: ['discovered-scope-1', 'discovered-scope-2'],
+            };
+            mockFetch
+                .mockResolvedValueOnce(createMockResponse({ ok: true, status: 200 }))
+                .mockResolvedValueOnce(createMockResponse({
+                ok: true,
+                contentType: 'application/json',
+                text: JSON.stringify(mockResourceMetadata),
+                json: mockResourceMetadata,
+            }))
+                .mockResolvedValueOnce(createMockResponse({
+                ok: true,
+                contentType: 'application/json',
+                text: JSON.stringify(mockAuthServerMetadata),
+                json: mockAuthServerMetadata,
+            }));
+            // Setup callback handler
+            let callbackHandler;
+            vi.mocked(http.createServer).mockImplementation((handler) => {
+                callbackHandler = handler;
+                return mockHttpServer;
+            });
+            mockHttpServer.listen.mockImplementation((port, callback) => {
+                callback?.();
+                setTimeout(() => {
+                    const mockReq = {
+                        url: '/oauth/callback?code=auth_code&state=bW9ja19zdGF0ZV8xNl9ieXRlcw',
+                    };
+                    const mockRes = { writeHead: vi.fn(), end: vi.fn() };
+                    callbackHandler(mockReq, mockRes);
+                }, 10);
+            });
+            // Mock token exchange
+            mockFetch.mockResolvedValueOnce(createMockResponse({
+                ok: true,
+                contentType: 'application/json',
+                text: JSON.stringify(mockTokenResponse),
+                json: mockTokenResponse,
+            }));
+            const authProvider = new MCPOAuthProvider();
+            await authProvider.authenticate('test-server', configWithoutScopes, 'https://api.example.com');
+            expect(capturedUrl).toBeDefined();
+            const url = new URL(capturedUrl);
+            expect(url.searchParams.get('scope')).toBe('discovered-scope-1 discovered-scope-2');
+        });
+    });
+    describe('issuer discovery conformance', () => {
+        const registrationMetadata = {
+            issuer: 'http://localhost:8888/realms/my-realm',
+            authorization_endpoint: 'http://localhost:8888/realms/my-realm/protocol/openid-connect/auth',
+            token_endpoint: 'http://localhost:8888/realms/my-realm/protocol/openid-connect/token',
+            registration_endpoint: 'http://localhost:8888/realms/my-realm/clients-registrations/openid-connect',
+        };
+        it('falls back to path-based issuer when origin discovery fails', async () => {
+            const authProvider = new MCPOAuthProvider();
+            const providerWithAccess = authProvider;
+            vi.spyOn(OAuthUtils, 'discoverAuthorizationServerMetadata').mockImplementation(async (issuer) => {
+                if (issuer === 'http://localhost:8888/realms/my-realm') {
+                    return registrationMetadata;
+                }
+                return null;
+            });
+            const result = await providerWithAccess.discoverAuthServerMetadataForRegistration('http://localhost:8888/realms/my-realm/protocol/openid-connect/auth');
+            expect(vi.mocked(OAuthUtils.discoverAuthorizationServerMetadata).mock.calls).toEqual([
+                ['http://localhost:8888'],
+                ['http://localhost:8888/realms/my-realm'],
+            ]);
+            expect(result.issuerUrl).toBe('http://localhost:8888/realms/my-realm');
+            expect(result.metadata).toBe(registrationMetadata);
+        });
+        it('trims versioned segments from authorization endpoints', async () => {
+            const authProvider = new MCPOAuthProvider();
+            const providerWithAccess = authProvider;
+            const oktaMetadata = {
+                issuer: 'https://auth.okta.local/oauth2/default',
+                authorization_endpoint: 'https://auth.okta.local/oauth2/default/v1/authorize',
+                token_endpoint: 'https://auth.okta.local/oauth2/default/v1/token',
+                registration_endpoint: 'https://auth.okta.local/oauth2/default/v1/register',
+            };
+            const attempts = [];
+            vi.spyOn(OAuthUtils, 'discoverAuthorizationServerMetadata').mockImplementation(async (issuer) => {
+                attempts.push(issuer);
+                if (issuer === 'https://auth.okta.local/oauth2/default') {
+                    return oktaMetadata;
+                }
+                return null;
+            });
+            const result = await providerWithAccess.discoverAuthServerMetadataForRegistration('https://auth.okta.local/oauth2/default/v1/authorize');
+            expect(attempts).toEqual([
+                'https://auth.okta.local',
+                'https://auth.okta.local/oauth2/default/v1',
+                'https://auth.okta.local/oauth2/default',
+            ]);
+            expect(result.issuerUrl).toBe('https://auth.okta.local/oauth2/default');
+            expect(result.metadata).toBe(oktaMetadata);
+        });
     });
 });
 //# sourceMappingURL=oauth-provider.test.js.map