Only use path-based discovery URLs from the authorization server to discover metadata

[roadmapper]

Use path-based discovery URLs from an authorization server discovered from /.well-known/oauth-protected-resource's authorization_servers value.

1. https://auth.example.com/.well-known/oauth-authorization-server/oauth
2. https://auth.example.com/oauth/.well-known/oauth-authorization-server
3. https://auth.example.com/.well-known/openid-configuration/oauth
4. https://auth.example.com/oauth/.well-known/openid-configuration
5. https://auth.example.com/.well-known/oauth-authorization-server

Motivation and Context

See #1069.
If the root URL contains an OAuth authorization server in addition to the path-based URL supplied from /.well-known/oauth-protected-resource, the incorrect authorization server is relied upon to continue the OAuth flow.

How Has This Been Tested?

Updated unit tests.

Breaking Changes

I do not believe so as the first choice has not been changed which means if no path is set, reading from https://auth.example.com/.well-known/oauth-authorization-server should work as expected.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Documentation update

Checklist

• I have read the MCP Documentation
• My code follows the repository's style guidelines
• New and existing tests pass locally
• I have added appropriate error handling
• I have added or updated documentation as needed

Additional context

Is this behavior documented anywhere else?

[pcarleton]

left a comment on the issue #1069

Let's change the path-based URL list to just be:

• /.well-known/oauth-authorization-server${pathname}
• /.well-known/openid-configuration/${pathname}
• ${pathname}/.well-known/openid-configuration

And not have the root fallbacks.

[pcarleton]

LGTM, ty for this