OAuth 2.0 authorization flow

[sveneld]

Motivation and Context

This pull request is a draft implementation of oAuth authorization. Its purpose is to outline the general approach, structure, and integration points for further discussion and iteration. At this stage, it is not intended to be a final solution, but rather a starting point for aligning on the overall direction.

How Has This Been Tested?

I attempted to test the Microsoft oAuth authorization flow using npx @modelcontextprotocol/inspector.

However, due to a known authorization bug in the MCP Inspector, the authorization process cannot be completed successfully at the moment. This issue prevents full end-to-end testing via the Inspector (see modelcontextprotocol/inspector#927).

Breaking Changes

No breaking changes are introduced. Existing functionality remains unaffected, and no updates to user code or configuration are required.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Documentation update

Checklist

• [] I have read the MCP Documentation
• [] My code follows the repository's style guidelines
• New and existing tests pass locally
• [] I have added appropriate error handling
• I have added or updated documentation as needed

Additional context

This pull request is intentionally a draft and is primarily meant to facilitate discussion around the oAuth authorization approach and architecture. The implementation may change significantly based on feedback before moving toward a final version.