add comment about www-authenticate

pcarleton · pcarleton · commit b0b0eaf5ab09 · 2025-11-09T19:22:12.000Z
diff --git a/src/scenarios/client/auth/basic-metadata-var1.ts b/src/scenarios/client/auth/basic-metadata-var1.ts
@@ -29,6 +29,12 @@ export class AuthBasicMetadataVar1Scenario implements Scenario {
       () => this.baseUrl,
       () => this.authBaseUrl,
       {
+        // TODO: this will put this path in the WWW-Authenticate header
+        // but RFC 9728 states that in that case, the resource in the PRM
+        // must match the URL used to make the request to the resource server.
+        // We'll need to establish an opinion on whether that means the
+        // URL for the metadata fetch, or the URL for the MCP endpoint,
+        // or more generally what are the valid scenarios / combos.
         prmPath: '/.well-known/oauth-protected-resource'
       }
     );

Original file line number	Diff line number	Diff line change
`@@ -29,6 +29,12 @@ export class AuthBasicMetadataVar1Scenario implements Scenario {`
`29`	`29`	`() => this.baseUrl,`
`30`	`30`	`() => this.authBaseUrl,`
`31`	`31`	`{`
	`32`	`+ // TODO: this will put this path in the WWW-Authenticate header`
	`33`	`+ // but RFC 9728 states that in that case, the resource in the PRM`
	`34`	`+ // must match the URL used to make the request to the resource server.`
	`35`	`+ // We'll need to establish an opinion on whether that means the`
	`36`	`+ // URL for the metadata fetch, or the URL for the MCP endpoint,`
	`37`	`+ // or more generally what are the valid scenarios / combos.`
`32`	`38`	`prmPath: '/.well-known/oauth-protected-resource'`
`33`	`39`	`}`
`34`	`40`	`);`