Background
This issue is about adding a check for a MUST requirement.
The MCP specification 2025-11-25 says that:
MCP clients MUST use the S256 code challenge method when technically capable, as required by OAuth 2.1 Section 4.1.1.
Since OAuth 2.1 and PKCE specifications do not define a mechanism for clients to discover PKCE support, MCP clients MUST rely on authorization server metadata to verify this capability:
- OAuth 2.0 Authorization Server Metadata: If `code_challenge_methods_supported` is absent, the authorization server does not support PKCE and MCP clients MUST refuse to proceed.
- OpenID Connect Discovery 1.0: While the OpenID Provider Metadata does not define `code_challenge_methods_supported`, this field is commonly included by OpenID providers. MCP clients MUST verify the presence of `code_challenge_methods_supported` in the provider metadata response. If the field is absent, MCP clients MUST refuse to proceed.
Authorization servers providing OpenID Connect Discovery 1.0 MUST include `code_challenge_methods_supported` in their metadata to ensure MCP compatibility.
Therefore, the conformance test for the authorization server must check whether the server metadata includes `code_challenge_methods_supported` and whether its values include `S256`. However, the conformance test for authorization server metadata (#170) does not check that.
Solution
Add the following checks to the conformance test for authorization server metadata (#170):
- Check that the server metadata includes `code_challenge_methods_supported`; if not, the test fails.
- Next, check that the `code_challenge_methods_supported` value includes `S256`; if not, the test fails.
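As an added illustration of the two checks above (example code written for this issue, not the conformance suite's own implementation), here is a standalone validator over a parsed metadata document. The function names, the `CheckResult` shape and the sample metadata documents are assumptions made for the example; the rules follow the MCP 2025-11-25 text quoted above. Note that the `S256` comparison is exact and case-sensitive, since RFC 7636 defines the method names `plain` and `S256` literally.

```typescript
// Added example (not the conformance suite's own code): a standalone
// validator for the PKCE-related field of OAuth 2.0 Authorization Server
// Metadata (RFC 8414) or OpenID Provider Metadata. The function names, the
// CheckResult shape and the sample documents are assumptions for this
// illustration; the rules follow the MCP 2025-11-25 text quoted in the issue.

type Metadata = Record<string, unknown>;

interface CheckResult {
  id: string;
  passed: boolean;
  message: string;
}

const FIELD = "code_challenge_methods_supported";

// Check 1: the field MUST be present. An absent field means the server does
// not advertise PKCE support and the client MUST refuse to proceed, so the
// test fails here. A present but malformed value (not a non-empty array of
// strings) is also treated as a failure, since a client could not rely on it.
function checkPkceFieldPresent(metadata: Metadata): CheckResult {
  const id = "pkce-field-present";
  const value = metadata[FIELD];
  if (value === undefined) {
    return { id, passed: false, message: `${FIELD} is absent; server does not advertise PKCE support` };
  }
  if (!Array.isArray(value) || value.length === 0 || !value.every((v) => typeof v === "string")) {
    return { id, passed: false, message: `${FIELD} must be a non-empty array of strings` };
  }
  return { id, passed: true, message: `${FIELD} present: [${value.join(", ")}]` };
}

// Check 2: the advertised methods MUST include "S256". The comparison is
// exact and case-sensitive: RFC 7636 registers the method names "plain" and
// "S256", so a value such as "s256" does not count.
function checkS256Supported(metadata: Metadata): CheckResult {
  const id = "pkce-s256-supported";
  const value = metadata[FIELD];
  const methods: string[] = Array.isArray(value) ? value.filter((v) => typeof v === "string") : [];
  if (!methods.includes("S256")) {
    return { id, passed: false, message: `${FIELD} does not include S256 (got [${methods.join(", ")}])` };
  }
  return { id, passed: true, message: "S256 code challenge method is supported" };
}

// Run the checks in order. The S256 check is only meaningful once the field
// has been shown to be present, so a failure in check 1 short-circuits.
function runPkceChecks(metadata: Metadata): CheckResult[] {
  const presence = checkPkceFieldPresent(metadata);
  if (!presence.passed) {
    return [presence];
  }
  return [presence, checkS256Supported(metadata)];
}

// Constructed sample metadata documents (not captured from any real server).
const BASE: Metadata = {
  issuer: "https://as.example",
  authorization_endpoint: "https://as.example/authorize",
  token_endpoint: "https://as.example/token",
};
const SAMPLE_OK: Metadata = { ...BASE, [FIELD]: ["S256", "plain"] };
const SAMPLE_MISSING: Metadata = { ...BASE };
const SAMPLE_PLAIN_ONLY: Metadata = { ...BASE, [FIELD]: ["plain"] };
const SAMPLE_WRONG_CASE: Metadata = { ...BASE, [FIELD]: ["s256"] };

for (const [name, doc] of Object.entries({ SAMPLE_OK, SAMPLE_MISSING, SAMPLE_PLAIN_ONLY, SAMPLE_WRONG_CASE })) {
  const results = runPkceChecks(doc);
  const verdict = results.every((r) => r.passed) ? "PASS" : "FAIL";
  console.log(`${name}: ${verdict} - ${results.map((r) => r.message).join("; ")}`);
}
```

Only `SAMPLE_OK` passes both checks; the missing-field document stops after the first check, and the `plain`-only and wrong-case documents pass the presence check but fail the `S256` check.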