
feat: add external auth server example (RFC 8707)#1693

Closed
travisbreaks wants to merge 2 commits into modelcontextprotocol:main from travisbreaks:feat/external-auth-example

Conversation

@travisbreaks

Summary

Closes #658.

Adds a complete external authentication server example demonstrating RFC 8707 resource indicators with the MCP SDK. The example shows how to separate the authorization server from the MCP resource server, which is the recommended pattern for production deployments.

What's included:

  • Authorization server (authServer.ts): standalone OAuth2 AS with RSA key pair generation, JWKS endpoint, dynamic client registration, PKCE validation, and JWT access tokens with audience-bound claims
  • Resource server (resourceServer.ts): MCP server that serves protected resource metadata, validates JWT Bearer tokens via remote JWKS, and exposes authenticated tools (greet, whoami)
  • Client (externalAuthServerClient.ts): demonstrates the full OAuth flow (401 challenge, resource/AS metadata discovery, dynamic registration, authorization, token exchange)
  • README with architecture diagram, RFC references, and comparison with the existing --oauth example

Test plan

  • Start auth server and resource server independently
  • Run client, verify full OAuth2 flow completes
  • Verify JWT audience binding matches resource URL
  • Verify JWKS-based token validation works
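The audience check the test plan calls for ("Verify JWT audience binding matches resource URL"), as an added illustration that is not the PR's code: an RFC 9068-style access token is minted with an `aud` claim, and the resource server accepts it only when the `kid` resolves in the known key set, the signature verifies, and `aud` names the resource server's own URL. The in-memory key map standing in for the AS's JWKS endpoint, the issuer URL and the resource URLs are constructed for this example.

```typescript
import { generateKeyPairSync, sign, verify, KeyObject } from 'node:crypto';

const b64url = (b: Buffer | string): string => Buffer.from(b).toString('base64url');

// Constructed stand-in for the AS's JWKS endpoint: kid -> public key.
// The PR's resource server fetches this remotely; here it is local so the block runs offline.
const { publicKey, privateKey } = generateKeyPairSync('rsa', { modulusLength: 2048 });
const jwks = new Map<string, KeyObject>([['as-key-1', publicKey]]);

// Authorization-server side: mint an RS256 access token bound to one resource (RFC 8707 aud).
export function mintToken(aud: string, sub: string, kid = 'as-key-1', ttlSec = 300): string {
  const header = b64url(JSON.stringify({ alg: 'RS256', typ: 'at+jwt', kid }));
  const now = Math.floor(Date.now() / 1000);
  const payload = b64url(JSON.stringify({ iss: 'https://as.example', sub, aud, iat: now, exp: now + ttlSec }));
  // crypto.sign with an RSA key and sha256 is RSASSA-PKCS1-v1_5, i.e. JWS RS256.
  const sig = sign('sha256', Buffer.from(`${header}.${payload}`), privateKey);
  return `${header}.${payload}.${b64url(sig)}`;
}

// Resource-server side: reject anything not signed by a known key or not minted for us.
export function verifyToken(token: string, expectedAud: string): { ok: boolean; reason?: string; sub?: string } {
  const parts = token.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, 'base64url').toString());
  // Pin the algorithm; the alg header is attacker-controlled until the signature is checked.
  if (header.alg !== 'RS256') return { ok: false, reason: 'bad alg' };
  const key = jwks.get(header.kid);
  if (!key) return { ok: false, reason: 'unknown kid' };
  if (!verify('sha256', Buffer.from(`${h}.${p}`), key, Buffer.from(s, 'base64url'))) {
    return { ok: false, reason: 'bad signature' };
  }
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString());
  const now = Math.floor(Date.now() / 1000);
  if (typeof claims.exp !== 'number' || claims.exp <= now) return { ok: false, reason: 'expired' };
  // RFC 8707 binding: a token minted for another resource server must not be accepted here.
  const auds: unknown[] = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!auds.includes(expectedAud)) return { ok: false, reason: 'audience mismatch' };
  return { ok: true, sub: claims.sub };
}

console.log(verifyToken(mintToken('https://mcp.example/', 'alice'), 'https://mcp.example/'));
```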

@travisbreaks travisbreaks requested a review from a team as a code owner March 17, 2026 04:17
@changeset-bot

changeset-bot bot commented Mar 17, 2026

⚠️ No Changeset found

Latest commit: 9efa772

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@pkg-pr-new

pkg-pr-new bot commented Mar 17, 2026

@modelcontextprotocol/client

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/client@1693

@modelcontextprotocol/server

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/server@1693

@modelcontextprotocol/express

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/express@1693

@modelcontextprotocol/hono

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/hono@1693

@modelcontextprotocol/node

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/node@1693

commit: ca06ce9

travisbreaks and others added 2 commits March 23, 2026 18:40
Adds a new example demonstrating MCP authentication with an external
OAuth2 authorization server, as requested in modelcontextprotocol#658.

The example consists of three components:
- External auth server: standalone OAuth2 AS that issues JWT tokens
  with JWKS endpoint for signature verification
- MCP resource server: validates JWT tokens via JWKS, serves
  protected resource metadata pointing to the external AS
- Client: discovers AS via resource metadata, authenticates, connects

Implements RFC 8707 (resource indicators), RFC 9728 (protected
resource metadata), RFC 9068 (JWT access tokens), RFC 7591 (dynamic
client registration), and RFC 7636 (PKCE).

Closes modelcontextprotocol#658
@felixweinberger felixweinberger force-pushed the feat/external-auth-example branch from 9efa772 to ca06ce9 March 23, 2026 19:06
@felixweinberger
Contributor

Thanks for this. We already have a better-auth example at examples/shared/src/auth.ts, and the migration guide recommends using a dedicated auth library rather than building one from scratch. Adding a 500+ line DIY OAuth server example sends the opposite message. If there's something specific about RFC 8707 resource indicators that the better-auth example doesn't cover, happy to take a smaller addition there. Closing.



Development

Successfully merging this pull request may close these issues.

update server examples to cover external authentication servers