fix(mcp): support OAuth for servers without RFC 8414 discovery

[yanniznik]

Issue for this PR

Closes #26195

Type of change

• Bug fix
• New feature
• Refactor / code improvement
• Documentation

What does this PR do?

MCP servers like Google's Workspace endpoints don't implement RFC 8414 (.well-known/oauth-authorization-server) discovery. The MCP SDK already supports a discoveryState() hook on OAuthClientProvider to supply pre-cached authorization metadata, but OpenCode never implemented it.

This adds authorizationEndpoint and tokenEndpoint fields to the OAuth config schema. When set, McpOAuthProvider.discoveryState() returns a synthetic discovery state so the SDK skips its failing RFC 8414 fetch and uses the configured endpoints directly.

There's also a fallback in startAuth(): if a server accepts unauthenticated connections (no UnauthorizedError) but has explicit OAuth endpoints configured and no stored tokens, we proactively trigger the OAuth flow via the SDK's auth() function. Without this, opencode mcp auth <name> would report success without ever opening the browser.

Example config:

{
  "mcp": {
    "google-calendar": {
      "type": "remote",
      "url": "https://calendar.googleapis.com/mcp",
      "oauth": {
        "clientId": "...",
        "clientSecret": "...",
        "authorizationEndpoint": "https://accounts.google.com/o/oauth2/v2/auth",
        "tokenEndpoint": "https://oauth2.googleapis.com/token"
      }
    }
  }
}

How did you verify your code works?

• Added 2 tests for discoveryState() in oauth-auto-connect.test.ts (returns metadata when endpoints configured, returns undefined when not)
• TypeScript build passes (npx tsc --noEmit)
• Manually verified end-to-end with Google People, Gmail, Calendar, and Drive MCP servers

Screenshots / recordings

N/A — no UI changes.

Checklist

• I have tested my changes locally
• I have not included unrelated changes in this PR

[github-actions]

The following comment was made by an LLM, it may be inaccurate:

Potential Related PR Found

PR #26236: fix: force OAuth flow when server accepts unauthenticated connections
#26236

Why it's related: This PR appears to address a closely related concern mentioned in the current PR's description. PR #27068 includes a fallback mechanism in startAuth() to "proactively trigger the OAuth flow via the SDK's auth() function" when a server accepts unauthenticated connections but has explicit OAuth endpoints configured. PR #26236 seems to tackle the same problem space around forcing OAuth flows for such scenarios.

These two PRs likely overlap in scope and should be reviewed together to ensure they're compatible and not duplicating effort.

[github-actions]

Automated PR Cleanup

Thank you for contributing to opencode.

Due to the high volume of PRs from users and AI agents, we periodically close older PRs using automated criteria so maintainers can focus review time on the most active and community-supported contributions.

This PR was closed because it matched the following cleanup criteria:

• The PR was created more than 1 month ago
• The PR had fewer than 2 positive reactions
• Positive reactions are counted as thumbs-up, heart, celebration, or rocket reactions on the PR

PRs created within the last month are not affected by this cleanup.

If you believe this PR was closed incorrectly, or if you are still actively working on it, please leave a comment explaining why it should be reopened. A maintainer can review and reopen it if appropriate.

Thanks again for taking the time to contribute.