Walk the OAuth discovery chain starting from an agent URL. Returns
AuthorizationRequirements when the agent demands OAuth, or null when a
tools/list call succeeds without credentials.
Strategy:
POST tools/list to the agent with no Authorization header.
If 401 + WWW-Authenticate: Bearer: parse the challenge.
If the challenge carries resource_metadata=…: GET it and read
resource + authorization_servers.
For the first authorization_servers[0]: GET /.well-known/oauth-authorization-server
and read authorization_endpoint, token_endpoint, registration_endpoint,
scopes_supported.
Return a structured record.
Anything missing from the chain surfaces as undefined on the result —
callers can still present a partial picture without re-probing.
Walk the OAuth discovery chain starting from an agent URL. Returns
AuthorizationRequirementswhen the agent demands OAuth, ornullwhen atools/listcall succeeds without credentials.Strategy:
tools/listto the agent with noAuthorizationheader.WWW-Authenticate: Bearer: parse the challenge.resource_metadata=…: GET it and readresource+authorization_servers.authorization_servers[0]: GET/.well-known/oauth-authorization-serverand readauthorization_endpoint,token_endpoint,registration_endpoint,scopes_supported.Anything missing from the chain surfaces as
undefinedon the result — callers can still present a partial picture without re-probing.