MCP oauth-authorization-server metadata override

[logan-hcg]

In the current implementation, the authorization_endpoint is generated based on the current request hostname and protocol:

litellm/litellm/proxy/_experimental/mcp_server/discoverable_endpoints.py

Lines 332 to 336 in 97d9da9

	authorization_endpoint = (
	f"{request_base_url}/{mcp_server_name}/authorize"
	if mcp_server_name
	else f"{request_base_url}/authorize"
	)

This works in most cases, but I have a somewhat unique situation where the client is communicating with litellm over an internal domain name (eg http://litellm.svc.cluster.local), but the "User-Agent" will access the authorization endpoint from a public name (eg https://litellm.example.com). I do this for two reasons:

1. so client/MCP server communication is routed only over the private network
2. so that only very specific litellm routes (eg <mcp>/authorize) are allowed via the "public name" proxy (for security reasons)

What about implementing an optional setting similar to PROXY_BASE_URL (

litellm/litellm/types/proxy/management_endpoints/ui_sso.py

Lines 115 to 118 in 97d9da9

	proxy_base_url: Optional[str] = Field(
	default=None,
	description="Base URL of the proxy server for SSO redirects",
	)

) that is used for UI SSO to allow overriding portions of the discovery document?

[ishaan-jaff]

@uc4w6c can you look into this, what do you think of this ?