fix: expose OAuth metadata for private servers

Signed-off-by: darrenhalden537-lang <291019754+darrenhalden537-lang@users.noreply.github.com>

Author: darrenhalden537-lang

mcpgateway/services/server_service.py

@@ -1970,19 +1970,23 @@ def get_oauth_protected_resource_metadata(self, db: Session, server_id: str, res
         """
         server = db.get(DbServer, server_id)
 
-        # Return not found for non-existent, disabled, or non-public servers
-        # (avoids leaking information about private/team servers)
+        # Return not found for non-existent or disabled servers.
         if not server:
             raise ServerNotFoundError(f"Server not found: {server_id}")
 
         if not server.enabled:
             raise ServerNotFoundError(f"Server not found: {server_id}")
 
-        if getattr(server, "visibility", "public") != "public":
+        # RFC 9728 metadata is intentionally unauthenticated discovery material.
+        # OAuth-enabled private/team servers advertise this URL from /servers/{id}/mcp;
+        # let those clients fetch only the non-secret authorization metadata while
+        # keeping non-OAuth private/team servers hidden.
+        oauth_enabled = getattr(server, "oauth_enabled", False)
+        if getattr(server, "visibility", "public") != "public" and not oauth_enabled:
             raise ServerNotFoundError(f"Server not found: {server_id}")
 
         # Check OAuth configuration
-        if not getattr(server, "oauth_enabled", False):
+        if not oauth_enabled:
             raise ServerError(f"OAuth not enabled for server: {server_id}")
 
         oauth_config = getattr(server, "oauth_config", None)

tests/e2e/test_oauth_protected_resource.py

@@ -306,8 +306,8 @@ async def test_server_with_oauth_disabled_returns_404(self, client: AsyncClient)
         assert response.status_code == 404
         assert "OAuth not enabled" in response.json()["detail"]
 
-    async def test_private_server_returns_404(self, client: AsyncClient):
-        """Scenario 4: Server with visibility="private" (non-public) returns 404."""
+    async def test_private_server_with_oauth_enabled_returns_metadata(self, client: AsyncClient):
+        """Scenario 4: OAuth-enabled private servers expose only RFC 9728 metadata."""
         server_id = await self._create_server(
             client,
             {
@@ -318,15 +318,41 @@ async def test_private_server_returns_404(self, client: AsyncClient):
                     "oauth_enabled": True,
                     "oauth_config": {
                         "authorization_server": "https://idp.example.com",
+                        "token_endpoint": "https://idp.example.com/oauth/token",
+                        "client_secret": "must-not-be-exposed",
                     },
                 },
                 "team_id": None,
             },
         )
 
+        response = await client.get(f"/.well-known/oauth-protected-resource/servers/{server_id}/mcp")
+        assert response.status_code == 200
+
+        data = response.json()
+        assert data["resource"] == f"http://test/servers/{server_id}/mcp"
+        assert data["authorization_servers"] == ["https://idp.example.com"]
+        assert data["bearer_methods_supported"] == ["header"]
+        # Only discovery metadata should be public; OAuth credentials/endpoints are not exposed.
+        assert "client_secret" not in data
+        assert "token_endpoint" not in data
+
+    async def test_private_server_without_oauth_still_returns_404(self, client: AsyncClient):
+        """Non-public servers without OAuth metadata remain hidden."""
+        server_id = await self._create_server(
+            client,
+            {
+                "server": {
+                    "name": "server_private_no_oauth",
+                    "description": "Private server without OAuth",
+                    "visibility": "private",
+                },
+                "team_id": None,
+            },
+        )
+
         response = await client.get(f"/.well-known/oauth-protected-resource/servers/{server_id}/mcp")
         assert response.status_code == 404
-        # Should not leak that the server exists (just "not found")
         assert "not found" in response.json()["detail"].lower()
 
     async def test_disabled_server_returns_404(self, client: AsyncClient):