[BUG]: OAuth-enabled team/private virtual servers advertise resource_metadata but the metadata URL returns 404 #5074

@ioweb-gr

Description

🐞 Bug Summary

When a virtual server is set to visibility=team (or private) and oauth_enabled=true, the MCP endpoint tells the client to fetch OAuth protected resource metadata using the resource_metadata value in the WWW-Authenticate header.

But when the client tries to fetch that metadata URL, Context Forge returns 404 Server not found unless the virtual server is public.

This seems to break the normal OAuth discovery flow for clients that rely on RFC 9728 / MCP OAuth discovery, because the server advertises a metadata URL that is not actually reachable for team/private servers.


🧩 Affected Component

  • mcpgateway - API

🔁 Steps to Reproduce

  1. Create a virtual server with:
    • visibility=team
    • enabled=true
    • oauth_enabled=true
    • valid oauth_config.authorization_servers
  2. Access the MCP endpoint without authentication:
    • GET /servers/{server_id}/mcp
  3. Observe the response:
    • 401 Unauthorized
    • WWW-Authenticate: Bearer resource_metadata="https://<host>/.well-known/oauth-protected-resource/servers/{server_id}/mcp"
  4. Fetch that resource_metadata URL
  5. Observe that it returns:
    • 404 Server not found
  6. Change the same virtual server to visibility=public
  7. Fetch the same metadata URL again
  8. Observe that it now works

🤔 Expected Behavior

If a virtual server is oauth_enabled=true and the MCP endpoint advertises a resource_metadata URL, that metadata URL should be reachable even for team or private servers.

The metadata response should only expose the OAuth discovery information needed by the client, for example:

  • resource
  • authorization_servers
  • supported scopes / bearer methods

It should not make the server, tools, prompts, or resources public.

The actual MCP endpoint (/servers/{server_id}/mcp) should still continue to enforce:

  • OAuth authentication
  • normal user/team/private authorization rules

📓 Actual Behavior

Right now, the OAuth-enabled team/private virtual server advertises a resource_metadata URL, but that URL returns 404 because the metadata endpoint only allows public servers.

So from the client point of view:

  • the server says “use this metadata URL to discover OAuth”
  • but the metadata URL is not accessible

This makes the OAuth discovery flow fail for team/private virtual servers.


📓 Logs / Error Output

Example pattern:

  • MCP endpoint returns:
401 Unauthorized
WWW-Authenticate: Bearer resource_metadata="https://<host>/.well-known/oauth-protected-resource/servers/<server_id>/mcp"
  • Metadata request returns:
404 Server not found

🧠 Environment Info

| Key | Value |
| --- | --- |
| Version or commit | ghcr.io/ibm/mcp-context-forge:v1.0.0-RC-3 |
| Runtime | Docker |
| Platform / OS | Linux |
| Container | Docker |

🧩 Additional Context
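The discovery exchange described in this report, as an added offline simulation that is not part of the issue or of Context Forge's code. It models a client following RFC 9728 discovery against two versions of the metadata endpoint: one that gates the `/.well-known/oauth-protected-resource/...` document on `visibility=public` (the reported behaviour) and one that gates it on `oauth_enabled` only while leaving visibility enforcement to the MCP endpoint (the expected behaviour). The `VirtualServer` class, the handler function names, the host and the server ids are constructed for the example; only the URL shape, the header and the field names quoted in the issue come from the report.

```python
"""Simulated RFC 9728 protected-resource discovery against a virtual server.

Constructed example. The VirtualServer class, SERVERS inventory, host and
handler functions are hypothetical stand-ins, not Context Forge's code.
"""
from dataclasses import dataclass, field
import re

HOST = "https://mcp.example.test"  # constructed host


@dataclass
class VirtualServer:
    server_id: str
    visibility: str            # "public" | "team" | "private"
    enabled: bool
    oauth_enabled: bool
    authorization_servers: list = field(default_factory=list)


# Constructed inventory: a team server (as in the repro steps) and a public one.
SERVERS = {
    "srv-team": VirtualServer("srv-team", "team", True, True, ["https://idp.example.test"]),
    "srv-public": VirtualServer("srv-public", "public", True, True, ["https://idp.example.test"]),
}


def metadata_url(server_id):
    return f"{HOST}/.well-known/oauth-protected-resource/servers/{server_id}/mcp"


def mcp_endpoint(server_id, bearer_token=None):
    """Protected MCP endpoint: unauthenticated requests get the RFC 9728 challenge."""
    srv = SERVERS.get(server_id)
    if srv is None or not srv.enabled:
        return 404, {}, "Server not found"
    if srv.oauth_enabled and not bearer_token:
        challenge = f'Bearer resource_metadata="{metadata_url(server_id)}"'
        return 401, {"WWW-Authenticate": challenge}, "Unauthorized"
    # Token validation and user/team/private authorization would follow here.
    return 200, {}, "ok"


def _metadata_document(srv):
    # Discovery fields only: no tools, prompts or resources are exposed here.
    return {
        "resource": f"{HOST}/servers/{srv.server_id}/mcp",
        "authorization_servers": list(srv.authorization_servers),
        "bearer_methods_supported": ["header"],
    }


def metadata_endpoint_visibility_gated(server_id):
    """Reported behaviour: the metadata document is served only for public servers."""
    srv = SERVERS.get(server_id)
    if srv is None or not srv.enabled or srv.visibility != "public":
        return 404, {}, "Server not found"
    return 200, {}, _metadata_document(srv)


def metadata_endpoint_oauth_gated(server_id):
    """Expected behaviour: served for any enabled OAuth server regardless of
    visibility; visibility is still enforced by mcp_endpoint, not by discovery."""
    srv = SERVERS.get(server_id)
    if srv is None or not srv.enabled or not srv.oauth_enabled:
        return 404, {}, "Server not found"
    return 200, {}, _metadata_document(srv)


_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')
_META_PATH_RE = re.compile(
    re.escape(HOST) + r"/\.well-known/oauth-protected-resource/servers/([^/]+)/mcp"
)


def parse_bearer_challenge(header):
    """Parse auth-params from a 'Bearer k="v", ...' WWW-Authenticate value."""
    if not header.startswith("Bearer"):
        raise ValueError("not a Bearer challenge")
    return dict(_PARAM_RE.findall(header[len("Bearer"):]))


def discover(server_id, metadata_handler):
    """Client side of the flow: call the MCP endpoint unauthenticated, follow the
    advertised resource_metadata URL, return the document or the failing stage."""
    status, headers, _ = mcp_endpoint(server_id)
    if status != 401:
        return {"ok": False, "stage": "mcp", "status": status}
    url = parse_bearer_challenge(headers["WWW-Authenticate"])["resource_metadata"]
    # Offline stand-in for an HTTP GET: route the advertised URL to the handler.
    m = _META_PATH_RE.fullmatch(url)
    if not m:
        return {"ok": False, "stage": "metadata", "status": None, "url": url}
    status, _, body = metadata_handler(m.group(1))
    if status != 200:
        return {"ok": False, "stage": "metadata", "status": status, "url": url}
    return {"ok": True, "metadata": body}


if __name__ == "__main__":
    print(discover("srv-team", metadata_endpoint_visibility_gated))  # stage=metadata, 404
    print(discover("srv-team", metadata_endpoint_oauth_gated))       # ok=True
```

The point of splitting the two gates is that the metadata document contains nothing that visibility is meant to protect, so serving it for a team or private server does not widen access: the MCP endpoint itself still returns 401 without a token and still applies the team/private rules once one is presented.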

Labels: bug (Something isn't working), triage (Issues / Features awaiting triage)
