fix(metadata): advertise refresh_token in grant_types_supported#34

Open
caiopavanelli wants to merge 1 commit into
tuannvm:mainfrom
caiopavanelli:fix/discovery-refresh-token-grant-types
Conversation

@caiopavanelli caiopavanelli commented Jun 2, 2026

Fixes #33

Summary

Discovery endpoints advertised only authorization_code in grant_types_supported, while /oauth/token already supports grant_type=refresh_token (since #17) and /oauth/register already lists both grant types. Conformant MCP clients skip silent token renewal when metadata omits refresh_token (RFC 8414).

This PR aligns all authorization-server metadata responses with the token endpoint and registration behavior.

Changes

  • Add refresh_token to grant_types_supported in:
    • HandleMetadata (GET /oauth/metadata)
    • HandleOIDCDiscovery (GET /.well-known/openid-configuration)
    • GetAuthorizationServerMetadata() (native and proxy branches)

No changes to /oauth/token handlers or scope handling.

Testing

  • go test ./... passes locally
  • Manual: fetch /.well-known/openid-configuration (or proxy-mode MCP discovery) and confirm grant_types_supported includes refresh_token

Related

Summary by CodeRabbit

  • New Features
    • OAuth/OIDC metadata responses now advertise support for the refresh token grant type in addition to authorization code grant type across all discovery endpoints.
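The two checks the description implies, as an added example rather than code from this PR or from oauth-mcp-proxy: the client-side decision (parse an RFC 8414 metadata document and only attempt grant_type=refresh_token when grant_types_supported lists it, applying the RFC 8414 default of ["authorization_code", "implicit"] when the field is omitted) and the server-side consistency check that would have caught this bug (every grant type the registration endpoint hands out must also be advertised in metadata). The asMetadata type, the function names, the registeredGrantTypes list and the two sample metadata documents are constructed for the example and are not the project's.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// asMetadata holds the RFC 8414 fields this example needs. It is a
// hypothetical type for the example, not a type from oauth-mcp-proxy.
type asMetadata struct {
	Issuer              string   `json:"issuer"`
	TokenEndpoint       string   `json:"token_endpoint"`
	GrantTypesSupported []string `json:"grant_types_supported"`
}

// rfc8414DefaultGrantTypes is what RFC 8414 section 2 tells a client to assume
// when grant_types_supported is absent. An explicit empty array is not
// "absent": it advertises no grant types at all.
var rfc8414DefaultGrantTypes = []string{"authorization_code", "implicit"}

// effectiveGrantTypes returns the advertised list, or the RFC default when the
// field was omitted (json.Unmarshal leaves the slice nil in that case and
// produces an empty non-nil slice for an explicit []).
func effectiveGrantTypes(m asMetadata) []string {
	if m.GrantTypesSupported == nil {
		return rfc8414DefaultGrantTypes
	}
	return m.GrantTypesSupported
}

func supportsGrant(m asMetadata, grant string) bool {
	for _, g := range effectiveGrantTypes(m) {
		if g == grant {
			return true
		}
	}
	return false
}

// canSilentlyRefresh is the client-side decision the PR description refers to:
// a conformant client only sends grant_type=refresh_token to the token
// endpoint when the metadata it discovered says the server supports it.
func canSilentlyRefresh(metadataDoc []byte) (bool, error) {
	var m asMetadata
	if err := json.Unmarshal(metadataDoc, &m); err != nil {
		return false, fmt.Errorf("parse metadata: %w", err)
	}
	if m.Issuer == "" || m.TokenEndpoint == "" {
		return false, fmt.Errorf("metadata lacks issuer or token_endpoint")
	}
	return supportsGrant(m, "refresh_token"), nil
}

// missingFromMetadata is the server-side consistency check that would have
// caught this mismatch: every grant type the registration endpoint returns to
// clients must also appear in grant_types_supported.
func missingFromMetadata(m asMetadata, registrationGrantTypes []string) []string {
	var missing []string
	for _, g := range registrationGrantTypes {
		if !supportsGrant(m, g) {
			missing = append(missing, g)
		}
	}
	return missing
}

// Constructed sample documents standing in for the metadata before and after
// this PR; the issuer and endpoint URLs are placeholders.
const metadataBefore = `{"issuer":"https://proxy.example","token_endpoint":"https://proxy.example/oauth/token","grant_types_supported":["authorization_code"]}`
const metadataAfter = `{"issuer":"https://proxy.example","token_endpoint":"https://proxy.example/oauth/token","grant_types_supported":["authorization_code","refresh_token"]}`

// registeredGrantTypes stands in for the grant_types list /oauth/register
// returns; the description says it already lists both.
var registeredGrantTypes = []string{"authorization_code", "refresh_token"}

func main() {
	for _, c := range []struct{ name, doc string }{{"before", metadataBefore}, {"after", metadataAfter}} {
		ok, err := canSilentlyRefresh([]byte(c.doc))
		fmt.Printf("%s: silent refresh allowed=%v err=%v\n", c.name, ok, err)
		var m asMetadata
		if err := json.Unmarshal([]byte(c.doc), &m); err != nil {
			fmt.Println("parse:", err)
			continue
		}
		fmt.Printf("%s: registered but not advertised: %v\n", c.name, missingFromMetadata(m, registeredGrantTypes))
	}
}
```

Running missingFromMetadata against the "before" document reports refresh_token as registered but not advertised, which is exactly the state issue #33 describes; a unit test of that shape in metadata.go would keep the three metadata paths from drifting from /oauth/register again.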

coderabbitai Bot commented Jun 2, 2026

📥 Commits

Reviewing files that changed from the base of the PR and between 0ea9d3e and 13b3569.

📒 Files selected for processing (1)
  • metadata.go

Walkthrough

This PR updates all OAuth/OIDC metadata endpoints to advertise refresh_token as a supported grant type. The change updates four metadata response paths: the legacy MCP handler, the OIDC discovery endpoint, and both native and proxy modes of the authorization server metadata handler.

Changes

OAuth/OIDC Grant Types

Layer: Grant types metadata updates
File(s): metadata.go
Summary: HandleMetadata, HandleOIDCDiscovery, and GetAuthorizationServerMetadata (native and proxy modes) all now advertise refresh_token in addition to authorization_code in their grant_types_supported responses.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related issues

  • tuannvm/oauth-mcp-proxy#33: Directly addressed by adding "refresh_token" to grant_types_supported across all metadata endpoints in metadata.go.

Possibly related PRs

  • tuannvm/oauth-mcp-proxy#17: This PR advertises refresh_token support in OAuth metadata, complementing the implementation of grant_type=refresh_token handling in token requests.

Poem

🐰 A token refreshed, so clean and bright,
The metadata sings of grants in flight,
Four endpoints now declare with glee,
"Refresh me!" comes the jubilee,
OAuth's song, a rabbit's delight! ✨

Pre-merge checks: 5 passed

  • Description Check: Passed. Check skipped because CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title accurately and concisely describes the main change: adding refresh_token to grant_types_supported in metadata responses.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage; check skipped.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.


Discovery endpoints listed only authorization_code while /oauth/token
already handled refresh_token. Conformant MCP clients skip silent renewal
when grant_types_supported omits refresh_token (RFC 8414).

Upstream PR candidate for tuannvm/oauth-mcp-proxy.

Co-authored-by: Cursor <cursoragent@cursor.com>
Signed-off-by: caiopavanelli <caiopava@gmail.com>

caiopavanelli force-pushed the fix/discovery-refresh-token-grant-types branch from 0ea9d3e to 13b3569 on June 2, 2026 14:36
Development

Successfully merging this pull request may close these issues.

Discovery metadata omits refresh_token grant despite /oauth/token support

1 participant