all: stabilize client OAuth support (#861)

Also fix lint errors that were hidden because of the build tag.

Author: maciej-kisiel

.github/workflows/conformance.yml

@@ -50,7 +50,7 @@ jobs:
         uses: modelcontextprotocol/conformance@a2855b03582a6c0b31065ad4d9af248316ce61a3 # v0.1.15
         with:
           mode: client 
-          command: go run -tags mcp_go_client_oauth ./conformance/everything-client
+          command: go run ./conformance/everything-client
           suite: core
           expected-failures: ./conformance/baseline.yml
           node-version: 22

auth/authorization_code.go

@@ -2,8 +2,6 @@
 // Use of this source code is governed by the license
 // that can be found in the LICENSE file.
 
-//go:build mcp_go_client_oauth
-
 package auth
 
 import (
@@ -142,7 +140,7 @@ func NewAuthorizationCodeHandler(config *AuthorizationCodeHandlerConfig) (*Autho
 	dCfg := config.DynamicClientRegistrationConfig
 	if dCfg != nil {
 		if dCfg.Metadata == nil {
-			return nil, errors.New("Metadata is required for dynamic client registration")
+			return nil, errors.New("dynamic client registration requires non-nil Metadata")
 		}
 		if len(dCfg.Metadata.RedirectURIs) == 0 {
 			return nil, errors.New("Metadata.RedirectURIs is required for dynamic client registration")
@@ -283,17 +281,14 @@ func errorFromChallenges(cs []oauthex.Challenge) string {
 // If no metadata was found or the fetched metadata fails security checks,
 // it returns an error.
 func (h *AuthorizationCodeHandler) getProtectedResourceMetadata(ctx context.Context, wwwChallenges []oauthex.Challenge, mcpServerURL string) (*oauthex.ProtectedResourceMetadata, error) {
-	var errs []error
 	// Use MCP server URL as the resource URI per
 	// https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization#canonical-server-uri.
 	for _, url := range protectedResourceMetadataURLs(resourceMetadataURLFromChallenges(wwwChallenges), mcpServerURL) {
 		prm, err := oauthex.GetProtectedResourceMetadata(ctx, url.URL, url.Resource, h.config.Client)
 		if err != nil {
-			errs = append(errs, err)
 			continue
 		}
 		if prm == nil {
-			errs = append(errs, fmt.Errorf("protected resource metadata is nil"))
 			continue
 		}
 		if len(prm.AuthorizationServers) == 0 {

auth/authorization_code_test.go

@@ -2,8 +2,6 @@
 // Use of this source code is governed by the license
 // that can be found in the LICENSE file.
 
-//go:build mcp_go_client_oauth
-
 package auth
 
 import (

auth/client_private.go

@@ -5,8 +5,6 @@
 // Package extauth provides OAuth handler implementations for MCP authorization extensions.
 // This package implements Enterprise Managed Authorization as defined in SEP-990.
 
-//go:build mcp_go_client_oauth
-
 package extauth
 
 import (

auth/client_test.go

@@ -2,8 +2,6 @@
 // Use of this source code is governed by an MIT-style
 // license that can be found in the LICENSE file.
 
-//go:build mcp_go_client_oauth
-
 package extauth
 
 import (

auth/extauth/enterprise_handler.go

@@ -6,8 +6,6 @@
 // as part of Enterprise Managed Authorization (SEP-990).
 // See https://openid.net/specs/openid-connect-core-1_0.html
 
-//go:build mcp_go_client_oauth
-
 package extauth
 
 import (
@@ -121,11 +119,11 @@ func initiateOIDCLogin(
 		return nil, nil, fmt.Errorf("RedirectURL is required")
 	}
 	if len(config.Scopes) == 0 {
-		return nil, nil, fmt.Errorf("Scopes is required (must include 'openid')")
+		return nil, nil, fmt.Errorf("at least one scope is required (must include 'openid')")
 	}
 
 	if !slices.Contains(config.Scopes, "openid") {
-		return nil, nil, fmt.Errorf("Scopes must include 'openid' for OIDC")
+		return nil, nil, fmt.Errorf("the 'openid' scope is required for OIDC")
 	}
 
 	if err := checkURLScheme(config.IssuerURL); err != nil {