fix: retry next endpoint on CORS error during auth server discovery (modelcontextprotocol#827)

Author: xiaoyijun

src/client/auth.test.ts

@@ -899,6 +899,18 @@ describe("OAuth Authorization", () => {
  "MCP-Protocol-Version": "2025-01-01"
  });
  });
+
+ it("returns undefined when all URLs fail with CORS errors", async () => {
+ // All fetch attempts fail with CORS errors (TypeError)
+ mockFetch.mockImplementation(() => Promise.reject(new TypeError("CORS error")));
+
+ const metadata = await discoverAuthorizationServerMetadata("https://auth.example.com/tenant1");
+
+ expect(metadata).toBeUndefined();
+ 
+ // Verify that all discovery URLs were attempted
+ expect(mockFetch).toHaveBeenCalledTimes(8); // 4 URLs × 2 attempts each (with and without headers)
+ });
  });
 
  describe("startAuthorization", () => {

src/client/auth.ts

@@ -758,7 +758,11 @@ export async function discoverAuthorizationServerMetadata(
  const response = await fetchWithCorsRetry(endpointUrl, headers, fetchFn);
 
  if (!response) {
- throw new Error(`CORS error trying to load ${type === 'oauth' ? 'OAuth' : 'OpenID provider'} metadata from ${endpointUrl}`);
+ /**
+ * CORS error occurred - don't throw as the endpoint may not allow CORS,
+ * continue trying other possible endpoints
+ */
+ continue;
  }
 
  if (!response.ok) {