NullReferenceException when openID configuration does not contain authorization and/or token endpoints.

[S-Luiten]

Describe the bug
When using an OAuth authorization server which does not include an authorization endpoint in its .well-known/openid-configuration (for example github), a NullReferenceException is thrown in BuildAuthorizationUrl by trying to access authServerMetadata.AuthorizationEndpoint.Scheme.

[halter73]

Thanks for the report. I definitely think we need to produce a better error than a NullReferenceException in this case. I just pushed this commit to a PR I have open to give a better exception message.

However, I don't think we can make work unless we can get the authorization endpoint from somewhere. If we were to give you the ability to hard-code this endpoint similar to the way you can hard-code the client ID via something ClientOAuthOptions.AuthorizationEndpoint, would this be enough to fix your scenario? Or does using GitHub as an OAuth server provide additional challenges?

The ultimate escape hatch is to pass in your own HttpClient via the SseClientTransport constructor with the access token preconfigured, but I'd like to support as many OAuth servers as possible using plain ClientOAuthOptions.

Edit: Looking at ASP.NET Core's GitHubAuthenticationOptions, it looks like we'd need to allow you to specify the token endpoint as well. Ultimately, I think github will need to provide the appropriate metadata via a .well-known endpoint described by RFC 8414 as suggested in https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization

authorization_endpoint
URL of the authorization server's authorization endpoint
[RFC6749]. This is REQUIRED unless no grant types are supported
that use the authorization endpoint.

https://datatracker.ietf.org/doc/html/rfc8414

[S-Luiten]

@halter73 To be honest I don't really need to get github working as auth server, I only tried to get it working because vscode has built-in support for github and microsoft entra authentication, and since I couldn't get my company's auth server to work I tried using these. In the case of github, even if you hardcode or pass the urls manually, you still run into other issues, like how the token endpoint returns "application/x-www-form-urlencoded" instead of json, and even if you take care of that you run into a token validation exception. I'm still not sure how to fix that last part.