In the current specification, the expectation is that the MCP server will expose an OIDC metadata document that will provide information about the authentication. The client then uses that OIDC document to do the required auth dance.
Proposal
Instead, rely on WWW-Authenticate that the server can return to the client. On the initial handshake, the server should return a realm that can be used to construct the path to the discovery document (append .well-known/oauth-authorization-server, as documented in the spec), which can in turn help the client perform the authentication and acquire a token without talking to the MCP server at all.
This would also imply that clients are able to perform the auth code flow independently of the server and, once they have a token, pass it in the Bearer header.
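A sketch of the client side of the discovery step proposed above, as an added example that is not part of the issue or of the MCP specification. It assumes the realm is an absolute https URL that is also the authorization server's issuer identifier; the function names and the `auth.example.com` host are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

WELL_KNOWN = ".well-known/oauth-authorization-server"
# name=token or name="quoted string" pairs inside one challenge
_PARAM = re.compile(r'([\w-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))')


def parse_bearer_challenge(header):
    """Return the auth-params of a single Bearer challenge as a dict."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge")
    params = {}
    for name, quoted, token in _PARAM.findall(rest):
        # Undo backslash escapes in quoted strings; tokens are used as-is.
        params[name.lower()] = re.sub(r"\\(.)", r"\1", quoted) if quoted else token
    return params


def discovery_url(header):
    """Build the metadata URL from the realm of a WWW-Authenticate header."""
    realm = parse_bearer_challenge(header).get("realm")
    if not realm:
        raise ValueError("challenge carries no realm")
    parts = urlsplit(realm)
    # The realm is chosen by the server being contacted, so it is untrusted
    # input: refuse anything that is not a plain https origin plus path.
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("realm must be an absolute https URL")
    if parts.username or parts.password or parts.query or parts.fragment:
        raise ValueError("realm must not carry userinfo, query or fragment")
    return realm.rstrip("/") + "/" + WELL_KNOWN


def issuer_matches(realm, metadata):
    """Check the fetched metadata names the same issuer the realm pointed at.

    Assumption: realm == issuer; a trailing slash is ignored on both sides.
    """
    return metadata.get("issuer", "").rstrip("/") == realm.rstrip("/")


if __name__ == "__main__":
    # Constructed sample header, not taken from a real server.
    sample = 'Bearer realm="https://auth.example.com/tenant1", error="invalid_token"'
    print(discovery_url(sample))
```

Because the client acts on a URL supplied by the MCP server, the scheme check and the issuer comparison are what keep a misconfigured or hostile server from steering the token request to an arbitrary endpoint.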