feat: support discovery config for lazy metadata fetching

[xiaoyijun]

Summary

Add support for discovery config (AuthServerDiscoveryConfig) that allows lazy metadata fetching. This is especially useful for edge runtimes like Cloudflare Workers where top-level async fetch is not allowed.

Changes

• New types: ResolvedAuthServerConfig (with metadata) and AuthServerDiscoveryConfig (issuer + type only), unified as AuthServerConfig
• New class: AuthServerMetadataCache with two-layer caching (valueCache + promiseCache) to prevent duplicate concurrent requests
• Updated handlers: TokenVerifier and AuthorizationServerHandler now support both config types
• Validation: Discovery configs are validated after metadata is fetched

Usage

// Discovery config - metadata fetched on-demand
const mcpAuth = new MCPAuth({
  protectedResources: [{
    metadata: {
      resource: 'https://api.example.com',
      authorizationServers: [{ issuer: 'https://auth.logto.io/oidc', type: 'oidc' }],
    },
  }],
});

// Resolved config - pre-fetched metadata (existing behavior)
const authServerConfig = await fetchServerConfig('https://auth.logto.io/oidc', { type: 'oidc' });
const mcpAuth = new MCPAuth({
  protectedResources: [{
    metadata: {
      resource: 'https://api.example.com',
      authorizationServers: [authServerConfig],
    },
  }],
});

Testing

unit tests

Checklist

• .changeset
• unit tests
• integration tests
• necessary TSDoc comments

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!