From c5d5b3f3282bfe80b03d6f2b8b01960b6caf5c3d Mon Sep 17 00:00:00 2001
From: jh-block <jhugo@block.xyz>
Date: Thu, 16 Apr 2026 11:37:54 +0200
Subject: [PATCH] fix: treat resource metadata JSON parse failure as soft error

In fetch_resource_metadata_from_url, a JSON parse failure on the
response body caused a fatal AuthError::MetadataError, preventing
discover_metadata() from falling through to direct
.well-known/oauth-authorization-server discovery (Strategy B).

MCP servers that return HTTP 200 with non-JSON content (e.g. HTML)
at their base URL caused the OAuth flow to abort entirely, even
when the server had a valid .well-known/oauth-authorization-server
endpoint.

Return Ok(None) on parse failure, consistent with how HTTP errors
are already handled in the same function.
---
 crates/rmcp/src/transport/auth.rs | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/crates/rmcp/src/transport/auth.rs b/crates/rmcp/src/transport/auth.rs
index 34674df7..3aa3e913 100644
--- a/crates/rmcp/src/transport/auth.rs
+++ b/crates/rmcp/src/transport/auth.rs
@@ -1609,12 +1609,13 @@ impl AuthorizationManager {
             return Ok(None);
         }
 
-        let metadata = response
-            .json::<ResourceServerMetadata>()
-            .await
-            .map_err(|e| {
-                AuthError::MetadataError(format!("Failed to parse resource metadata: {}", e))
-            })?;
+        let metadata = match response.json::<ResourceServerMetadata>().await {
+            Ok(metadata) => metadata,
+            Err(e) => {
+                debug!("failed to parse resource metadata as JSON: {}", e);
+                return Ok(None);
+            }
+        };
         Ok(Some(metadata))
     }