Description
For building a production-ready remote MCP server with OAuth authentication, what is a practical way to implement the authentication part?
So far all the examples I've checked have comments like "not for production use" and often contain code implementing low-level details of some security protocols. For example, the ProtectedMcpServer sample seems to depend on the TestOAuthServer, which basically implements an OAuth server from scratch, including things like token encryption, encoding, etc. This is very useful for educational purposes, but probably not very practical for building a real application.
It's also possible to point the AuthorizationServers metadata to an existing auth provider (Microsoft/Google/etc.), but it seems like even that doesn't work well with some providers due to issues like #648, and it's not clear whether those issues might actually be by design due to incorrect usage.
So, as of today, how should someone building a real-world MCP server go about authentication? Is their best bet to build an OAuth server from scratch just like the samples show? Or is there a better reusable solution, ideally an existing authentication service that is well supported and works smoothly with MCP scenarios?
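As an added illustration (not code from the issue or from the SDK's own sample), the delegated setup the question alludes to: the MCP server acts purely as a resource server, validates bearer tokens issued by an external provider through the standard ASP.NET Core JwtBearer handler, and only publishes protected-resource metadata pointing at that provider. The `AddMcp`, `McpAuthenticationDefaults` and `ProtectedResourceMetadata` names mirror the ProtectedMcpServer sample as I recall it and are assumptions; `https://login.example.com`, `https://mcp.example.com/` and the `mcp:tools` scope are placeholders.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;
using ModelContextProtocol.AspNetCore.Authentication; // assumed namespace of AddMcp / ProtectedResourceMetadata

var builder = WebApplication.CreateBuilder(args);
// Placeholders: the external identity provider and this server's own canonical URL.
var authority = "https://login.example.com";
var resource = new Uri("https://mcp.example.com/");
builder.Services.AddAuthentication(options =>
{
    // Authenticate with the JWT handler; challenge with the MCP scheme so a 401 carries
    // the resource_metadata pointer that clients use for discovery.
    options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = McpAuthenticationDefaults.AuthenticationScheme; // assumed name
})
.AddJwtBearer(options =>
{
    // Issuer metadata and signing keys are fetched from the provider's discovery document;
    // no token encoding, key handling or encryption is implemented in this server.
    options.Authority = authority;
    options.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuer = true,
        // Reject tokens minted for any other API: the audience must be this server's resource id.
        ValidateAudience = true,
        ValidAudience = resource.ToString(),
        ValidateLifetime = true,
        ValidateIssuerSigningKey = true,
        ClockSkew = TimeSpan.FromMinutes(1),
    };
})
.AddMcp(options =>
{
    // Served at /.well-known/oauth-protected-resource; tells clients where tokens come from.
    options.ResourceMetadata = new ProtectedResourceMetadata // assumed type name
    {
        Resource = resource,
        AuthorizationServers = { new Uri(authority) },
        ScopesSupported = ["mcp:tools"],
    };
});
builder.Services.AddAuthorization();
builder.Services.AddMcpServer().WithHttpTransport().WithToolsFromAssembly();
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapMcp().RequireAuthorization();
app.Run();
```

The audience check is the part worth keeping even if the rest is adapted: without it, a valid token issued by the same provider for a different API would be accepted by this server.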