Collapse this proxy config into the single auth object the transport
accepts (StreamableHttpOptions.auth / mountMcp), so an OAuthProxy
preset flows through the same one entry point as jwtResourceServer and
the JWKS presets — no re-typing of resource/scopes. The validator is the
configured tokenVerifier (fails closed when none is set); the proxy's own
baseUrl is advertised as the sole authorization server (it fronts the
upstream IdP), and resource/scopesSupported are mirrored.
Collapse this proxy config into the single auth object the transport accepts (StreamableHttpOptions.auth / mountMcp), so an OAuthProxy preset flows through the same one entry point as jwtResourceServer and the JWKS presets — no re-typing of resource/scopes. The validator is the configured tokenVerifier (fails closed when none is set); the proxy's own baseUrl is advertised as the sole authorization server (it fronts the upstream IdP), and resource/scopesSupported are mirrored.