fix: normalize OAuth redirect URI URL subtypes

[fengjikui]

Fixes #2687

Summary

OAuth client metadata stores redirect_uris as AnyUrl, but Pydantic v2 preserves stricter URL subtype instances that callers pass in, such as AnyHttpUrl. Those subtype instances serialize to the same URL string as AnyUrl, but object equality is type-strict, so validate_redirect_uri(AnyUrl(...)) rejects a registered AnyHttpUrl(...) value.

This normalizes redirect_uris at the model boundary by stringifying Pydantic URL objects before validation. Pydantic then rebuilds them as the declared AnyUrl type. Raw strings and existing validation errors still follow the normal field validation path.

Evidence

Before the fix, the minimal repro fails:

stored_types ['AnyHttpUrl']
string_equal True
object_equal False
membership False
failed Redirect URI 'https://example.com/cb' not registered for client

After the fix, the same repro succeeds and JSON output is unchanged:

stored_types ['AnyUrl']
membership True
validated https://example.com/cb
json ['https://example.com/cb']

Validation

uv run --frozen pytest tests/shared/test_auth.py
uv run --frozen ruff format --check src/mcp/shared/auth.py tests/shared/test_auth.py
uv run --frozen ruff check src/mcp/shared/auth.py tests/shared/test_auth.py
uv run --frozen coverage erase && uv run --frozen coverage run -m pytest tests/shared/test_auth.py && uv run --frozen coverage combine && uv run --frozen coverage report --include='src/mcp/shared/auth.py' --fail-under=0 && UV_FROZEN=1 uv run --frozen strict-no-cover

AI Assistance

AI assistance was used to prepare this patch and validation notes.