Apply remaining changes

Author: Copilot

README.md

@@ -246,6 +246,7 @@ the hostname for GitHub Enterprise Server or GitHub Enterprise Cloud with data r
 
 - For GitHub Enterprise Server, prefix the hostname with the `https://` URI scheme, as it otherwise defaults to `http://`, which GitHub Enterprise Server does not support.
 - For GitHub Enterprise Cloud with data residency, use `https://YOURSUBDOMAIN.ghe.com` as the hostname.
+- If your OAuth authorization server is different from `<host>/login/oauth`, set `--authorization-server` or `GITHUB_AUTHORIZATION_SERVER`.
 
 ``` json
 "github": {

cmd/github-mcp-server/main.go

@@ -139,6 +139,7 @@ var (
 				Host:                 viper.GetString("host"),
 				Port:                 viper.GetInt("port"),
 				BaseURL:              viper.GetString("base-url"),
+				AuthorizationServer:  viper.GetString("authorization-server"),
 				ResourcePath:         viper.GetString("base-path"),
 				ExportTranslations:   viper.GetBool("export-translations"),
 				EnableCommandLogging: viper.GetBool("enable-command-logging"),
@@ -184,6 +185,7 @@ func init() {
 	// HTTP-specific flags
 	httpCmd.Flags().Int("port", 8082, "HTTP server port")
 	httpCmd.Flags().String("base-url", "", "Base URL where this server is publicly accessible (for OAuth resource metadata)")
+	httpCmd.Flags().String("authorization-server", "", "OAuth authorization server URL override (for OAuth resource metadata)")
 	httpCmd.Flags().String("base-path", "", "Externally visible base path for the HTTP server (for OAuth resource metadata)")
 	httpCmd.Flags().Bool("scope-challenge", false, "Enable OAuth scope challenge responses")
 
@@ -203,6 +205,7 @@ func init() {
 	_ = viper.BindPFlag("repo-access-cache-ttl", rootCmd.PersistentFlags().Lookup("repo-access-cache-ttl"))
 	_ = viper.BindPFlag("port", httpCmd.Flags().Lookup("port"))
 	_ = viper.BindPFlag("base-url", httpCmd.Flags().Lookup("base-url"))
+	_ = viper.BindPFlag("authorization-server", httpCmd.Flags().Lookup("authorization-server"))
 	_ = viper.BindPFlag("base-path", httpCmd.Flags().Lookup("base-path"))
 	_ = viper.BindPFlag("scope-challenge", httpCmd.Flags().Lookup("scope-challenge"))
 	// Add subcommands

docs/streamable-http.md

@@ -59,6 +59,16 @@ The OAuth protected resource metadata's `resource` attribute will be populated w
 
 This allows OAuth clients to discover authentication requirements and endpoint information automatically.
 
+### With Custom OAuth Authorization Server
+
+If your GHES deployment requires a non-default OAuth authorization server URL, override it explicitly:
+
+```bash
+github-mcp-server http --gh-host https://ghe.example.com --authorization-server https://auth.ghe.example.com/login/oauth
+```
+
+You can also set this via `GITHUB_AUTHORIZATION_SERVER`.
+
 ## Client Configuration
 
 ### Using OAuth Authentication

pkg/http/server.go

@@ -39,6 +39,10 @@ type ServerConfig struct {
 	// If not set, the server will derive the URL from incoming request headers.
 	BaseURL string
 
+	// AuthorizationServer is the OAuth authorization server URL advertised in OAuth
+	// protected resource metadata. If empty, it is derived from the GitHub host.
+	AuthorizationServer string
+
 	// ResourcePath is the externally visible base path for this server (e.g., "/mcp").
 	// This is used to restore the original path when a proxy strips a base path before forwarding.
 	ResourcePath string
@@ -150,8 +154,9 @@ func RunHTTPServer(cfg ServerConfig) error {
 
 	// Register OAuth protected resource metadata endpoints
 	oauthCfg := &oauth.Config{
-		BaseURL:      cfg.BaseURL,
-		ResourcePath: cfg.ResourcePath,
+		BaseURL:             cfg.BaseURL,
+		AuthorizationServer: cfg.AuthorizationServer,
+		ResourcePath:        cfg.ResourcePath,
 	}
 
 	serverOptions := []HandlerOption{}