Add ClientOAuthOptions

Author: halter73

samples/ProtectedMCPClient/Program.cs

@@ -1,95 +1,68 @@
 using Microsoft.Extensions.Logging;
-using ModelContextProtocol.Authentication;
 using ModelContextProtocol.Client;
 using ModelContextProtocol.Protocol;
 using System.Diagnostics;
 using System.Net;
 using System.Text;
 using System.Web;
 
+var serverUrl = "http://localhost:7071/";
+
 Console.WriteLine("Protected MCP Client");
+Console.WriteLine($"Connecting to weather server at {serverUrl}...");
 Console.WriteLine();
 
-var serverUrl = "http://localhost:7071/";
-var clientId = Environment.GetEnvironmentVariable("CLIENT_ID") ?? throw new Exception("The CLIENT_ID environment variable is not set.");
-
 // We can customize a shared HttpClient with a custom handler if desired
 var sharedHandler = new SocketsHttpHandler
 {
     PooledConnectionLifetime = TimeSpan.FromMinutes(2),
     PooledConnectionIdleTimeout = TimeSpan.FromMinutes(1)
 };
+var httpClient = new HttpClient(sharedHandler);
 
 var consoleLoggerFactory = LoggerFactory.Create(builder =>
 {
     builder.AddConsole();
 });
 
-var httpClient = new HttpClient(sharedHandler);
-// Create the token provider with our custom HttpClient and authorization URL handler
-var tokenProvider = new GenericOAuthProvider(
-    new Uri(serverUrl),
-    httpClient,
-    //clientId: clientId,
-    clientId: "demo-client",
-    clientSecret: "demo-secret",
-    redirectUri: new Uri("http://localhost:1179/callback"),
-    authorizationRedirectDelegate: HandleAuthorizationUrlAsync,
-    loggerFactory: consoleLoggerFactory);
-
-Console.WriteLine();
-Console.WriteLine($"Connecting to weather server at {serverUrl}...");
-
-try
+var transport = new SseClientTransport(new()
 {
-    var transport = new SseClientTransport(new()
-    {
-        Endpoint = new Uri(serverUrl),
-        Name = "Secure Weather Client",
-        CredentialProvider = tokenProvider,
-    }, httpClient, consoleLoggerFactory);
-
-    var client = await McpClientFactory.CreateAsync(transport, loggerFactory: consoleLoggerFactory);
-
-    var tools = await client.ListToolsAsync();
-    if (tools.Count == 0)
+    Endpoint = new Uri(serverUrl),
+    Name = "Secure Weather Client",
+    OAuth = new()
     {
-        Console.WriteLine("No tools available on the server.");
-        return;
+        ClientId = "demo-client",
+        ClientSecret = "demo-secret",
+        RedirectUri = new Uri("http://localhost:1179/callback"),
+        AuthorizationRedirectDelegate = HandleAuthorizationUrlAsync,
     }
+}, httpClient, consoleLoggerFactory);
 
-    Console.WriteLine($"Found {tools.Count} tools on the server.");
-    Console.WriteLine();
+var client = await McpClientFactory.CreateAsync(transport, loggerFactory: consoleLoggerFactory);
 
-    if (tools.Any(t => t.Name == "GetAlerts"))
-    {
-        Console.WriteLine("Calling GetAlerts tool...");
+var tools = await client.ListToolsAsync();
+if (tools.Count == 0)
+{
+    Console.WriteLine("No tools available on the server.");
+    return;
+}
 
-        var result = await client.CallToolAsync(
-            "GetAlerts",
-            new Dictionary<string, object?> { { "state", "WA" } }
-        );
+Console.WriteLine($"Found {tools.Count} tools on the server.");
+Console.WriteLine();
 
-        Console.WriteLine("Result: " + ((TextContentBlock)result.Content[0]).Text);
-        Console.WriteLine();
-    }
-}
-catch (Exception ex)
+if (tools.Any(t => t.Name == "GetAlerts"))
 {
-    Console.WriteLine($"Error: {ex.Message}");
-    if (ex.InnerException != null)
-    {
-        Console.WriteLine($"Inner error: {ex.InnerException.Message}");
-    }
+    Console.WriteLine("Calling GetAlerts tool...");
 
-#if DEBUG
-    Console.WriteLine($"Stack trace: {ex.StackTrace}");
-#endif
+    var result = await client.CallToolAsync(
+        "GetAlerts",
+        new Dictionary<string, object?> { { "state", "WA" } }
+    );
+
+    Console.WriteLine("Result: " + ((TextContentBlock)result.Content[0]).Text);
+    Console.WriteLine();
 }
-Console.WriteLine("Press any key to exit...");
-Console.ReadKey();
 
-/// <summary>
 /// Handles the OAuth authorization URL by starting a local HTTP server and opening a browser.
 /// This implementation demonstrates how SDK consumers can provide their own authorization flow.
 /// </summary>

src/ModelContextProtocol.Core/Authentication/AuthenticatingMcpHttpClient.cs

@@ -7,7 +7,7 @@ namespace ModelContextProtocol.Authentication;
 /// <summary>
 /// A delegating handler that adds authentication tokens to requests and handles 401 responses.
 /// </summary>
-internal sealed class AuthenticatingMcpHttpClient(HttpClient httpClient, IMcpCredentialProvider credentialProvider) : McpHttpClient(httpClient)
+internal sealed class AuthenticatingMcpHttpClient(HttpClient httpClient, ClientOAuthProvider credentialProvider) : McpHttpClient(httpClient)
 {
     // Select first supported scheme as the default
     private string _currentScheme = credentialProvider.SupportedSchemes.FirstOrDefault() ??

src/ModelContextProtocol.Core/Authentication/ClientOAuthOptions.cs

@@ -0,0 +1,69 @@
+namespace ModelContextProtocol.Authentication;
+
+/// <summary>
+/// Provides configuration options for the <see cref="ClientOAuthProvider"/>.
+/// </summary>
+public sealed class ClientOAuthOptions
+{
+    /// <summary>
+    /// Gets or sets the OAuth client ID.
+    /// </summary>
+    public required string ClientId { get; set; }
+
+    /// <summary>
+    /// Gets or sets the OAuth redirect URI.
+    /// </summary>
+    public required Uri RedirectUri { get; set; }
+
+    /// <summary>
+    /// Gets or sets the OAuth client secret.
+    /// </summary>
+    /// <remarks>
+    /// This is optional for public clients or when using PKCE without client authentication.
+    /// </remarks>
+    public string? ClientSecret { get; set; }
+
+    /// <summary>
+    /// Gets or sets the OAuth scopes to request.
+    /// </summary>
+    /// <remarks>
+    /// <para>
+    /// When specified, these scopes will be used instead of the scopes advertised by the protected resource.
+    /// If not specified, the provider will use the scopes from the protected resource metadata.
+    /// </para>
+    /// <para>
+    /// Common OAuth scopes include "openid", "profile", "email", etc.
+    /// </para>
+    /// </remarks>
+    public IEnumerable<string>? Scopes { get; set; }
+
+    /// <summary>
+    /// Gets or sets the authorization redirect delegate for handling the OAuth authorization flow.
+    /// </summary>
+    /// <remarks>
+    /// <para>
+    /// This delegate is responsible for handling the OAuth authorization URL and obtaining the authorization code.
+    /// If not specified, a default implementation will be used that prompts the user to enter the code manually.
+    /// </para>
+    /// <para>
+    /// Custom implementations might open a browser, start an HTTP listener, or use other mechanisms to capture
+    /// the authorization code from the OAuth redirect.
+    /// </para>
+    /// </remarks>
+    public AuthorizationRedirectDelegate? AuthorizationRedirectDelegate { get; set; }
+
+    /// <summary>
+    /// Gets or sets the authorization server selector function.
+    /// </summary>
+    /// <remarks>
+    /// <para>
+    /// This function is used to select which authorization server to use when multiple servers are available.
+    /// If not specified, the first available server will be selected.
+    /// </para>
+    /// <para>
+    /// The function receives a list of available authorization server URIs and should return the selected server,
+    /// or null if no suitable server is found.
+    /// </para>
+    /// </remarks>
+    public Func<IReadOnlyList<Uri>, Uri?>? AuthServerSelector { get; set; }
+}

…e/Authentication/GenericOAuthProvider.cs …re/Authentication/ClientOAuthProvider.cssrc/ModelContextProtocol.Core/Authentication/GenericOAuthProvider.cs renamed to src/ModelContextProtocol.Core/Authentication/ClientOAuthProvider.cs src/ModelContextProtocol.Core/Authentication/GenericOAuthProvider.cs renamed to src/ModelContextProtocol.Core/Authentication/ClientOAuthProvider.cs

@@ -14,7 +14,7 @@ namespace ModelContextProtocol.Authentication;
 /// protection or caching - it acquires a token and server metadata and holds it in memory.
 /// This is suitable for demonstration and development purposes.
 /// </summary>
-public sealed class GenericOAuthProvider : IMcpCredentialProvider
+internal sealed class ClientOAuthProvider
 {
     /// <summary>
     /// The Bearer authentication scheme.
@@ -23,55 +23,51 @@ public sealed class GenericOAuthProvider : IMcpCredentialProvider
 
     private readonly Uri _serverUrl;
     private readonly Uri _redirectUri;
-    private readonly IList<string>? _scopes;
+    private readonly string[]? _scopes;
     private readonly string _clientId;
     private readonly string? _clientSecret;
-    private readonly HttpClient _httpClient;
-    private readonly ILogger _logger;
     private readonly Func<IReadOnlyList<Uri>, Uri?> _authServerSelector;
     private readonly AuthorizationRedirectDelegate _authorizationRedirectDelegate;
 
+    private readonly HttpClient _httpClient;
+    private readonly ILogger _logger;
+
     private TokenContainer? _token;
     private AuthorizationServerMetadata? _authServerMetadata;
 
     /// <summary>
-    /// Initializes a new instance of the <see cref="GenericOAuthProvider"/> class with explicit authorization server selection.
+    /// Initializes a new instance of the <see cref="ClientOAuthProvider"/> class using the specified options.
     /// </summary>
     /// <param name="serverUrl">The MCP server URL.</param>
+    /// <param name="options">The OAuth provider configuration options.</param>
     /// <param name="httpClient">The HTTP client to use for OAuth requests. If null, a default HttpClient will be used.</param>
-    /// <param name="clientId">OAuth client ID.</param>
-    /// <param name="clientSecret">OAuth client secret.</param>
-    /// <param name="redirectUri">OAuth redirect URI.</param>
-    /// <param name="authorizationRedirectDelegate">Custom handler for processing the OAuth authorization URL. If null, uses the default HTTP listener approach.</param>
-    /// <param name="scopes">Additional OAuth scopes to request instead of those specified in the scopes_supported specified in the .well-known/oauth-protected-resource response.</param>
     /// <param name="loggerFactory">A logger factory to handle diagnostic messages.</param>
-    /// <param name="authServerSelector">Function to select which authorization server to use from available servers. If null, uses default selection strategy.</param>
-    /// <exception cref="ArgumentNullException">Thrown when serverUrl is null.</exception>
-    public GenericOAuthProvider(
+    /// <exception cref="ArgumentNullException">Thrown when serverUrl or options are null.</exception>
+    public ClientOAuthProvider(
         Uri serverUrl,
-        HttpClient? httpClient,
-        string clientId,
-        Uri redirectUri,
-        AuthorizationRedirectDelegate? authorizationRedirectDelegate = null,
-        string? clientSecret = null,
-        IList<string>? scopes = null,
-        Func<IReadOnlyList<Uri>, Uri?>? authServerSelector = null,
+        ClientOAuthOptions options,
+        HttpClient? httpClient = null,
         ILoggerFactory? loggerFactory = null)
     {
         _serverUrl = serverUrl ?? throw new ArgumentNullException(nameof(serverUrl));
         _httpClient = httpClient ?? new HttpClient();
-        _logger = (ILogger?)loggerFactory?.CreateLogger<GenericOAuthProvider>() ?? NullLogger.Instance;
+        _logger = (ILogger?)loggerFactory?.CreateLogger<ClientOAuthProvider>() ?? NullLogger.Instance;
+
+        if (options is null)
+        {
+            throw new ArgumentNullException(nameof(options));
+        }
 
-        _redirectUri = redirectUri;
-        _scopes = scopes;
-        _clientId = clientId;
-        _clientSecret = clientSecret;
+        _clientId = options.ClientId;
+        _redirectUri = options.RedirectUri;
+        _clientSecret = options.ClientSecret;
+        _scopes = options.Scopes?.ToArray();
 
         // Set up authorization server selection strategy
-        _authServerSelector = authServerSelector ?? DefaultAuthServerSelector;
+        _authServerSelector = options.AuthServerSelector ?? DefaultAuthServerSelector;
 
         // Set up authorization URL handler (use default if not provided)
-        _authorizationRedirectDelegate = authorizationRedirectDelegate ?? DefaultAuthorizationUrlHandler;
+        _authorizationRedirectDelegate = options.AuthorizationRedirectDelegate ?? DefaultAuthorizationUrlHandler;
     }
 
     /// <summary>
@@ -301,9 +297,9 @@ private Uri BuildAuthorizationUrl(
         queryParams["code_challenge_method"] = "S256";
 
         var scopesSupported = protectedResourceMetadata.ScopesSupported;
-        if (_scopes?.Count > 0 || scopesSupported.Count > 0)
+        if (_scopes is not null || scopesSupported.Count > 0)
         {
-            queryParams["scope"] = string.Join(" ", _scopes ?? scopesSupported);
+            queryParams["scope"] = string.Join(" ", _scopes ?? scopesSupported.ToArray());
         }
 
         var uriBuilder = new UriBuilder(authServerMetadata.AuthorizationEndpoint)

src/ModelContextProtocol.Core/Authentication/IMcpCredentialProvider.cs

@@ -49,9 +49,10 @@ public SseClientTransport(SseClientTransportOptions transportOptions, HttpClient
         _loggerFactory = loggerFactory;
         Name = transportOptions.Name ?? transportOptions.Endpoint.ToString();
 
-        if (transportOptions.CredentialProvider is { } credentialProvider)
+        if (transportOptions.OAuth is { } clientOAuthOptions)
         {
-            _mcpHttpClient = new AuthenticatingMcpHttpClient(httpClient, credentialProvider);
+            var oAuthProvider = new ClientOAuthProvider(_options.Endpoint, clientOAuthOptions, httpClient, loggerFactory);
+            _mcpHttpClient = new AuthenticatingMcpHttpClient(httpClient, oAuthProvider);
         }
         else
         {

src/ModelContextProtocol.Core/Client/SseClientTransport.cs

@@ -76,5 +76,5 @@ public required Uri Endpoint
     /// <summary>
     /// Gets sor sets the authorization provider to use for authentication.
     /// </summary>
-    public IMcpCredentialProvider? CredentialProvider { get; set; }
+    public ClientOAuthOptions? OAuth { get; set; }
 }