Use scope_supported in GenericOAuthProvider

Author: halter73

samples/ProtectedMCPClient/Program.cs

@@ -29,7 +29,7 @@
     clientId: clientId,
     clientSecret: "", // No secret needed for this client
     redirectUri: new Uri("http://localhost:1179/callback"),
-    scopes: [$"api://{clientId}/weather.read"],
+    scopes: null, // Scopes listed in scopes_supported will be requested automatically
     logger: null,
     authorizationUrlHandler: HandleAuthorizationUrlAsync
 );

src/ModelContextProtocol.Core/Authentication/AuthorizationHelpers.cs

@@ -203,33 +203,4 @@ internal async Task<ProtectedResourceMetadata> ExtractProtectedResourceMetadata(
 
         return null;
     }
-
-    /// <summary>
-    /// Handles a 401 Unauthorized response and returns all available authorization servers.
-    /// This is the primary method for OAuth discovery - use this when you want full control
-    /// over authorization server selection.
-    /// </summary>
-    /// <param name="response">The 401 HTTP response.</param>
-    /// <param name="serverUrl">The server URL that returned the 401.</param>
-    /// <param name="cancellationToken">A token to cancel the operation.</param>
-    /// <returns>A list of available authorization server URIs.</returns>
-    /// <exception cref="ArgumentNullException">Thrown when response is null.</exception>
-    public async Task<IReadOnlyList<Uri>> GetAvailableAuthorizationServersAsync(
-        HttpResponseMessage response,
-        Uri serverUrl,
-        CancellationToken cancellationToken = default)
-    {
-        if (response == null) throw new ArgumentNullException(nameof(response));
-
-        try
-        {
-            var metadata = await ExtractProtectedResourceMetadata(response, serverUrl, cancellationToken);
-            return metadata.AuthorizationServers ?? [];
-        }
-        catch (Exception ex)
-        {
-            _logger.LogError(ex, "Failed to get available authorization servers");
-            return [];
-        }
-    }
 }

src/ModelContextProtocol.Core/Authentication/GenericOAuthProvider.cs

@@ -232,10 +232,8 @@ private async Task<McpUnauthorizedResponseResult> PerformOAuthAuthorizationAsync
         CancellationToken cancellationToken)
     {
         // Get available authorization servers from the 401 response
-        var availableAuthorizationServers = await _authorizationHelpers.GetAvailableAuthorizationServersAsync(
-            response,
-            _serverUrl,
-            cancellationToken);
+        var protectedResourceMetadata = await _authorizationHelpers.ExtractProtectedResourceMetadata(response, _serverUrl, cancellationToken);
+        var availableAuthorizationServers = protectedResourceMetadata.AuthorizationServers ?? [];
 
         if (!availableAuthorizationServers.Any())
         {
@@ -269,7 +267,7 @@ private async Task<McpUnauthorizedResponseResult> PerformOAuthAuthorizationAsync
         _authServerMetadata = authServerMetadata;
 
         // Perform the OAuth flow
-        var token = await InitiateAuthorizationCodeFlowAsync(authServerMetadata, cancellationToken);
+        var token = await InitiateAuthorizationCodeFlowAsync(protectedResourceMetadata, authServerMetadata, cancellationToken);
         if (token != null)
         {
             _token = token;
@@ -342,7 +340,7 @@ private async Task<McpUnauthorizedResponseResult> PerformOAuthAuthorizationAsync
                 if (response.IsSuccessStatusCode)
                 {
                     using var stream = await response.Content.ReadAsStreamAsync(cancellationToken);
-                    var metadata = await JsonSerializer.DeserializeAsync<AuthorizationServerMetadata>(stream, McpJsonUtilities.JsonContext.Default.AuthorizationServerMetadata, cancellationToken);
+                    var metadata = await JsonSerializer.DeserializeAsync(stream, McpJsonUtilities.JsonContext.Default.AuthorizationServerMetadata, cancellationToken);
 
                     if (metadata != null)
                     {
@@ -413,21 +411,25 @@ private async Task<McpUnauthorizedResponseResult> PerformOAuthAuthorizationAsync
     }
 
     private async Task<TokenContainer?> InitiateAuthorizationCodeFlowAsync(
+        ProtectedResourceMetadata protectedResourceMetadata,
         AuthorizationServerMetadata authServerMetadata,
         CancellationToken cancellationToken)
     {
         var codeVerifier = GenerateCodeVerifier();
         var codeChallenge = GenerateCodeChallenge(codeVerifier);
 
-        var authUrl = BuildAuthorizationUrl(authServerMetadata, codeChallenge);
+        var authUrl = BuildAuthorizationUrl(protectedResourceMetadata, authServerMetadata, codeChallenge);
         var authCode = await GetAuthorizationCodeAsync(authUrl, cancellationToken);
         if (string.IsNullOrEmpty(authCode))
             return null;
 
         return await ExchangeCodeForTokenAsync(authServerMetadata, authCode!, codeVerifier, cancellationToken);
     }
 
-    private Uri BuildAuthorizationUrl(AuthorizationServerMetadata authServerMetadata, string codeChallenge)
+    private Uri BuildAuthorizationUrl(
+        ProtectedResourceMetadata protectedResourceMetadata,
+        AuthorizationServerMetadata authServerMetadata,
+        string codeChallenge)
     {
         if (authServerMetadata.AuthorizationEndpoint.Scheme != Uri.UriSchemeHttp &&
             authServerMetadata.AuthorizationEndpoint.Scheme != Uri.UriSchemeHttps)
@@ -442,9 +444,10 @@ private Uri BuildAuthorizationUrl(AuthorizationServerMetadata authServerMetadata
         queryParams["code_challenge"] = codeChallenge;
         queryParams["code_challenge_method"] = "S256";
 
-        if (_scopes.Any())
+        var scopesSupported = protectedResourceMetadata.ScopesSupported ?? [];
+        if (_scopes.Count > 0 || scopesSupported.Count > 0)
         {
-            queryParams["scope"] = string.Join(" ", _scopes);
+            queryParams["scope"] = string.Join(" ", [.._scopes, ..scopesSupported]);
         }
 
         var uriBuilder = new UriBuilder(authServerMetadata.AuthorizationEndpoint)

src/ModelContextProtocol.Core/Authentication/ProtectedResourceMetadata.cs

@@ -4,20 +4,10 @@ namespace ModelContextProtocol.Authentication;
 
 /// <summary>
 /// Represents the resource metadata for OAuth authorization as defined in RFC 9396.
-/// Defined by <see href="https://datatracker.ietf.org/doc/rfc9728/">RFC 9728</see>. 
+/// Defined by <see href="https://datatracker.ietf.org/doc/rfc9728/">RFC 9728</see>.
 /// </summary>
 public class ProtectedResourceMetadata
 {
-    /// <summary>
-    /// Initializes a new instance of the <see cref="ProtectedResourceMetadata"/> class.
-    /// </summary>
-    public ProtectedResourceMetadata()
-    {
-        AuthorizationServers = [];
-        BearerMethodsSupported = [];
-        ScopesSupported = [];
-    }
-
     /// <summary>
     /// The resource URI.
     /// </summary>
@@ -26,7 +16,7 @@ public ProtectedResourceMetadata()
     /// </remarks>
     [JsonPropertyName("resource")]
     public required Uri Resource { get; init; }
-    
+
     /// <summary>
     /// The list of authorization server URIs.
     /// </summary>
@@ -35,8 +25,8 @@ public ProtectedResourceMetadata()
     /// for authorization servers that can be used with this protected resource.
     /// </remarks>
     [JsonPropertyName("authorization_servers")]
-    public List<Uri> AuthorizationServers { get; set; }
-    
+    public List<Uri> AuthorizationServers { get; set; } = [];
+
     /// <summary>
     /// The supported bearer token methods.
     /// </summary>
@@ -45,8 +35,8 @@ public ProtectedResourceMetadata()
     /// to the protected resource. Defined values are ["header", "body", "query"].
     /// </remarks>
     [JsonPropertyName("bearer_methods_supported")]
-    public List<string> BearerMethodsSupported { get; set; }
-    
+    public List<string> BearerMethodsSupported { get; set; } = [];
+
     /// <summary>
     /// The supported scopes.
     /// </summary>
@@ -55,8 +45,8 @@ public ProtectedResourceMetadata()
     /// requests to request access to this protected resource.
     /// </remarks>
     [JsonPropertyName("scopes_supported")]
-    public List<string> ScopesSupported { get; set; }
-    
+    public List<string> ScopesSupported { get; set; } = [];
+
     /// <summary>
     /// URL of the protected resource's JSON Web Key (JWK) Set document.
     /// </summary>

src/ModelContextProtocol.Core/Client/SseClientTransport.cs

@@ -58,8 +58,8 @@ public SseClientTransport(SseClientTransportOptions transportOptions, HttpClient
     /// <param name="transportOptions">Configuration options for the transport.</param>
     /// <param name="credentialProvider">The authorization provider to use for authentication.</param>
     /// <param name="loggerFactory">Logger factory for creating loggers used for diagnostic output during transport operations.</param>
-    /// <param name="baseMessageHandler">Optional. The base message handler to use under the authorization handler. 
-    /// If null, a new <see cref="HttpClientHandler"/> will be used. This allows for custom HTTP client pipelines (e.g., from HttpClientFactory) 
+    /// <param name="baseMessageHandler">Optional. The base message handler to use under the authorization handler.
+    /// If null, a new <see cref="HttpClientHandler"/> will be used. This allows for custom HTTP client pipelines (e.g., from HttpClientFactory)
     /// to be used in conjunction with the token-based authentication provided by <paramref name="credentialProvider"/>.</param>
     public SseClientTransport(SseClientTransportOptions transportOptions, IMcpCredentialProvider credentialProvider, ILoggerFactory? loggerFactory = null, HttpMessageHandler? baseMessageHandler = null)
     {
@@ -74,7 +74,7 @@ public SseClientTransport(SseClientTransportOptions transportOptions, IMcpCreden
         {
             InnerHandler = baseMessageHandler ?? new HttpClientHandler()
         };
-        
+
         _httpClient = new HttpClient(authHandler);
         _ownsHttpClient = true;
     }