Simplify HandleUnauthorizedResponseAsync signature by using exceptions

- Use Streamable HTTP transport in samples

Author: halter73

samples/ProtectedMCPClient/Program.cs

@@ -9,7 +9,7 @@
 Console.WriteLine("Protected MCP Weather Server");
 Console.WriteLine();
 
-var serverUrl = "http://localhost:7071/sse";
+var serverUrl = "http://localhost:7071/";
 var clientId = Environment.GetEnvironmentVariable("CLIENT_ID") ?? throw new Exception("The CLIENT_ID environment variable is not set.");
 
 // We can customize a shared HttpClient with a custom handler if desired
@@ -24,14 +24,9 @@
 var tokenProvider = new GenericOAuthProvider(
     new Uri(serverUrl),
     httpClient,
-    null, // AuthorizationHelpers will be created automatically
     clientId: clientId,
-    clientSecret: "", // No secret needed for this client
     redirectUri: new Uri("http://localhost:1179/callback"),
-    scopes: null, // Scopes listed in scopes_supported will be requested automatically
-    logger: null,
-    authorizationUrlHandler: HandleAuthorizationUrlAsync
-);
+    authorizationRedirectDelegate: HandleAuthorizationUrlAsync);
 
 Console.WriteLine();
 Console.WriteLine($"Connecting to weather server at {serverUrl}...");

samples/ProtectedMCPServer/Program.cs

@@ -62,7 +62,7 @@
     {
         var metadata = new ProtectedResourceMetadata
         {
-            Resource = new Uri("http://localhost:7071/sse"),
+            Resource = new Uri("http://localhost:7071/"),
             BearerMethodsSupported = { "header" },
             ResourceDocumentation = new Uri("https://docs.example.com/api/weather"),
             AuthorizationServers = { new Uri($"{instance}{tenantId}/v2.0") }

src/ModelContextProtocol.Core/Authentication/AuthenticatingMcpHttpClient.cs

@@ -9,8 +9,6 @@ namespace ModelContextProtocol.Authentication;
 /// </summary>
 internal sealed class AuthenticatingMcpHttpClient(HttpClient httpClient, IMcpCredentialProvider credentialProvider) : McpHttpClient(httpClient)
 {
-    private static readonly char[] SchemeSplitDelimiters = [' ', ','];
-
     // Select first supported scheme as the default
     private string _currentScheme = credentialProvider.SupportedSchemes.FirstOrDefault() ??
         throw new ArgumentException("Authorization provider must support at least one authentication scheme.", nameof(credentialProvider));
@@ -47,88 +45,41 @@ private async Task<HttpResponseMessage> HandleUnauthorizedResponseAsync(
         // Gather the schemes the server wants us to use from WWW-Authenticate headers
         var serverSchemes = ExtractServerSupportedSchemes(response);
 
-        // Find the intersection between what the server supports and what our provider supports
-        string? bestSchemeMatch = null;
-
-        // First try to find a direct match with the current scheme if it's still valid
-        string schemeUsed = originalRequest.Headers.Authorization?.Scheme ?? _currentScheme ?? string.Empty;
-        if (!string.IsNullOrEmpty(schemeUsed) &&
-            serverSchemes.Contains(schemeUsed) &&
-            credentialProvider.SupportedSchemes.Contains(schemeUsed))
-        {
-            bestSchemeMatch = schemeUsed;
-        }
-        else
+        if (!serverSchemes.Contains(_currentScheme))
         {
             // Find the first server scheme that's in our supported set
-            bestSchemeMatch = serverSchemes.Intersect(credentialProvider.SupportedSchemes, StringComparer.OrdinalIgnoreCase).FirstOrDefault();
-
-            // If no match was found, either throw an exception or use default
-            if (bestSchemeMatch is null)
-            {
-                if (serverSchemes.Count > 0)
-                {
-                    throw new IOException(
-                        $"The server does not support any of the provided authentication schemes." +
-                        $"Server supports: [{string.Join(", ", serverSchemes)}], " +
-                        $"Provider supports: [{string.Join(", ", credentialProvider.SupportedSchemes)}].");
-                }
-
-                // If the server didn't specify any schemes, use the provider's default
-                bestSchemeMatch = credentialProvider.SupportedSchemes.FirstOrDefault();
-            }
-        }
+            var bestSchemeMatch = serverSchemes.Intersect(credentialProvider.SupportedSchemes, StringComparer.OrdinalIgnoreCase).FirstOrDefault();
 
-        if (bestSchemeMatch != null)
-        {
-            try
+            if (bestSchemeMatch is not null)
             {
-                // Try to handle the 401 response with the selected scheme
-                var (handled, recommendedScheme) = await credentialProvider.HandleUnauthorizedResponseAsync(
-                    response,
-                    bestSchemeMatch,
-                    cancellationToken).ConfigureAwait(false);
-
-                if (!handled)
-                {
-                    throw new McpException(
-                        $"Failed to handle unauthorized response with scheme '{bestSchemeMatch}'. " +
-                        "The authentication provider was unable to process the authentication challenge.");
-                }
-
-                _currentScheme = recommendedScheme ?? bestSchemeMatch;
+                _currentScheme = bestSchemeMatch;
             }
-            catch (Exception ex)
+            else if (serverSchemes.Count > 0)
             {
+                // If no match was found, either throw an exception or use default
                 throw new McpException(
-                    $"Failed to handle unauthorized response with scheme '{bestSchemeMatch}'. " +
-                    "The authentication provider encountered an error while processing the authentication challenge.",
-                    ex);
+                    $"The server does not support any of the provided authentication schemes." +
+                    $"Server supports: [{string.Join(", ", serverSchemes)}], " +
+                    $"Provider supports: [{string.Join(", ", credentialProvider.SupportedSchemes)}].");
             }
+        }
 
-            var retryRequest = new HttpRequestMessage(originalRequest.Method, originalRequest.RequestUri)
-            {
-                Version = originalRequest.Version,
-#if NET
-                VersionPolicy = originalRequest.VersionPolicy,
-#endif
-            };
-
-            // Copy headers except Authorization which we'll set separately
-            foreach (var header in originalRequest.Headers)
-            {
-                if (!header.Key.Equals("Authorization", StringComparison.OrdinalIgnoreCase))
-                {
-                    retryRequest.Headers.TryAddWithoutValidation(header.Key, header.Value);
-                }
-            }
+        // Try to handle the 401 response with the selected scheme
+        await credentialProvider.HandleUnauthorizedResponseAsync(_currentScheme, response, cancellationToken).ConfigureAwait(false);
 
-            await AddAuthorizationHeaderAsync(retryRequest, _currentScheme, cancellationToken).ConfigureAwait(false);
+        using var retryRequest = new HttpRequestMessage(originalRequest.Method, originalRequest.RequestUri);
 
-            return await base.SendAsync(retryRequest, originalJsonRpcMessage, cancellationToken).ConfigureAwait(false);
+        // Copy headers except Authorization which we'll set separately
+        foreach (var header in originalRequest.Headers)
+        {
+            if (!header.Key.Equals("Authorization", StringComparison.OrdinalIgnoreCase))
+            {
+                retryRequest.Headers.TryAddWithoutValidation(header.Key, header.Value);
+            }
         }
 
-        return response; // Return the original response if we couldn't handle it
+        await AddAuthorizationHeaderAsync(retryRequest, _currentScheme, cancellationToken).ConfigureAwait(false);
+        return await base.SendAsync(retryRequest, originalJsonRpcMessage, cancellationToken).ConfigureAwait(false);
     }
 
     /// <summary>
@@ -138,15 +89,9 @@ private static HashSet<string> ExtractServerSupportedSchemes(HttpResponseMessage
     {
         var serverSchemes = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
 
-        if (response.Headers.Contains("WWW-Authenticate"))
+        foreach (var header in response.Headers.WwwAuthenticate)
         {
-            foreach (var authHeader in response.Headers.GetValues("WWW-Authenticate"))
-            {
-                // Extract the scheme from the WWW-Authenticate header
-                // Format is typically: "Scheme param1=value1, param2=value2"
-                string scheme = authHeader.Split(SchemeSplitDelimiters, StringSplitOptions.RemoveEmptyEntries)[0];
-                serverSchemes.Add(scheme);
-            }
+            serverSchemes.Add(header.Scheme);
         }
 
         return serverSchemes;
@@ -157,13 +102,17 @@ private static HashSet<string> ExtractServerSupportedSchemes(HttpResponseMessage
     /// </summary>
     private async Task AddAuthorizationHeaderAsync(HttpRequestMessage request, string scheme, CancellationToken cancellationToken)
     {
-        if (request.RequestUri != null)
+        if (request.RequestUri is null)
         {
-            var token = await credentialProvider.GetCredentialAsync(scheme, request.RequestUri, cancellationToken).ConfigureAwait(false);
-            if (!string.IsNullOrEmpty(token))
-            {
-                request.Headers.Authorization = new AuthenticationHeaderValue(scheme, token);
-            }
+            return;
+        }
+
+        var token = await credentialProvider.GetCredentialAsync(scheme, request.RequestUri, cancellationToken).ConfigureAwait(false);
+        if (string.IsNullOrEmpty(token))
+        {
+            return;
         }
+
+        request.Headers.Authorization = new AuthenticationHeaderValue(scheme, token);
     }
 }