Cleaner implementation

Author: localden

samples/ProtectedMCPServer/Program.cs

@@ -14,8 +14,8 @@
 
 builder.Services.AddAuthentication(options =>
 {
-    options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
     options.DefaultChallengeScheme = McpAuthenticationDefaults.AuthenticationScheme;
+    options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
 })
 .AddJwtBearer(options =>
 {
@@ -51,10 +51,6 @@
         OnChallenge = context =>
         {
             Console.WriteLine($"Challenging client to authenticate with Entra ID");
-            
-            // Skip the default Bearer header - MCP handler will provide the complete one
-            context.HandleResponse();
-            
             return Task.CompletedTask;
         }
     };
@@ -76,41 +72,9 @@
 
         return metadata;
     };
-    
-    // Specify authentication schemes that this server supports
-    options.SupportedAuthenticationSchemes.Add("Bearer");
-    options.SupportedAuthenticationSchemes.Add("Basic");
-    
-    // For a server that doesn't want to support Bearer, you would simply not add it:
-    // options.SupportedAuthenticationSchemes.Add("Basic");
-    // options.SupportedAuthenticationSchemes.Add("Digest");
-    
-    // You can also use the dynamic provider for more flexible scheme selection:
-    /*
-    options.SupportedAuthenticationSchemesProvider = context =>
-    {
-        // You can use context information to determine which schemes to offer
-        var schemes = new List<string>();
-        
-        // Add Bearer for most clients
-        schemes.Add("Bearer");
-        
-        // Example of conditional scheme based on client type or other factors
-        if (context.Request.Headers.UserAgent.ToString().Contains("SpecialClient"))
-        {
-            schemes.Add("Basic");
-        }
-        
-        return schemes;
-    };
-    */
 });
 
-builder.Services.AddAuthorization(options =>
-{
-    options.AddMcpPolicy(configurePolicy: builder => 
-        builder.AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme));
-});
+builder.Services.AddAuthorization();
 
 builder.Services.AddHttpContextAccessor();
 builder.Services.AddMcpServer()
@@ -129,7 +93,8 @@
 app.UseAuthentication();
 app.UseAuthorization();
 
-app.MapMcp().RequireAuthorization(McpAuthenticationDefaults.AuthenticationScheme);
+// Use the default MCP policy name that we've configured
+app.MapMcp().RequireAuthorization();
 
 Console.WriteLine($"Starting MCP server with authorization at {serverUrl}");
 Console.WriteLine($"PRM Document URL: {serverUrl}.well-known/oauth-protected-resource");

src/ModelContextProtocol.AspNetCore/Authentication/McpAuthenticationHandler.cs

@@ -113,11 +113,19 @@ private async Task HandleResourceMetadataRequestAsync()
     }
 
     /// <inheritdoc />
-    protected override Task<AuthenticateResult> HandleAuthenticateAsync()
+    protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
     {
-        // This handler doesn't perform authentication - it only adds resource metadata to challenges
-        // The actual authentication will be handled by the bearer token handler or other authentication handlers
-        return Task.FromResult(AuthenticateResult.NoResult());
+        // If ForwardAuthenticate is set, forward the authentication to the specified scheme
+        if (!string.IsNullOrEmpty(Options.ForwardAuthenticate) && 
+            Options.ForwardAuthenticate != Scheme.Name)
+        {
+            // Simply forward the authentication request to the specified scheme and return its result
+            // This ensures we don't interfere with the authentication process
+            return await Context.AuthenticateAsync(Options.ForwardAuthenticate);
+        }
+
+        // If no forwarding is configured, this handler doesn't perform authentication
+        return AuthenticateResult.NoResult();
     }
 
     /// <inheritdoc />
@@ -135,24 +143,9 @@ protected override Task HandleChallengeAsync(AuthenticationProperties properties
         // Store the resource_metadata in properties in case other handlers need it
         properties.Items["resource_metadata"] = rawPrmDocumentUri;
 
-        // Get supported schemes from the options
-        var options = _optionsMonitor.CurrentValue;
-        var supportedSchemes = options.GetSupportedAuthenticationSchemes(Request.HttpContext).ToList();
-
-        // If no schemes are explicitly defined, don't add any WWW-Authenticate headers
-        if (supportedSchemes.Count == 0)
-        {
-            return base.HandleChallengeAsync(properties);
-        }
-        
-        // Add headers for each supported authentication scheme
-        foreach (var scheme in supportedSchemes)
-        {
-            // For all schemes, include the realm and resource metadata
-            // This allows discovery of OAuth capabilities regardless of the authentication scheme
-            string headerValue = $"{scheme} realm=\"{Scheme.Name}\", resource_metadata=\"{rawPrmDocumentUri}\"";
-            Response.Headers.Append("WWW-Authenticate", headerValue);
-        }
+        // Add the WWW-Authenticate header with Bearer scheme and resource metadata
+        string headerValue = $"Bearer realm=\"{Scheme.Name}\", resource_metadata=\"{rawPrmDocumentUri}\"";
+        Response.Headers.Append("WWW-Authenticate", headerValue);
 
         return base.HandleChallengeAsync(properties);
     }

src/ModelContextProtocol.AspNetCore/Authentication/McpAuthenticationOptions.cs

@@ -20,12 +20,19 @@ public class McpAuthenticationOptions : AuthenticationSchemeOptions
         set { base.Events = value; }
     }
 
+    /// <summary>
+    /// Gets or sets the scheme to use for forward authentication.
+    /// </summary>
+    /// <remarks>
+    /// This is currently set as a constant to avoid adding a package dependency.
+    /// </remarks>
+    public new string ForwardAuthenticate { get; set; } = "Bearer";
+
     /// <summary>
     /// The URI to the resource metadata document.
     /// </summary>
     /// <remarks>
-    /// This URI will be included in the WWW-Authenticate header when a 401 response is returned
-    /// and Bearer authentication is supported.
+    /// This URI will be included in the WWW-Authenticate header when a 401 response is returned.
     /// </remarks>
     public Uri ResourceMetadataUri { get; set; } = DefaultResourceMetadataUri;
 
@@ -49,26 +56,6 @@ public class McpAuthenticationOptions : AuthenticationSchemeOptions
     /// </remarks>
     public Func<HttpContext, ProtectedResourceMetadata>? ResourceMetadataProvider { get; set; }
 
-    /// <summary>
-    /// Gets or sets the authentication schemes supported by this server.
-    /// </summary>
-    /// <remarks>
-    /// When set, these schemes will be included in WWW-Authenticate headers during an authentication challenge.
-    /// By default, this is empty and must be populated with the authentication schemes your server supports.
-    /// If Bearer is included, the resource metadata URI will be included in its parameters.
-    /// </remarks>
-    public List<string> SupportedAuthenticationSchemes { get; set; } = new List<string>();
-    
-    /// <summary>
-    /// Gets or sets a delegate that dynamically provides authentication schemes based on the HTTP context.
-    /// </summary>
-    /// <remarks>
-    /// When set, this delegate will be called to determine which authentication schemes to include
-    /// in WWW-Authenticate headers during an authentication challenge. This takes precedence over the static
-    /// <see cref="SupportedAuthenticationSchemes"/> property.
-    /// </remarks>
-    public Func<HttpContext, IEnumerable<string>>? SupportedAuthenticationSchemesProvider { get; set; }
-
     /// <summary>
     /// Gets the resource metadata for the current request.
     /// </summary>
@@ -83,19 +70,4 @@ internal ProtectedResourceMetadata GetResourceMetadata(HttpContext context)
 
         return ResourceMetadata;
     }
-    
-    /// <summary>
-    /// Gets the supported authentication schemes for the current request.
-    /// </summary>
-    /// <param name="context">The HTTP context for the current request.</param>
-    /// <returns>The authentication schemes supported for the current request.</returns>
-    internal IEnumerable<string> GetSupportedAuthenticationSchemes(HttpContext context)
-    {
-        if (SupportedAuthenticationSchemesProvider != null)
-        {
-            return SupportedAuthenticationSchemesProvider(context);
-        }
-
-        return SupportedAuthenticationSchemes;
-    }
 }