Iterating on the changes

Author: localden

samples/AuthorizationExample/Program.cs

@@ -1,5 +1,6 @@
 using System.Diagnostics;
 using ModelContextProtocol.Client;
+using ModelContextProtocol.Protocol.Auth;
 using ModelContextProtocol.Protocol.Transport;
 
 namespace AuthorizationExample;
@@ -14,35 +15,76 @@ public static async Task Main(string[] args)
         // Define the MCP server endpoint that requires OAuth authentication
         var serverEndpoint = new Uri("http://localhost:7071/sse");
 
+        // Configuration values for OAuth redirect
+        string hostname = "localhost";
+        int port = 8888;
+        string callbackPath = "/oauth/callback";
+
         // Set up the SSE transport with authorization support
         var transportOptions = new SseClientTransportOptions
         {
             Endpoint = serverEndpoint,
-            AuthorizeCallback = SseClientTransport.CreateLocalServerAuthorizeCallback(
-                 openBrowser: async (url) =>
-                 {
-                     Process.Start(new ProcessStartInfo(url) { UseShellExecute = true });
-                 }
-             )
+            AuthorizationOptions = new McpAuthorizationOptions
+            {
+                // Pre-registered client credentials (if applicable)
+                ClientId = "my-registered-client-id",
+                ClientSecret = "optional-client-secret",
+                
+                // Specify the exact same redirect URIs that are registered with the OAuth server
+                RedirectUris = new[] 
+                { 
+                    $"http://{hostname}:{port}{callbackPath}" 
+                },
+
+                // Configure the authorize callback with the same hostname, port, and path
+                AuthorizeCallback = SseClientTransport.CreateHttpListenerAuthorizeCallback(
+                    openBrowser: async (url) =>
+                    {
+                        Console.WriteLine($"Opening browser to authorize at: {url}");
+                        Process.Start(new ProcessStartInfo(url) { UseShellExecute = true });
+                    },
+                    hostname: hostname,
+                    listenPort: port,
+                    redirectPath: callbackPath,
+                    successHtml: "<html><body><h1>Authorization Successful</h1><p>You have successfully authorized the application. You can close this window and return to the app.</p><script>window.close();</script></body></html>"
+                )
+            }
         };
 
-        // Create the client with authorization-enabled transport
-        var transport = new SseClientTransport(transportOptions);
-        var client = await McpClientFactory.CreateAsync(transport);
-
-        // Print the list of tools available from the server.
-        foreach (var tool in await client.ListToolsAsync())
+        Console.WriteLine("Connecting to MCP server...");
+        
+        try
         {
-            Console.WriteLine($"{tool.Name} ({tool.Description})");
-        }
+            // Create the client with authorization-enabled transport
+            var transport = new SseClientTransport(transportOptions);
+            var client = await McpClientFactory.CreateAsync(transport);
 
-        // Execute a tool (this would normally be driven by LLM tool invocations).
-        var result = await client.CallToolAsync(
-            "echo",
-            new Dictionary<string, object?>() { ["message"] = "Hello MCP!" },
-            cancellationToken: CancellationToken.None);
+            Console.WriteLine("Successfully connected and authorized!");
+            
+            // Print the list of tools available from the server.
+            Console.WriteLine("\nAvailable tools:");
+            foreach (var tool in await client.ListToolsAsync())
+            {
+                Console.WriteLine($"  - {tool.Name}: {tool.Description}");
+            }
 
-        // echo always returns one and only one text content object
-        Console.WriteLine(result.Content.First(c => c.Type == "text").Text);
+            // Execute a tool (this would normally be driven by LLM tool invocations).
+            Console.WriteLine("\nCalling 'echo' tool...");
+            var result = await client.CallToolAsync(
+                "echo",
+                new Dictionary<string, object?>() { ["message"] = "Hello MCP!" },
+                cancellationToken: CancellationToken.None);
+
+            // echo always returns one and only one text content object
+            Console.WriteLine($"Tool response: {result.Content.First(c => c.Type == "text").Text}");
+        }
+        catch (Exception ex)
+        {
+            Console.WriteLine($"Error: {ex.Message}");
+            if (ex.InnerException != null)
+            {
+                Console.WriteLine($"Inner Error: {ex.InnerException.Message}");
+            }
+        }
     }
 }

src/ModelContextProtocol/Protocol/Auth/DefaultAuthorizationHandler.cs

@@ -15,18 +15,40 @@ internal class DefaultAuthorizationHandler : IAuthorizationHandler
     private readonly ILogger _logger;
     private readonly SynchronizedValue<AuthorizationContext> _authContext = new(new AuthorizationContext());
     private readonly Func<ClientMetadata, Task<(string RedirectUri, string Code)>>? _authorizeCallback;
+    private readonly string? _clientId;
+    private readonly string? _clientSecret;
+    private readonly ICollection<string>? _redirectUris;
+    private readonly ICollection<string>? _scopes;
 
     /// <summary>
     /// Initializes a new instance of the <see cref="DefaultAuthorizationHandler"/> class.
     /// </summary>
     /// <param name="loggerFactory">The logger factory.</param>
-    /// <param name="authorizeCallback">A callback function that handles the authorization code flow.</param>
-    public DefaultAuthorizationHandler(ILoggerFactory? loggerFactory = null, Func<ClientMetadata, Task<(string RedirectUri, string Code)>>? authorizeCallback = null)
+    /// <param name="options">The authorization options.</param>
+    public DefaultAuthorizationHandler(ILoggerFactory? loggerFactory = null, McpAuthorizationOptions? options = null)
     {
         _logger = loggerFactory != null 
             ? loggerFactory.CreateLogger<DefaultAuthorizationHandler>() 
             : NullLogger<DefaultAuthorizationHandler>.Instance;
-        _authorizeCallback = authorizeCallback;
+        
+        if (options != null)
+        {
+            _authorizeCallback = options.AuthorizeCallback;
+            _clientId = options.ClientId;
+            _clientSecret = options.ClientSecret;
+            _redirectUris = options.RedirectUris;
+            _scopes = options.Scopes;
+        }
+    }
+
+    /// <summary>
+    /// Initializes a new instance of the <see cref="DefaultAuthorizationHandler"/> class.
+    /// </summary>
+    /// <param name="loggerFactory">The logger factory.</param>
+    /// <param name="authorizeCallback">A callback function that handles the authorization code flow.</param>
+    public DefaultAuthorizationHandler(ILoggerFactory? loggerFactory = null, Func<ClientMetadata, Task<(string RedirectUri, string Code)>>? authorizeCallback = null)
+        : this(loggerFactory, new McpAuthorizationOptions { AuthorizeCallback = authorizeCallback })
+    {
     }
 
     /// <inheritdoc />
@@ -110,26 +132,43 @@ public async Task<bool> HandleUnauthorizedResponseAsync(HttpResponseMessage resp
             _logger.LogDebug("Successfully retrieved authorization server metadata");
 
             // Create client metadata
+            string[] redirectUris = _redirectUris?.ToArray() ?? new[] { "http://localhost:8888/callback" };
             var clientMetadata = new ClientMetadata
             {
-                RedirectUris = new[] { "http://localhost:8888/callback" }, // Default redirect URI
+                RedirectUris = redirectUris,
                 ClientName = "MCP C# SDK Client",
-                Scope = string.Join(" ", resourceMetadata.ScopesSupported ?? Array.Empty<string>())
+                Scope = string.Join(" ", _scopes ?? resourceMetadata.ScopesSupported ?? Array.Empty<string>())
             };
-
-            // Register client if the server supports it
-            if (authServerMetadata.RegistrationEndpoint != null)
+            
+            // Register client if needed, or use pre-configured client ID
+            if (!string.IsNullOrEmpty(_clientId))
+            {                
+                _logger.LogDebug("Using pre-configured client ID: {ClientId}", _clientId);
+                
+                // Create a client registration response to store in the context
+                var clientRegistration = new ClientRegistrationResponse
+                {
+                    ClientId = _clientId!, // Using null-forgiving operator since we've already checked it's not null
+                    ClientSecret = _clientSecret,
+                };
+                
+                authContext.Value.ClientRegistration = clientRegistration;
+            }
+            else if (authServerMetadata.RegistrationEndpoint != null)
             {
+                // Register client dynamically
                 _logger.LogDebug("Registering client with authorization server");
                 var clientRegistration = await AuthorizationService.RegisterClientAsync(authServerMetadata, clientMetadata);
                 authContext.Value.ClientRegistration = clientRegistration;
                 _logger.LogDebug("Client registered successfully with ID: {ClientId}", clientRegistration.ClientId);
             }
             else
             {
-                _logger.LogWarning("Authorization server does not support dynamic client registration");
+                _logger.LogWarning("Authorization server does not support dynamic client registration and no client ID was provided");
 
-                var exception = new McpAuthorizationException("Authorization server does not support dynamic client registration");
+                var exception = new McpAuthorizationException(
+                    "Authorization server does not support dynamic client registration and no client ID was provided. " +
+                    "Use McpAuthorizationOptions.ClientId to provide a pre-registered client ID.");
                 exception.ResourceUri = resourceMetadata.Resource;
                 exception.AuthorizationServerUri = authServerUrl;
                 throw exception;
@@ -142,7 +181,7 @@ public async Task<bool> HandleUnauthorizedResponseAsync(HttpResponseMessage resp
 
                 var exception = new McpAuthorizationException(
                     "Authentication is required but no authorization callback was provided. " +
-                    "Use SseClientTransportOptions.AuthorizeCallback to provide a callback function.");
+                    "Use McpAuthorizationOptions.AuthorizeCallback to provide a callback function.");
                 exception.ResourceUri = resourceMetadata.Resource;
                 exception.AuthorizationServerUri = authServerUrl;
                 throw exception;
@@ -155,18 +194,18 @@ public async Task<bool> HandleUnauthorizedResponseAsync(HttpResponseMessage resp
             // Initiate authorization code flow
             _logger.LogDebug("Initiating authorization code flow");
 
-            // Get the registered client ID
-            var clientId = authContext.Value.ClientRegistration!.ClientId;
-            
             // Get the authorization URL that the user needs to visit
             var authUrl = AuthorizationService.CreateAuthorizationUrl(
                 authServerMetadata,
-                clientId,
+                authContext.Value.ClientRegistration.ClientId,
                 clientMetadata.RedirectUris[0],
                 codeChallenge,
-                resourceMetadata.ScopesSupported);
+                _scopes?.ToArray() ?? resourceMetadata.ScopesSupported);
 
             _logger.LogDebug("Authorization URL: {AuthUrl}", authUrl);
+            
+            // Set the authorization URL in the client metadata
+            clientMetadata.ClientUri = authUrl;
 
             // Let the callback handle the user authorization
             var (redirectUri, code) = await _authorizeCallback(clientMetadata);
@@ -176,7 +215,7 @@ public async Task<bool> HandleUnauthorizedResponseAsync(HttpResponseMessage resp
             _logger.LogDebug("Exchanging authorization code for tokens");
             var tokenResponse = await AuthorizationService.ExchangeCodeForTokensAsync(
                 authServerMetadata,
-                clientId,
+                authContext.Value.ClientRegistration.ClientId,
                 authContext.Value.ClientRegistration.ClientSecret,
                 redirectUri,
                 code,

src/ModelContextProtocol/Protocol/Auth/McpAuthorizationOptions.cs

@@ -0,0 +1,81 @@
+using System;
+using System.Collections.Generic;
+
+namespace ModelContextProtocol.Protocol.Auth;
+
+/// <summary>
+/// Provides authorization options for MCP clients.
+/// </summary>
+public class McpAuthorizationOptions
+{
+    /// <summary>
+    /// Gets or sets a delegate that handles the OAuth 2.0 authorization code flow.
+    /// </summary>
+    /// <remarks>
+    /// <para>
+    /// This delegate is called when the server requires OAuth 2.0 authorization. It receives the client metadata
+    /// and should return the redirect URI and authorization code received from the authorization server.
+    /// </para>
+    /// <para>
+    /// If not provided, the client will not be able to authenticate with servers that require OAuth authentication.
+    /// </para>
+    /// </remarks>
+    public Func<ClientMetadata, Task<(string RedirectUri, string Code)>>? AuthorizeCallback { get; init; }
+
+    /// <summary>
+    /// Gets or sets the client ID to use for OAuth authorization.
+    /// </summary>
+    /// <remarks>
+    /// <para>
+    /// If specified, this client ID will be used during the OAuth flow instead of performing dynamic client registration.
+    /// This is useful when connecting to servers that have pre-registered clients.
+    /// </para>
+    /// </remarks>
+    public string? ClientId { get; init; }
+
+    /// <summary>
+    /// Gets or sets the client secret associated with the client ID.
+    /// </summary>
+    /// <remarks>
+    /// This is only required if the client was registered as a confidential client with the authorization server.
+    /// Public clients don't require a client secret.
+    /// </remarks>
+    public string? ClientSecret { get; init; }
+
+    /// <summary>
+    /// Gets or sets the redirect URIs that can be used during the OAuth authorization flow.
+    /// </summary>
+    /// <remarks>
+    /// <para>
+    /// These URIs must match the redirect URIs registered with the authorization server for the client.
+    /// </para>
+    /// <para>
+    /// If not specified and <see cref="ClientId"/> is set, a default value of
+    /// "http://localhost:8888/callback" will be used.
+    /// </para>
+    /// </remarks>
+    public ICollection<string>? RedirectUris { get; init; }
+
+    /// <summary>
+    /// Gets or sets the scopes to request during OAuth authorization.
+    /// </summary>
+    /// <remarks>
+    /// <para>
+    /// If not specified, the scopes will be determined from the server's resource metadata.
+    /// </para>
+    /// </remarks>
+    public ICollection<string>? Scopes { get; init; }
+
+    /// <summary>
+    /// Gets or sets a custom authorization handler.
+    /// </summary>
+    /// <remarks>
+    /// <para>
+    /// If specified, this handler will be used to manage authorization with the server.
+    /// </para>
+    /// <para>
+    /// If not provided, a default handler will be created using the other options.
+    /// </para>
+    /// </remarks>
+    public IAuthorizationHandler? AuthorizationHandler { get; init; }
+}

src/ModelContextProtocol/Protocol/Transport/SseClientSessionTransport.cs

@@ -50,8 +50,16 @@ public SseClientSessionTransport(SseClientTransportOptions transportOptions, Htt
         _connectionEstablished = new TaskCompletionSource<bool>(TaskCreationOptions.RunContinuationsAsynchronously);
 
         // Initialize the authorization handler
-        _authorizationHandler = transportOptions.AuthorizationHandler ?? 
-                               new DefaultAuthorizationHandler(loggerFactory, transportOptions.AuthorizeCallback);
+        if (transportOptions.AuthorizationOptions?.AuthorizationHandler != null)
+        {
+            // Use explicitly provided handler
+            _authorizationHandler = transportOptions.AuthorizationOptions.AuthorizationHandler;
+        }
+        else
+        {
+            // Create default handler with auth options
+            _authorizationHandler = new DefaultAuthorizationHandler(loggerFactory, transportOptions.AuthorizationOptions);
+        }
     }
 
     /// <inheritdoc/>