Stub for server implementation

Author: localden

ModelContextProtocol.sln

@@ -58,6 +58,8 @@ Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "ModelContextProtocol.AspNet
 EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "AuthorizationExample", "samples\AuthorizationExample\AuthorizationExample.csproj", "{C2E8E0D9-5F7B-38D8-3D5D-041471BD350C}"
 EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "AuthorizationServerExample", "samples\AuthorizationServerExample\AuthorizationServerExample.csproj", "{05C500AF-9CF6-C2E7-2782-95271975A5DE}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -116,6 +118,10 @@ Global
 		{C2E8E0D9-5F7B-38D8-3D5D-041471BD350C}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{C2E8E0D9-5F7B-38D8-3D5D-041471BD350C}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{C2E8E0D9-5F7B-38D8-3D5D-041471BD350C}.Release|Any CPU.Build.0 = Release|Any CPU
+		{05C500AF-9CF6-C2E7-2782-95271975A5DE}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{05C500AF-9CF6-C2E7-2782-95271975A5DE}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{05C500AF-9CF6-C2E7-2782-95271975A5DE}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{05C500AF-9CF6-C2E7-2782-95271975A5DE}.Release|Any CPU.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
@@ -135,6 +141,7 @@ Global
 		{37B6A5E0-9995-497D-8B43-3BC6870CC716} = {A2F1F52A-9107-4BF8-8C3F-2F6670E7D0AD}
 		{85557BA6-3D29-4C95-A646-2A972B1C2F25} = {2A77AF5C-138A-4EBB-9A13-9205DCD67928}
 		{C2E8E0D9-5F7B-38D8-3D5D-041471BD350C} = {02EA681E-C7D8-13C7-8484-4AC65E1B71E8}
+		{05C500AF-9CF6-C2E7-2782-95271975A5DE} = {02EA681E-C7D8-13C7-8484-4AC65E1B71E8}
 	EndGlobalSection
 	GlobalSection(ExtensibilityGlobals) = postSolution
 		SolutionGuid = {384A3888-751F-4D75-9AE5-587330582D89}

samples/AuthorizationExample/Program.cs

@@ -27,25 +27,23 @@ public static async Task Main(string[] args)
              )
         };
 
-        try
-        {
-            // Create the client with authorization-enabled transport
-            var transport = new SseClientTransport(transportOptions);
-            var client = await McpClientFactory.CreateAsync(transport);
+        // Create the client with authorization-enabled transport
+        var transport = new SseClientTransport(transportOptions);
+        var client = await McpClientFactory.CreateAsync(transport);
 
-            // Print the list of tools available from the server.
-            foreach (var tool in await client.ListToolsAsync())
-            {
-                Console.WriteLine($"{tool.Name} ({tool.Description})");
-            }
+        // Print the list of tools available from the server.
+        foreach (var tool in await client.ListToolsAsync())
+        {
+            Console.WriteLine($"{tool.Name} ({tool.Description})");
+        }
 
-            // Execute a tool (this would normally be driven by LLM tool invocations).
-            var result = await client.CallToolAsync(
-                "echo",
-                new Dictionary<string, object?>() { ["message"] = "Hello MCP!" },
-                cancellationToken: CancellationToken.None);
+        // Execute a tool (this would normally be driven by LLM tool invocations).
+        var result = await client.CallToolAsync(
+            "echo",
+            new Dictionary<string, object?>() { ["message"] = "Hello MCP!" },
+            cancellationToken: CancellationToken.None);
 
-            // echo always returns one and only one text content object
-            Console.WriteLine(result.Content.First(c => c.Type == "text").Text);
-        }
+        // echo always returns one and only one text content object
+        Console.WriteLine(result.Content.First(c => c.Type == "text").Text);
+    }
 }

samples/AuthorizationServerExample/AuthorizationServerExample.csproj

@@ -0,0 +1,15 @@
+<Project Sdk="Microsoft.NET.Sdk.Web">
+
+  <PropertyGroup>
+    <OutputType>Exe</OutputType>
+    <TargetFramework>net8.0</TargetFramework>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <Nullable>enable</Nullable>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="..\..\src\ModelContextProtocol\ModelContextProtocol.csproj" />
+    <ProjectReference Include="..\..\src\ModelContextProtocol.AspNetCore\ModelContextProtocol.AspNetCore.csproj" />
+  </ItemGroup>
+
+</Project>

samples/AuthorizationServerExample/Program.cs

@@ -0,0 +1,139 @@
+using Microsoft.AspNetCore.Builder;
+using ModelContextProtocol;
+using ModelContextProtocol.AspNetCore;
+using ModelContextProtocol.Protocol.Auth;
+using ModelContextProtocol.Protocol.Types;
+using ModelContextProtocol.Server.Auth;
+using System.Text.Json;
+
+namespace AuthorizationServerExample;
+
+/// <summary>
+/// Example demonstrating how to implement authorization in an MCP server.
+/// </summary>
+public class Program
+{
+    public static async Task Main(string[] args)
+    {
+        Console.WriteLine("=== MCP Server with Authorization Support ===");
+        Console.WriteLine("This example demonstrates how to implement OAuth authorization in an MCP server.");
+        Console.WriteLine();
+
+        var builder = WebApplication.CreateBuilder(args);
+        
+        // 1. Define the Protected Resource Metadata for the server
+        // This is the information that will be provided to clients when they need to authenticate
+        var prm = new ProtectedResourceMetadata
+        {
+            Resource = "https://localhost:7071", // The resource identifier (typically your server's base URL)
+            AuthorizationServers = ["https://auth.example.com"], // Auth servers that can issue tokens for this resource
+            BearerMethodsSupported = ["header"], // We support the Authorization header
+            ScopesSupported = ["mcp.tools", "mcp.prompts", "mcp.resources"], // Scopes supported by this resource
+            ResourceDocumentation = "https://example.com/docs/mcp-server-auth" // Optional documentation URL
+        };
+
+        // 2. Define a token validator function
+        // This function receives the token from the Authorization header and should validate it
+        // In a real application, this would verify the token with your identity provider
+        async Task<bool> ValidateToken(string token)
+        {
+            // For demo purposes, we'll accept any token that starts with "valid_"
+            // In production, you would validate the token with your identity provider
+            var isValid = token.StartsWith("valid_", StringComparison.OrdinalIgnoreCase);
+            Console.WriteLine($"Token validation result: {(isValid ? "Valid" : "Invalid")}");
+            return isValid;
+        }
+
+        // 3. Create an authorization provider with the PRM and token validator
+        var authProvider = new SimpleServerAuthorizationProvider(prm, ValidateToken);
+
+        // 4. Configure the MCP server with authorization
+        builder.Services.AddMcpServer(options =>
+            {
+                options.ServerInstructions = "This is an MCP server with OAuth authorization enabled.";
+                
+                // Configure regular server capabilities like tools, prompts, resources
+                options.Capabilities = new()
+                {
+                    Tools = new()
+                    {
+                        // Simple Echo tool
+                        
+                        CallToolHandler = (request, cancellationToken) =>
+                        {
+                            if (request.Params?.Name == "echo")
+                            {
+                                if (request.Params.Arguments?.TryGetValue("message", out var message) is not true)
+                                {
+                                    throw new McpException("Missing required argument 'message'");
+                                }
+
+                                return new ValueTask<CallToolResponse>(new CallToolResponse()
+                                {
+                                    Content = [new Content() { Text = $"Echo: {message}", Type = "text" }]
+                                });
+                            }
+                            
+                            // Protected tool that requires authorization
+                            if (request.Params?.Name == "protected-data")
+                            {
+                                // This tool will only be accessible to authenticated clients
+                                return new ValueTask<CallToolResponse>(new CallToolResponse()
+                                {
+                                    Content = [new Content() { Text = "This is protected data that only authorized clients can access" }]
+                                });
+                            }
+
+                            throw new McpException($"Unknown tool: '{request.Params?.Name}'");
+                        },
+                        
+                        ListToolsHandler = async (_, _) => new()
+                        {
+                            Tools = 
+                            [
+                                new() 
+                                { 
+                                    Name = "echo", 
+                                    Description = "Echoes back the message you send" 
+                                },
+                                new()
+                                {
+                                    Name = "protected-data",
+                                    Description = "Returns protected data that requires authorization"
+                                }
+                            ]
+                        }
+                    }
+                };
+            })
+            .WithAuthorization(authProvider)  // Enable authorization with our provider
+            .WithHttpTransport();             // Configure HTTP transport
+
+        var app = builder.Build();
+        
+        // 5. Enable authorization middleware (this must be before MapMcp)
+        // This middleware does several things:
+        // - Serves the PRM document at /.well-known/oauth-protected-resource
+        // - Checks Authorization header on requests
+        // - Returns 401 + WWW-Authenticate when authorization is missing or invalid
+        app.UseMcpAuthorization();
+        
+        // 6. Map MCP endpoints
+        app.MapMcp();
+        
+        // Configure the server URL
+        app.Urls.Add("https://localhost:7071");
+        
+        Console.WriteLine("Starting MCP server with authorization at https://localhost:7071");
+        Console.WriteLine("PRM Document URL: https://localhost:7071/.well-known/oauth-protected-resource");
+        Console.WriteLine();
+        Console.WriteLine("To test the server:");
+        Console.WriteLine("1. Use an MCP client that supports authorization");
+        Console.WriteLine("2. When prompted for authorization, enter 'valid_token' to gain access");
+        Console.WriteLine("3. Any other token value will be rejected with a 401 Unauthorized");
+        Console.WriteLine();
+        Console.WriteLine("Press Ctrl+C to stop the server");
+        
+        await app.RunAsync();
+    }
+}

samples/AuthorizationServerExample/Properties/launchSettings.json

@@ -0,0 +1,12 @@
+{
+  "profiles": {
+    "AuthorizationServerExample": {
+      "commandName": "Project",
+      "launchBrowser": true,
+      "environmentVariables": {
+        "ASPNETCORE_ENVIRONMENT": "Development"
+      },
+      "applicationUrl": "https://localhost:50481;http://localhost:50482"
+    }
+  }
+}

src/ModelContextProtocol.AspNetCore/McpAuthorizationExtensions.cs

@@ -0,0 +1,21 @@
+using Microsoft.AspNetCore.Builder;
+using Microsoft.Extensions.DependencyInjection;
+
+namespace ModelContextProtocol.AspNetCore;
+
+/// <summary>
+/// Extension methods for using MCP authorization in ASP.NET Core applications.
+/// </summary>
+public static class McpAuthorizationExtensions
+{
+    /// <summary>
+    /// Adds MCP authorization middleware to the specified <see cref="IApplicationBuilder"/>, which enables
+    /// OAuth 2.0 authorization for MCP servers.
+    /// </summary>
+    /// <param name="builder">The <see cref="IApplicationBuilder"/> to add the middleware to.</param>
+    /// <returns>A reference to this instance after the operation has completed.</returns>
+    public static IApplicationBuilder UseMcpAuthorization(this IApplicationBuilder builder)
+    {
+        return builder.UseMiddleware<McpAuthorizationMiddleware>();
+    }
+}

src/ModelContextProtocol.AspNetCore/McpAuthorizationMiddleware.cs

@@ -0,0 +1,113 @@
+using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+using ModelContextProtocol.Protocol.Auth;
+using ModelContextProtocol.Protocol.Types;
+using ModelContextProtocol.Server;
+using ModelContextProtocol.Utils.Json;
+using System.Text.Json;
+
+namespace ModelContextProtocol.AspNetCore;
+
+/// <summary>
+/// Middleware that handles authorization for MCP servers.
+/// </summary>
+internal class McpAuthorizationMiddleware
+{
+    private readonly RequestDelegate _next;
+    private readonly ILogger<McpAuthorizationMiddleware> _logger;
+
+    /// <summary>
+    /// Initializes a new instance of the <see cref="McpAuthorizationMiddleware"/> class.
+    /// </summary>
+    /// <param name="next">The next middleware in the pipeline.</param>
+    /// <param name="logger">The logger factory.</param>
+    public McpAuthorizationMiddleware(RequestDelegate next, ILogger<McpAuthorizationMiddleware> logger)
+    {
+        _next = next ?? throw new ArgumentNullException(nameof(next));
+        _logger = logger ?? throw new ArgumentNullException(nameof(logger));
+    }
+
+    /// <summary>
+    /// Processes a request.
+    /// </summary>
+    /// <param name="context">The HTTP context.</param>
+    /// <param name="serverOptions">The MCP server options.</param>
+    /// <returns>A <see cref="Task"/> representing the asynchronous operation.</returns>
+    public async Task InvokeAsync(HttpContext context, IOptions<McpServerOptions> serverOptions)
+    {
+        // Check if authorization is configured
+        var authCapability = serverOptions.Value.Capabilities?.Authorization;
+        var authProvider = authCapability?.AuthorizationProvider;
+
+        if (authProvider == null)
+        {
+            // Authorization is not configured, proceed to the next middleware
+            await _next(context);
+            return;
+        }
+
+        // Handle the PRM document endpoint
+        if (context.Request.Path.StartsWithSegments("/.well-known/oauth-protected-resource"))
+        {
+            _logger.LogDebug("Serving Protected Resource Metadata document");
+            context.Response.ContentType = "application/json";
+            await JsonSerializer.SerializeAsync(
+                context.Response.Body, 
+                authProvider.GetProtectedResourceMetadata(),
+                McpJsonUtilities.DefaultOptions.GetTypeInfo(typeof(ProtectedResourceMetadata)));
+            return;
+        }
+
+        // Serve SSE and message endpoints with authorization
+        if (context.Request.Path.StartsWithSegments("/sse") || 
+            (context.Request.Path.Value?.EndsWith("/message") == true))
+        {
+            // Check if the Authorization header is present
+            if (!context.Request.Headers.TryGetValue("Authorization", out var authHeader) || string.IsNullOrEmpty(authHeader))
+            {
+                // No Authorization header present, return 401 Unauthorized
+                var prm = authProvider.GetProtectedResourceMetadata();
+                var prmUrl = GetPrmUrl(context, prm.Resource);
+                
+                _logger.LogDebug("Authorization required, returning 401 Unauthorized with WWW-Authenticate header");
+                context.Response.StatusCode = StatusCodes.Status401Unauthorized;
+                context.Response.Headers.Append("WWW-Authenticate", $"Bearer resource_metadata=\"{prmUrl}\"");
+                return;
+            }
+
+            // Validate the token - ensuring authHeader is a non-null string
+            string authHeaderValue = authHeader.ToString();
+            bool isValid = await authProvider.ValidateTokenAsync(authHeaderValue);
+            if (!isValid)
+            {
+                // Invalid token, return 401 Unauthorized
+                var prm = authProvider.GetProtectedResourceMetadata();
+                var prmUrl = GetPrmUrl(context, prm.Resource);
+                
+                _logger.LogDebug("Invalid authorization token, returning 401 Unauthorized");
+                context.Response.StatusCode = StatusCodes.Status401Unauthorized;
+                context.Response.Headers.Append("WWW-Authenticate", $"Bearer resource_metadata=\"{prmUrl}\"");
+                return;
+            }
+        }
+
+        // Token is valid or endpoint doesn't require authentication, proceed to the next middleware
+        await _next(context);
+    }
+
+    private static string GetPrmUrl(HttpContext context, string resourceUri)
+    {
+        // Use the actual resource URI from PRM if it's an absolute URL, otherwise build the URL
+        if (Uri.TryCreate(resourceUri, UriKind.Absolute, out _))
+        {
+            return $"{resourceUri.TrimEnd('/')}/.well-known/oauth-protected-resource";
+        }
+
+        // Build the URL from the current request
+        var request = context.Request;
+        var scheme = request.Scheme;
+        var host = request.Host.Value;
+        return $"{scheme}://{host}/.well-known/oauth-protected-resource";
+    }
+}