Update server configuration

Author: localden

samples/ProtectedMCPServer/Program.cs

@@ -1,6 +1,7 @@
 using Microsoft.AspNetCore.Authentication.JwtBearer;
 using Microsoft.IdentityModel.Tokens;
 using ModelContextProtocol.AspNetCore.Auth;
+using ModelContextProtocol.Auth.Types;
 using ProtectedMCPServer.Tools;
 using System.Net.Http.Headers;
 using System.Security.Claims;
@@ -67,11 +68,21 @@
 })
 .AddMcp(options =>
 {
-    // Configure the MCP authentication with the same Entra ID server
-    options.ResourceMetadata.AuthorizationServers.Add(new Uri($"{instance}{tenantId}/v2.0"));
-    options.ResourceMetadata.BearerMethodsSupported.Add("header");
-    options.ResourceMetadata.ScopesSupported.AddRange(["api://167b4284-3f92-4436-92ed-38b38f83ae08/weather.read"]);
-    options.ResourceMetadata.ResourceDocumentation = new Uri("https://docs.example.com/api/weather");
+    options.ResourceMetadataProvider = context => 
+    {
+        var metadata = new ProtectedResourceMetadata
+        {
+            BearerMethodsSupported = { "header" },
+            ResourceDocumentation = new Uri("https://docs.example.com/api/weather"),
+            AuthorizationServers = { new Uri($"{instance}{tenantId}/v2.0") }
+        };
+
+        metadata.ScopesSupported.AddRange(new[] {
+            "api://167b4284-3f92-4436-92ed-38b38f83ae08/weather.read" 
+        });
+        
+        return metadata;
+    };
 });
 
 // Add authorization services
@@ -104,15 +115,18 @@
 
 Console.WriteLine("Starting MCP server with authorization at http://localhost:7071");
 Console.WriteLine("PRM Document URL: http://localhost:7071/.well-known/oauth-protected-resource");
+Console.WriteLine("  - This endpoint returns different metadata based on the client type!");
+Console.WriteLine("  - Try with different User-Agent headers or add ?mobile query parameter");
 
 Console.WriteLine();
 Console.WriteLine("Entra ID (Azure AD) JWT token validation is configured");
 Console.WriteLine();
-Console.WriteLine("To test the server:");
-Console.WriteLine("1. Use an MCP client that supports OAuth flow with Microsoft Entra ID");
-Console.WriteLine("2. The client should obtain a token for audience: api://weather-api");
-Console.WriteLine("3. The token should be issued by Microsoft Entra ID tenant: " + tenantId);
-Console.WriteLine("4. Include this token in the Authorization header of requests");
+Console.WriteLine("To test the server with different client types:");
+Console.WriteLine("1. Standard client: No special headers needed");
+Console.WriteLine("2. Mobile client: Add 'mobile' in User-Agent or use ?mobile query parameter");
+Console.WriteLine("3. Partner client: Include 'partner' in User-Agent or add X-Partner-API header");
+Console.WriteLine();
+Console.WriteLine("Each client type will receive different authorization requirements!");
 Console.WriteLine();
 Console.WriteLine("Press Ctrl+C to stop the server");
 

src/ModelContextProtocol.AspNetCore/Auth/McpAuthenticationHandler.cs

@@ -82,14 +82,18 @@ private string GetAbsoluteResourceMetadataUri()
     /// </summary>
     private async Task HandleResourceMetadataRequestAsync()
     {
-        // Get a copy of the resource metadata from options to avoid modifying the original
+        // Get resource metadata from options, using the dynamic provider if available
         var options = _optionsMonitor.CurrentValue;
+        var resourceMetadata = options.GetResourceMetadata(Request.HttpContext);
+        
+        // Create a copy to avoid modifying the original
         var metadata = new ProtectedResourceMetadata
         {
-            AuthorizationServers = [.. options.ResourceMetadata.AuthorizationServers],
-            BearerMethodsSupported = [.. options.ResourceMetadata.BearerMethodsSupported],
-            ScopesSupported = [.. options.ResourceMetadata.ScopesSupported],
-            ResourceDocumentation = options.ResourceMetadata.ResourceDocumentation
+            AuthorizationServers = [.. resourceMetadata.AuthorizationServers],
+            BearerMethodsSupported = [.. resourceMetadata.BearerMethodsSupported],
+            ScopesSupported = [.. resourceMetadata.ScopesSupported],
+            ResourceDocumentation = resourceMetadata.ResourceDocumentation,
+            Resource = resourceMetadata.Resource
         };
 
         // Set default resource if not set
@@ -130,7 +134,7 @@ protected override Task HandleChallengeAsync(AuthenticationProperties properties
 
         // Set the WWW-Authenticate header with the resource_metadata
         string headerValue = $"Bearer realm=\"{Scheme.Name}\"";
-        headerValue += $", resource_metadata=\"{Uri.EscapeDataString(rawPrmDocumentUri)}\"";
+        headerValue += $", resource_metadata=\"{rawPrmDocumentUri}\"";
 
         Response.Headers["WWW-Authenticate"] = headerValue;
 

src/ModelContextProtocol.AspNetCore/Auth/McpAuthenticationOptions.cs

@@ -1,4 +1,5 @@
 using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Http;
 using ModelContextProtocol.Auth.Types;
 
 namespace ModelContextProtocol.AspNetCore.Auth;
@@ -28,11 +29,37 @@ public class McpAuthenticationOptions : AuthenticationSchemeOptions
     public Uri ResourceMetadataUri { get; set; } = DefaultResourceMetadataUri;
 
     /// <summary>
-    /// Gets or sets the protected resource metadata.
+    /// Gets or sets the static protected resource metadata.
     /// </summary>
     /// <remarks>
     /// This contains the OAuth metadata for the protected resource, including authorization servers,
     /// supported scopes, and other information needed for clients to authenticate.
+    /// This property is used when <see cref="ResourceMetadataProvider"/> is not set.
     /// </remarks>
     public ProtectedResourceMetadata ResourceMetadata { get; set; } = new ProtectedResourceMetadata();
+
+    /// <summary>
+    /// Gets or sets a delegate that dynamically provides resource metadata based on the HTTP context.
+    /// </summary>
+    /// <remarks>
+    /// When set, this delegate will be called to generate resource metadata for each request,
+    /// allowing dynamic customization based on the caller or other contextual information.
+    /// This takes precedence over the static <see cref="ResourceMetadata"/> property.
+    /// </remarks>
+    public Func<HttpContext, ProtectedResourceMetadata>? ResourceMetadataProvider { get; set; }
+
+    /// <summary>
+    /// Gets the resource metadata for the current request.
+    /// </summary>
+    /// <param name="context">The HTTP context for the current request.</param>
+    /// <returns>The resource metadata to use for the current request.</returns>
+    internal ProtectedResourceMetadata GetResourceMetadata(HttpContext context)
+    {
+        if (ResourceMetadataProvider != null)
+        {
+            return ResourceMetadataProvider(context);
+        }
+
+        return ResourceMetadata;
+    }
 }