Policy setup

localden · localden · commit 67342cd28ffc · 2025-05-03T14:09:58.000-07:00
diff --git a/samples/ProtectedMCPServer/Program.cs b/samples/ProtectedMCPServer/Program.cs
@@ -77,7 +77,10 @@
 // Add authorization services
 builder.Services.AddAuthorization(options =>
 {
-    options.AddMcpPolicy();
+    // Modify the MCP policy to include both MCP and JWT Bearer schemes
+    // This ensures the bearer token is properly authenticated while maintaining MCP for challenges
+    options.AddMcpPolicy(configurePolicy: builder => 
+        builder.AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme));
 });
 
 // Configure MCP Server
diff --git a/src/ModelContextProtocol.AspNetCore/Auth/McpAuthenticationHandler.cs b/src/ModelContextProtocol.AspNetCore/Auth/McpAuthenticationHandler.cs
@@ -47,6 +47,36 @@ public async Task<bool> HandleRequestAsync()
         return true;
     }
 
+    /// <summary>
+    /// Gets the base URL from the current request, including scheme, host, and path base.
+    /// </summary>
+    private string GetBaseUrl() => $"{Request.Scheme}://{Request.Host}{Request.PathBase}";
+
+    /// <summary>
+    /// Gets the absolute URI for the resource metadata endpoint.
+    /// </summary>
+    private string GetAbsoluteResourceMetadataUri()
+    {
+        var options = _optionsMonitor.CurrentValue;
+        var resourceMetadataUri = options.ResourceMetadataUri;
+        
+        if (resourceMetadataUri.IsAbsoluteUri)
+        {
+            return resourceMetadataUri.ToString();
+        }
+        
+        // For relative URIs, combine with the base URL
+        string baseUrl = GetBaseUrl();
+        string resourceMetadataPath = resourceMetadataUri.ToString();
+        
+        if (!Uri.TryCreate(baseUrl + resourceMetadataPath, UriKind.Absolute, out var absoluteUri))
+        {
+            throw new InvalidOperationException("Could not create absolute URI for resource metadata.");
+        }
+        
+        return absoluteUri.ToString();
+    }
+
     /// <summary>
     /// Handles the resource metadata request.
     /// </summary>
@@ -65,10 +95,7 @@ private async Task HandleResourceMetadataRequestAsync()
         // Set default resource if not set
         if (metadata.Resource == null)
         {
-            var request = Request;
-            var hostString = request.Host.Value;
-            var scheme = request.Scheme;
-            metadata.Resource = new Uri($"{scheme}://{hostString}");
+            metadata.Resource = new Uri(GetBaseUrl());
         }
         
         Response.StatusCode = StatusCodes.Status200OK;
@@ -95,29 +122,8 @@ protected override Task HandleChallengeAsync(AuthenticationProperties properties
         // Set the response status code
         Response.StatusCode = StatusCodes.Status401Unauthorized;
 
-        // Get the current options to ensure we have the latest values
-        var options = _optionsMonitor.CurrentValue;
-        
-        // Generate the full resource metadata URL based on the current request
-        var baseUrl = $"{Request.Scheme}://{Request.Host}";
-        
-        string resourceMetadataUriString = options.ResourceMetadataUri.ToString();
-        string rawPrmDocumentUri;
-        
-        // Check if the URI is relative or absolute
-        if (options.ResourceMetadataUri.IsAbsoluteUri)
-        {
-            rawPrmDocumentUri = resourceMetadataUriString;
-        }
-        else
-        {
-            // For relative URIs, combine with the base URL
-            if (!Uri.TryCreate(baseUrl + resourceMetadataUriString, UriKind.Absolute, out var absoluteUri))
-            {
-                throw new InvalidOperationException("Could not create absolute URI for resource metadata.");
-            }
-            rawPrmDocumentUri = absoluteUri.ToString();
-        }
+        // Get the absolute URI for the resource metadata
+        string rawPrmDocumentUri = GetAbsoluteResourceMetadataUri();
 
         // Initialize properties if null
         properties ??= new AuthenticationProperties();
diff --git a/src/ModelContextProtocol.AspNetCore/Auth/McpAuthorizationPolicyExtensions.cs b/src/ModelContextProtocol.AspNetCore/Auth/McpAuthorizationPolicyExtensions.cs
@@ -33,4 +33,38 @@ public static AuthorizationOptions AddMcpPolicy(
 
         return options;
     }
+
+    /// <summary>
+    /// Adds a preconfigured MCP policy that includes additional authentication schemes.
+    /// </summary>
+    /// <param name="options">The authorization options.</param>
+    /// <param name="additionalSchemes">Additional authentication schemes to include in the policy.</param>
+    /// <param name="policyName">The name of the policy to add. Default is <see cref="McpAuthenticationDefaults.AuthenticationScheme"/>.</param>
+    /// <param name="configurePolicy">An optional action to further configure the policy builder.</param>
+    /// <returns>The authorization options for chaining.</returns>
+    public static AuthorizationOptions AddMcpPolicy(
+        this AuthorizationOptions options,
+        string[] additionalSchemes,
+        string policyName = McpAuthenticationDefaults.AuthenticationScheme,
+        Action<AuthorizationPolicyBuilder>? configurePolicy = null)
+    {
+        if (additionalSchemes == null || additionalSchemes.Length == 0)
+        {
+            return AddMcpPolicy(options, policyName, configurePolicy);
+        }
+
+        // Create a policy builder with MCP and additional authentication schemes
+        var allSchemes = new[] { McpAuthenticationDefaults.AuthenticationScheme }.Concat(additionalSchemes).ToArray();
+        
+        var policyBuilder = new AuthorizationPolicyBuilder(allSchemes)
+            .RequireAuthenticatedUser();
+
+        // Allow additional configuration if provided
+        configurePolicy?.Invoke(policyBuilder);
+
+        // Add the configured policy
+        options.AddPolicy(policyName, policyBuilder.Build());
+
+        return options;
+    }
 }
