Placeholder setup

Author: localden

samples/ProtectedMCPServer/Program.cs

@@ -1,11 +1,46 @@
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.Extensions.Options;
+using ModelContextProtocol.AspNetCore.Auth;
 using ModelContextProtocol.Protocol.Types;
 using System.Security.Claims;
 using System.Text.Encodings.Web;
 
 var builder = WebApplication.CreateBuilder(args);
 
+// Configure authentication to use MCP for challenges
+builder.Services.AddAuthentication(options => 
+{
+    options.DefaultScheme = "Bearer";
+    options.DefaultChallengeScheme = McpAuthenticationDefaults.AuthenticationScheme; // Use MCP for challenges
+})
+.AddScheme<AuthenticationSchemeOptions, SimpleAuthHandler>("Bearer", options => { })
+.AddMcp(options => {
+    // Configure MCP authentication options with the resource metadata URI
+    options.ResourceMetadataUri = new Uri("/.well-known/oauth-protected-resource", UriKind.Relative);
+    
+    // Configure the resource metadata using our enhanced options
+    options.ResourceMetadata.Resource = new Uri("http://localhost:7071");
+    options.ResourceMetadata.AuthorizationServers.Add(new Uri("https://login.microsoftonline.com/a2213e1c-e51e-4304-9a0d-effe57f31655/v2.0"));
+    options.ResourceMetadata.BearerMethodsSupported.Add("header");
+    options.ResourceMetadata.ScopesSupported.AddRange(["weather.read", "weather.write"]);
+    options.ResourceMetadata.ResourceDocumentation = new Uri("https://docs.example.com/api/weather");
+});
+
+// Add authorization services
+builder.Services.AddAuthorization(options =>
+{
+    options.AddPolicy(McpAuthenticationDefaults.AuthenticationScheme, policy =>
+    {
+        policy.RequireAuthenticatedUser();
+    });
+});
+
+// Don't forget to register the ResourceMetadataService
+builder.Services.AddSingleton<ResourceMetadataService>();
+
+// IMPORTANT: Register the McpAuthorizationMarker to enable authorization on MCP endpoints
+builder.Services.AddSingleton<McpAuthorizationMarker>();
+
 // Configure MCP Server
 builder.Services.AddMcpServer(options =>
 {
@@ -64,16 +99,7 @@
         }
     };
 })
-.WithHttpTransport()
-.WithAuthorization(metadata => 
-{
-    metadata.AuthorizationServers.Add(new Uri("https://login.microsoftonline.com/a2213e1c-e51e-4304-9a0d-effe57f31655/v2.0"));
-    metadata.BearerMethodsSupported.Add("header");
-    metadata.ScopesSupported.AddRange(["weather.read", "weather.write"]);
-    
-    // Add optional documentation
-    metadata.ResourceDocumentation = new Uri("https://docs.example.com/api/weather");
-});
+.WithHttpTransport();
 
 var app = builder.Build();
 
@@ -151,8 +177,6 @@ protected override Task<AuthenticateResult> HandleAuthenticateAsync()
         return Task.FromResult(AuthenticateResult.Success(ticket));
     }
 
-    protected override Task HandleChallengeAsync(AuthenticationProperties properties)
-    {
-        return base.HandleChallengeAsync(properties);
-    }
+    // The MCP authentication handler will handle challenges
+    // so we don't need to implement HandleChallengeAsync here
 }

src/ModelContextProtocol.AspNetCore/Auth/McpAuthenticationHandler.cs

@@ -51,11 +51,25 @@ protected override Task HandleChallengeAsync(AuthenticationProperties properties
         // Initialize properties if null
         properties ??= new AuthenticationProperties();
 
+        // Set up the resource URI if not already configured, using the current request as a fallback
+        if (Options.ResourceMetadata.Resource == null)
+        {
+            Options.ResourceMetadata.Resource = new Uri($"{Request.Scheme}://{Request.Host}");
+        }
+        
+        // Configure the resource metadata service with our metadata
+        _resourceMetadataService.ConfigureMetadata(metadata => {
+            metadata.Resource = Options.ResourceMetadata.Resource;
+            metadata.AuthorizationServers = Options.ResourceMetadata.AuthorizationServers;
+            metadata.BearerMethodsSupported = Options.ResourceMetadata.BearerMethodsSupported;
+            metadata.ScopesSupported = Options.ResourceMetadata.ScopesSupported;
+            metadata.ResourceDocumentation = Options.ResourceMetadata.ResourceDocumentation;
+        });
+        
         // Set the WWW-Authenticate header with the resource_metadata
         string headerValue = $"Bearer realm=\"{Scheme.Name}\"";
         headerValue += $", resource_metadata=\"{metadataUrl}\"";
 
-        // Use Headers.Append with a StringValues object
         Response.Headers["WWW-Authenticate"] = headerValue;
 
         // Store the resource_metadata in properties in case other handlers need it

src/ModelContextProtocol.AspNetCore/Auth/McpAuthenticationOptions.cs

@@ -1,4 +1,5 @@
 using Microsoft.AspNetCore.Authentication;
+using ModelContextProtocol.Auth.Types;
 
 namespace ModelContextProtocol.AspNetCore.Auth;
 
@@ -10,5 +11,17 @@ public class McpAuthenticationOptions : AuthenticationSchemeOptions
     /// <summary>
     /// The URI to the resource metadata document.
     /// </summary>
+    /// <remarks>
+    /// This URI will be included in the WWW-Authenticate header when a 401 response is returned.
+    /// </remarks>
     public Uri? ResourceMetadataUri { get; set; }
+
+    /// <summary>
+    /// Gets or sets the protected resource metadata.
+    /// </summary>
+    /// <remarks>
+    /// This contains the OAuth metadata for the protected resource, including authorization servers,
+    /// supported scopes, and other information needed for clients to authenticate.
+    /// </remarks>
+    public ProtectedResourceMetadata ResourceMetadata { get; set; } = new ProtectedResourceMetadata();
 }

src/ModelContextProtocol.AspNetCore/HttpMcpServerBuilderExtensions.cs

@@ -1,7 +1,6 @@
 using Microsoft.Extensions.DependencyInjection.Extensions;
 using ModelContextProtocol.AspNetCore;
 using ModelContextProtocol.AspNetCore.Auth;
-using ModelContextProtocol.Auth.Types;
 using ModelContextProtocol.Server;
 
 namespace Microsoft.Extensions.DependencyInjection;
@@ -36,61 +35,4 @@ public static IMcpServerBuilder WithHttpTransport(this IMcpServerBuilder builder
 
         return builder;
     }
-    
-    /// <summary>
-    /// Adds OAuth authorization support to the MCP server.
-    /// </summary>
-    /// <param name="builder">The builder instance.</param>
-    /// <param name="configureMetadata">An action to configure the resource metadata.</param>
-    /// <param name="configureOptions">An action to configure authentication options.</param>
-    /// <returns>The builder provided in <paramref name="builder"/>.</returns>
-    /// <exception cref="ArgumentNullException"><paramref name="builder"/> is <see langword="null"/>.</exception>
-    public static IMcpServerBuilder WithAuthorization(
-        this IMcpServerBuilder builder, 
-        Action<ProtectedResourceMetadata>? configureMetadata = null,
-        Action<McpAuthenticationOptions>? configureOptions = null)
-    {
-        ArgumentNullException.ThrowIfNull(builder);
-        
-        // Create and register the resource metadata service
-        var resourceMetadataService = new ResourceMetadataService();
-        
-        // Apply configuration directly to the instance
-        if (configureMetadata != null)
-        {
-            resourceMetadataService.ConfigureMetadata(configureMetadata);
-        }
-        
-        // Register the configured instance as a singleton
-        builder.Services.AddSingleton(resourceMetadataService);
-        
-        // Mark the service as having authorization enabled
-        builder.Services.AddSingleton<McpAuthorizationMarker>();
-        
-        // Add authentication with the MCP authentication handler
-        builder.Services.AddAuthentication()
-            .AddMcp(options => 
-            {
-                // Default to the standard OAuth protected resource endpoint
-                options.ResourceMetadataUri = new Uri("/.well-known/oauth-protected-resource", UriKind.Relative);
-                
-                // Apply custom configuration if provided
-                configureOptions?.Invoke(options);
-            });
-        
-        // Add authorization services
-        builder.Services.AddAuthorization(options =>
-        {
-            options.AddPolicy("McpAuth", policy =>
-            {
-                policy.RequireAuthenticatedUser();
-            });
-        });
-        
-        // Register the middleware for automatically adding WWW-Authenticate headers
-        // Store in DI that we need to use the middleware
-        builder.Services.AddSingleton<McpAuthenticationResponseMarker>();
-        
-        return builder;
-    }
 }

src/ModelContextProtocol.AspNetCore/McpEndpointRouteBuilderExtensions.cs

@@ -67,7 +67,7 @@ public static IEndpointConventionBuilder MapMcp(this IEndpointRouteBuilder endpo
                 .WithDisplayName("MCP Resource Metadata");
 
             // Apply authorization to MCP endpoints
-            mcpGroup.RequireAuthorization("McpAuth");
+            mcpGroup.RequireAuthorization(McpAuthenticationDefaults.AuthenticationScheme);
         }
 
         return mcpGroup;