Update based on feedback

Author: localden

samples/SecureWeatherServer/Program.cs

@@ -70,13 +70,14 @@
 .WithAuthorization(metadata => 
 {
     metadata.AuthorizationServers.Add(new Uri("https://login.microsoftonline.com/a2213e1c-e51e-4304-9a0d-effe57f31655/v2.0"));
-    metadata.ScopesSupported.AddRange(["weather.read", "weather.write"]);
     metadata.BearerMethodsSupported.Add("header");
+    metadata.ScopesSupported.AddRange(["weather.read", "weather.write"]);
+    
+    // Add optional documentation
     metadata.ResourceDocumentation = new Uri("https://docs.example.com/api/weather");
 });
 
 // Configure authentication using the built-in authentication system
-// Register "Bearer" scheme with our SimpleAuthHandler and set it as the default scheme
 builder.Services.AddAuthentication(options => 
 {
     options.DefaultScheme = "Bearer";
@@ -96,8 +97,8 @@
 
 var app = builder.Build();
 
-// Set up the middleware pipeline
 app.UseAuthentication();
+app.UseMcpAuthenticationResponse();
 app.UseAuthorization();
 
 // Map MCP endpoints with authorization
@@ -123,17 +124,12 @@
 // In a real app, you'd use a JWT handler or other proper authentication
 class SimpleAuthHandler : AuthenticationHandler<AuthenticationSchemeOptions>
 {
-    // Directly inject the ResourceMetadataService instead of the options
-    private readonly ResourceMetadataService _resourceMetadataService;
-
     public SimpleAuthHandler(
         IOptionsMonitor<AuthenticationSchemeOptions> options,
         ILoggerFactory logger,
-        UrlEncoder encoder,
-        ResourceMetadataService resourceMetadataService) 
+        UrlEncoder encoder) 
         : base(options, logger, encoder)
     {
-        _resourceMetadataService = resourceMetadataService;
     }
 
     protected override Task<AuthenticateResult> HandleAuthenticateAsync()
@@ -176,16 +172,8 @@ protected override Task<AuthenticateResult> HandleAuthenticateAsync()
 
     protected override Task HandleChallengeAsync(AuthenticationProperties properties)
     {
-        // Always include the resource_metadata in the WWW-Authenticate header
-        var baseUrl = $"{Request.Scheme}://{Request.Host}";
-        var metadataUrl = $"{baseUrl}/.well-known/oauth-protected-resource";
-            
-        // Add WWW-Authenticate header with resource_metadata
-        Response.Headers.WWWAuthenticate = $"Bearer resource_metadata=\"{metadataUrl}\"";
-        
-        // Set 401 status code
+        // No need to manually set WWW-Authenticate header anymore - handled by middleware
         Response.StatusCode = 401;
-        
         return Task.CompletedTask;
     }
 }

src/ModelContextProtocol.AspNetCore/Auth/McpAuthenticationResponseMiddleware.cs

@@ -0,0 +1,57 @@
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Http;
+using ModelContextProtocol.Auth;
+
+namespace ModelContextProtocol.AspNetCore.Auth;
+
+/// <summary>
+/// Middleware that attaches WWW-Authenticate headers with resource metadata to 401 responses.
+/// </summary>
+public class McpAuthenticationResponseMiddleware
+{
+    private readonly RequestDelegate _next;
+    private readonly ResourceMetadataService _resourceMetadataService;
+
+    /// <summary>
+    /// Initializes a new instance of the <see cref="McpAuthenticationResponseMiddleware"/> class.
+    /// </summary>
+    /// <param name="next">The next request delegate in the pipeline.</param>
+    /// <param name="resourceMetadataService">The resource metadata service.</param>
+    public McpAuthenticationResponseMiddleware(RequestDelegate next, ResourceMetadataService resourceMetadataService)
+    {
+        _next = next;
+        _resourceMetadataService = resourceMetadataService;
+    }
+
+    /// <summary>
+    /// Processes the request and adds WWW-Authenticate headers to 401 responses.
+    /// </summary>
+    /// <param name="context">The HTTP context.</param>
+    /// <returns>A task representing the asynchronous operation.</returns>
+    public async Task InvokeAsync(HttpContext context)
+    {
+        // Add a callback to the OnStarting event which fires before the response headers are sent
+        context.Response.OnStarting(() =>
+        {
+            // Check if the response is a 401 Unauthorized
+            if (context.Response.StatusCode == StatusCodes.Status401Unauthorized)
+            {
+                // Get the base URL of the request
+                var baseUrl = $"{context.Request.Scheme}://{context.Request.Host}";
+                var metadataPath = "/.well-known/oauth-protected-resource";
+                var metadataUrl = $"{baseUrl}{metadataPath}";
+
+                // Add or update the WWW-Authenticate header
+                if (!context.Response.Headers.ContainsKey("WWW-Authenticate") ||
+                    !context.Response.Headers["WWW-Authenticate"].ToString().Contains("resource_metadata"))
+                {
+                    context.Response.Headers.WWWAuthenticate = $"Bearer resource_metadata=\"{metadataUrl}\"";
+                }
+            }
+            return Task.CompletedTask;
+        });
+
+        // Call the next delegate/middleware in the pipeline
+        await _next(context);
+    }
+}

src/ModelContextProtocol.AspNetCore/Auth/McpAuthenticationResponseMiddlewareExtensions.cs

@@ -0,0 +1,19 @@
+using Microsoft.AspNetCore.Builder;
+
+namespace ModelContextProtocol.AspNetCore.Auth;
+
+/// <summary>
+/// Extension methods for the McpAuthenticationResponseMiddleware.
+/// </summary>
+public static class McpAuthenticationResponseMiddlewareExtensions
+{
+    /// <summary>
+    /// Adds the MCP authentication response middleware to the application pipeline.
+    /// </summary>
+    /// <param name="builder">The application builder.</param>
+    /// <returns>The application builder for chaining.</returns>
+    public static IApplicationBuilder UseWwwAuthenticateHeaderMiddleware(this IApplicationBuilder builder)
+    {
+        return builder.UseMiddleware<McpAuthenticationResponseMiddleware>();
+    }
+}

src/ModelContextProtocol.AspNetCore/Auth/McpWebApplicationExtensions.cs

@@ -0,0 +1,31 @@
+using Microsoft.AspNetCore.Builder;
+using Microsoft.Extensions.DependencyInjection;
+
+namespace ModelContextProtocol.AspNetCore.Auth;
+
+/// <summary>
+/// Extension methods for WebApplication to add MCP-specific middleware.
+/// </summary>
+public static class McpWebApplicationExtensions
+{
+    /// <summary>
+    /// Adds the MCP authentication response middleware to the application pipeline.
+    /// This middleware automatically adds the resource_metadata field to WWW-Authenticate headers in 401 responses.
+    /// </summary>
+    /// <remarks>
+    /// This middleware should be registered AFTER UseAuthentication() but BEFORE UseAuthorization().
+    /// </remarks>
+    /// <param name="app">The web application.</param>
+    /// <returns>The web application for chaining.</returns>
+    public static IApplicationBuilder UseMcpAuthenticationResponse(this IApplicationBuilder app)
+    {
+        if (app.ApplicationServices.GetService<McpAuthenticationResponseMarker>() == null)
+        {
+            throw new InvalidOperationException(
+                "McpAuthenticationResponseMarker service is not registered. " +
+                "Make sure you call AddMcpServer().WithAuthorization() first.");
+        }
+        
+        return app.UseMiddleware<McpAuthenticationResponseMiddleware>();
+    }
+}

src/ModelContextProtocol.AspNetCore/HttpMcpServerBuilderExtensions.cs

@@ -87,6 +87,10 @@ public static IMcpServerBuilder WithAuthorization(
             });
         });
 
+        // Register the middleware for automatically adding WWW-Authenticate headers
+        // Store in DI that we need to use the middleware
+        builder.Services.AddSingleton<McpAuthenticationResponseMarker>();
+        
         return builder;
     }
 }
@@ -95,3 +99,8 @@ public static IMcpServerBuilder WithAuthorization(
 /// Marker class to indicate that MCP authorization has been configured.
 /// </summary>
 internal class McpAuthorizationMarker { }
+
+/// <summary>
+/// Marker class to indicate that MCP authentication response middleware should be used.
+/// </summary>
+internal class McpAuthenticationResponseMarker { }

src/ModelContextProtocol.AspNetCore/McpEndpointRouteBuilderExtensions.cs

@@ -56,6 +56,18 @@ public static IEndpointConventionBuilder MapMcp(this IEndpointRouteBuilder endpo
         var authMarker = endpoints.ServiceProvider.GetService<McpAuthorizationMarker>();
         if (authMarker != null)
         {
+            // Check if the authentication response middleware is configured
+            var authResponseMarker = endpoints.ServiceProvider.GetService<McpAuthenticationResponseMarker>();
+            if (authResponseMarker != null)
+            {
+                // Register the middleware to automatically add WWW-Authenticate headers to 401 responses
+                // We need to add this middleware to the parent app, not just the endpoint group
+                if (endpoints is IApplicationBuilder app)
+                {
+                    app.UseWwwAuthenticateHeaderMiddleware();
+                }
+            }
+
             // Authorization is configured, so automatically map the OAuth protected resource endpoint
             var resourceMetadataService = endpoints.ServiceProvider.GetRequiredService<ResourceMetadataService>();