Simplify the handling of the WWW-Authenticate implementaiton

Author: localden

samples/ProtectedMCPServer/Program.cs

@@ -76,23 +76,23 @@
     metadata.ResourceDocumentation = new Uri("https://docs.example.com/api/weather");
 });
 
-// Configure authentication using the built-in authentication system
-builder.Services.AddAuthentication(options => 
-{
-    options.DefaultScheme = "Bearer";
-    options.DefaultChallengeScheme = "Bearer"; // Ensure challenges use Bearer scheme
-})
-.AddScheme<AuthenticationSchemeOptions, SimpleAuthHandler>("Bearer", options => { });
-
-// Add authorization policy for MCP
-builder.Services.AddAuthorization(options =>
-{
-    options.AddPolicy("McpAuth", policy =>
-    {
-        policy.RequireAuthenticatedUser();
-        policy.RequireClaim("scope", "weather.read");
-    });
-});
+// // Configure authentication using the built-in authentication system
+// builder.Services.AddAuthentication(options => 
+// {
+//     options.DefaultScheme = "Bearer";
+//     options.DefaultChallengeScheme = "Bearer"; // Ensure challenges use Bearer scheme
+// })
+// .AddScheme<AuthenticationSchemeOptions, SimpleAuthHandler>("Bearer", options => { });
+
+//// Add authorization policy for MCP
+//builder.Services.AddAuthorization(options =>
+//{
+//    options.AddPolicy("McpAuth", policy =>
+//    {
+//        policy.RequireAuthenticatedUser();
+//        policy.RequireClaim("scope", "weather.read");
+//    });
+//});
 
 var app = builder.Build();
 
@@ -173,8 +173,6 @@ protected override Task<AuthenticateResult> HandleAuthenticateAsync()
 
     protected override Task HandleChallengeAsync(AuthenticationProperties properties)
     {
-        // No need to manually set WWW-Authenticate header anymore - handled by middleware
-        Response.StatusCode = 401;
-        return Task.CompletedTask;
+        return base.HandleChallengeAsync(properties);
     }
 }

src/ModelContextProtocol.AspNetCore/Auth/McpAuthenticationHandler.cs

@@ -1,7 +1,9 @@
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
+using System;
 using System.Text.Encodings.Web;
+using System.Threading.Tasks;
 
 namespace ModelContextProtocol.AspNetCore.Auth;
 
@@ -10,15 +12,19 @@ namespace ModelContextProtocol.AspNetCore.Auth;
 /// </summary>
 public class McpAuthenticationHandler : AuthenticationHandler<McpAuthenticationOptions>
 {
+    private readonly ResourceMetadataService _resourceMetadataService;
+
     /// <summary>
     /// Initializes a new instance of the <see cref="McpAuthenticationHandler"/> class.
     /// </summary>
     public McpAuthenticationHandler(
         IOptionsMonitor<McpAuthenticationOptions> options,
         ILoggerFactory logger,
-        UrlEncoder encoder)
+        UrlEncoder encoder,
+        ResourceMetadataService resourceMetadataService)
         : base(options, logger, encoder)
     {
+        _resourceMetadataService = resourceMetadataService;
     }
 
     /// <inheritdoc />
@@ -32,12 +38,30 @@ protected override Task<AuthenticateResult> HandleAuthenticateAsync()
     /// <inheritdoc />
     protected override Task HandleChallengeAsync(AuthenticationProperties properties)
     {
-        if (Options.ResourceMetadataUri != null)
-        {
-            Response.Headers.WWWAuthenticate = $"Bearer resource_metadata=\"{Options.ResourceMetadataUri}\"";
-        }
+        // Set the response status code
+        Response.StatusCode = 401; // Unauthorized
+
+        // Generate the full resource metadata URL based on the current request
+        var baseUrl = $"{Request.Scheme}://{Request.Host}";
+        var metadataPath = Options.ResourceMetadataUri?.ToString() ?? "/.well-known/oauth-protected-resource";
+        var metadataUrl = metadataPath.StartsWith("http", StringComparison.OrdinalIgnoreCase)
+            ? metadataPath
+            : $"{baseUrl}{metadataPath}";
+
+        // Initialize properties if null
+        properties ??= new AuthenticationProperties();
+        
+        // Set the WWW-Authenticate header with the resource_metadata
+        string headerValue = $"Bearer realm=\"{Scheme.Name}\"";
+        headerValue += $", resource_metadata=\"{metadataUrl}\"";
+        
+        // Use Headers.Append with a StringValues object
+        Response.Headers["WWW-Authenticate"] = headerValue;
+        
+        // Store the resource_metadata in properties in case other handlers need it
+        properties.Items["resource_metadata"] = metadataUrl;
 
-        return Task.CompletedTask;
+        return base.HandleChallengeAsync(properties);
     }
 }
 

src/ModelContextProtocol.AspNetCore/Auth/McpAuthenticationResponseMiddleware.cs

@@ -9,11 +9,13 @@ namespace ModelContextProtocol.AspNetCore.Auth;
 public static class McpWebApplicationExtensions
 {
     /// <summary>
-    /// Adds the MCP authentication response middleware to the application pipeline.
-    /// This middleware automatically adds the resource_metadata field to WWW-Authenticate headers in 401 responses.
+    /// This method maintains compatibility with existing code that calls UseMcpAuthenticationResponse.
+    /// The actual middleware functionality is now handled by the McpAuthenticationHandler as part of
+    /// the standard ASP.NET Core authentication pipeline.
     /// </summary>
     /// <remarks>
-    /// This middleware should be registered AFTER UseAuthentication() but BEFORE UseAuthorization().
+    /// While this method is still required for backward compatibility, its functionality
+    /// is now fully implemented by the McpAuthenticationHandler.
     /// </remarks>
     /// <param name="app">The web application.</param>
     /// <returns>The web application for chaining.</returns>
@@ -26,6 +28,8 @@ public static IApplicationBuilder UseMcpAuthenticationResponse(this IApplication
                 "Make sure you call AddMcpServer().WithAuthorization() first.");
         }
 
-        return app.UseMiddleware<McpAuthenticationResponseMiddleware>();
+        // Return the app directly without adding middleware, as the functionality
+        // is now provided by the McpAuthenticationHandler
+        return app;
     }
 }

src/ModelContextProtocol.AspNetCore/Auth/McpAuthenticationResponseMiddlewareExtensions.cs

@@ -55,18 +55,6 @@ public static IEndpointConventionBuilder MapMcp(this IEndpointRouteBuilder endpo
         var authMarker = endpoints.ServiceProvider.GetService<McpAuthorizationMarker>();
         if (authMarker != null)
         {
-            // Check if the authentication response middleware is configured
-            var authResponseMarker = endpoints.ServiceProvider.GetService<McpAuthenticationResponseMarker>();
-            if (authResponseMarker != null)
-            {
-                // Register the middleware to automatically add WWW-Authenticate headers to 401 responses
-                // We need to add this middleware to the parent app, not just the endpoint group
-                if (endpoints is IApplicationBuilder app)
-                {
-                    app.UseWwwAuthenticateHeaderMiddleware();
-                }
-            }
-
             // Authorization is configured, so automatically map the OAuth protected resource endpoint
             var resourceMetadataService = endpoints.ServiceProvider.GetRequiredService<ResourceMetadataService>();