Proper authorization configuration

localden · localden · commit a4f249586d0a · 2025-05-02T15:02:10.000-07:00
diff --git a/samples/ProtectedMCPServer/Program.cs b/samples/ProtectedMCPServer/Program.cs
@@ -98,10 +98,7 @@
 app.UseAuthentication();
 app.UseAuthorization();
 
-// Map MCP endpoints with authorization
-// Note: The SDK will automatically map /.well-known/oauth-protected-resource 
-// and make it accessible without authorization
-app.MapMcp();
+app.MapMcp().RequireAuthorization(McpAuthenticationDefaults.AuthenticationScheme);
 
 Console.WriteLine("Starting MCP server with authorization at http://localhost:7071");
 Console.WriteLine("PRM Document URL: http://localhost:7071/.well-known/oauth-protected-resource");
diff --git a/src/ModelContextProtocol.AspNetCore/McpEndpointRouteBuilderExtensions.cs b/src/ModelContextProtocol.AspNetCore/McpEndpointRouteBuilderExtensions.cs
@@ -65,9 +65,6 @@ public static IEndpointConventionBuilder MapMcp(this IEndpointRouteBuilder endpo
                 .WithMetadata(new ProducesResponseTypeMetadata(StatusCodes.Status200OK, contentTypes: ["application/json"]))
                 .AllowAnonymous()
                 .WithDisplayName("MCP Resource Metadata");
-            
-            // Apply authorization to MCP endpoints
-            mcpGroup.RequireAuthorization(McpAuthenticationDefaults.AuthenticationScheme);
         }
 
         return mcpGroup;

Original file line number	Diff line number	Diff line change
`@@ -65,9 +65,6 @@ public static IEndpointConventionBuilder MapMcp(this IEndpointRouteBuilder endpo`
`65`	`65`	`.WithMetadata(new ProducesResponseTypeMetadata(StatusCodes.Status200OK, contentTypes: ["application/json"]))`
`66`	`66`	`.AllowAnonymous()`
`67`	`67`	`.WithDisplayName("MCP Resource Metadata");`
`68`		`-`
`69`		`- // Apply authorization to MCP endpoints`
`70`		`- mcpGroup.RequireAuthorization(McpAuthenticationDefaults.AuthenticationScheme);`
`71`	`68`	`}`
`72`	`69`
`73`	`70`	`return mcpGroup;`