Don't hard code tenant and client IDs

- General cleanup

Author: halter73

.gitignore

@@ -80,7 +80,4 @@ docs/api
 
 # Rider
 .idea/
-.idea_modules/
-
-# Misc project metadata
-.specs/
+.idea_modules/

Directory.Packages.props

@@ -27,7 +27,7 @@
 
   <!-- Product dependencies .NET 9 -->
   <ItemGroup Condition="'$(TargetFramework)' == 'net9.0'">
-    <PackageVersion Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="9.0.4" />
+    <PackageVersion Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="$(System9Version)" />
     <PackageVersion Include="Microsoft.IdentityModel.Tokens" Version="8.9.0" />
     <PackageVersion Include="Microsoft.Extensions.Hosting.Abstractions" Version="$(System9Version)" />
     <PackageVersion Include="Microsoft.Extensions.Logging.Abstractions" Version="$(System9Version)" />

samples/ProtectedMCPClient/Program.cs

@@ -1,5 +1,6 @@
 using ModelContextProtocol.Authentication;
 using ModelContextProtocol.Client;
+using ModelContextProtocol.Protocol;
 using System.Diagnostics;
 using System.Net;
 using System.Text;
@@ -15,6 +16,7 @@ static async Task Main(string[] args)
         Console.WriteLine();
 
         var serverUrl = "http://localhost:7071/sse";
+        var clientId = Environment.GetEnvironmentVariable("CLIENT_ID") ?? throw new Exception("The CLIENT_ID environment variable is not set.");
 
         // We can customize a shared HttpClient with a custom handler if desired
         var sharedHandler = new SocketsHttpHandler
@@ -29,10 +31,10 @@ static async Task Main(string[] args)
             new Uri(serverUrl),
             httpClient,
             null, // AuthorizationHelpers will be created automatically
-            clientId: "6ad97b5f-7a7b-413f-8603-7a3517d4adb8",
+            clientId: clientId,
             clientSecret: "", // No secret needed for this client
             redirectUri: new Uri("http://localhost:1179/callback"),
-            scopes: ["api://167b4284-3f92-4436-92ed-38b38f83ae08/weather.read"],
+            scopes: [$"api://{clientId}/weather.read"],
             logger: null,
             authorizationUrlHandler: HandleAuthorizationUrlAsync
         );
@@ -75,7 +77,7 @@ static async Task Main(string[] args)
                     new Dictionary<string, object?> { { "state", "WA" } }
                 );
 
-                Console.WriteLine("Result: " + result.Content[0].Text);
+                Console.WriteLine("Result: " + ((TextContentBlock)result.Content[0]).Text);
                 Console.WriteLine();
             }
         }
@@ -102,7 +104,7 @@ static async Task Main(string[] args)
     /// <param name="authorizationUrl">The authorization URL to open in the browser.</param>
     /// <param name="redirectUri">The redirect URI where the authorization code will be sent.</param>
     /// <param name="cancellationToken">The cancellation token.</param>
-    /// <returns>The authorization code extracted from the callback, or null if the operation failed.</returns>    
+    /// <returns>The authorization code extracted from the callback, or null if the operation failed.</returns>
     private static async Task<string?> HandleAuthorizationUrlAsync(Uri authorizationUrl, Uri redirectUri, CancellationToken cancellationToken)
     {
         Console.WriteLine("Starting OAuth authorization flow...");

samples/ProtectedMCPClient/ProtectedMCPClient.csproj

@@ -8,7 +8,7 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <ProjectReference Include="..\..\src\ModelContextProtocol\ModelContextProtocol.csproj" />
+    <ProjectReference Include="..\..\src\ModelContextProtocol.Core\ModelContextProtocol.Core.csproj" />
   </ItemGroup>
 
 </Project>

samples/ProtectedMCPServer/Program.cs

@@ -9,7 +9,8 @@
 var builder = WebApplication.CreateBuilder(args);
 
 var serverUrl = "http://localhost:7071/";
-var tenantId = "a2213e1c-e51e-4304-9a0d-effe57f31655";
+var tenantId = builder.Configuration["TenantId"];
+var clientId = builder.Configuration["ClientId"];
 var instance = "https://login.microsoftonline.com/";
 
 builder.Services.AddAuthentication(options =>
@@ -26,7 +27,7 @@
         ValidateAudience = true,
         ValidateLifetime = true,
         ValidateIssuerSigningKey = true,
-        ValidAudience = "167b4284-3f92-4436-92ed-38b38f83ae08",
+        ValidAudience = clientId,
         ValidIssuer = $"{instance}{tenantId}/v2.0",
         NameClaimType = "name",
         RoleClaimType = "roles"
@@ -57,7 +58,7 @@
 })
 .AddMcp(options =>
 {
-    options.ProtectedResourceMetadataProvider = context => 
+    options.ProtectedResourceMetadataProvider = context =>
     {
         var metadata = new ProtectedResourceMetadata
         {
@@ -68,9 +69,9 @@
         };
 
         metadata.ScopesSupported.AddRange([
-            "api://167b4284-3f92-4436-92ed-38b38f83ae08/weather.read" 
+            $"api://{clientId}/weather.read"
         ]);
-        
+
         return metadata;
     };
 });
@@ -79,8 +80,8 @@
 
 builder.Services.AddHttpContextAccessor();
 builder.Services.AddMcpServer()
-.WithTools<WeatherTools>()
-.WithHttpTransport();
+    .WithTools<WeatherTools>()
+    .WithHttpTransport();
 
 // Configure HttpClientFactory for weather.gov API
 builder.Services.AddHttpClient("WeatherApi", client =>

samples/ProtectedMCPServer/ProtectedMCPServer.csproj

@@ -1,9 +1,10 @@
-<Project Sdk="Microsoft.NET.Sdk.Web">
+<Project Sdk="Microsoft.NET.Sdk.Web">
 
   <PropertyGroup>
     <TargetFramework>net9.0</TargetFramework>
     <Nullable>enable</Nullable>
     <ImplicitUsings>enable</ImplicitUsings>
+    <UserSecretsId>783daef3-9c45-408d-a1d3-7caf44724f39</UserSecretsId>
   </PropertyGroup>
 
   <ItemGroup>

src/ModelContextProtocol.AspNetCore/Authentication/McpAuthenticationEvents.cs

@@ -1,9 +1,8 @@
-namespace ModelContextProtocol.AspNetCore.Authentication
+namespace ModelContextProtocol.AspNetCore.Authentication;
+
+/// <summary>
+/// Represents the authentication events for Model Context Protocol.
+/// </summary>
+public class McpAuthenticationEvents
 {
-    /// <summary>
-    /// Represents the authentication events for Model Context Protocol.
-    /// </summary>
-    public class McpAuthenticationEvents
-    {
-    }
 }

src/ModelContextProtocol.AspNetCore/Authentication/McpAuthenticationExtensions.cs

@@ -19,9 +19,9 @@ public static AuthenticationBuilder AddMcp(
         Action<McpAuthenticationOptions>? configureOptions = null)
     {
         return AddMcp(
-            builder, 
-            McpAuthenticationDefaults.AuthenticationScheme, 
-            McpAuthenticationDefaults.DisplayName, 
+            builder,
+            McpAuthenticationDefaults.AuthenticationScheme,
+            McpAuthenticationDefaults.DisplayName,
             configureOptions);
     }
 

src/ModelContextProtocol.AspNetCore/Authentication/McpAuthenticationHandler.cs

@@ -33,7 +33,7 @@ public async Task<bool> HandleRequestAsync()
     {
         // Check if the request is for the resource metadata endpoint
         string requestPath = Request.Path.Value ?? string.Empty;
-        
+
         string expectedMetadataPath = this.Options.ResourceMetadataUri?.ToString() ?? string.Empty;
         if (this.Options.ResourceMetadataUri != null && !this.Options.ResourceMetadataUri.IsAbsoluteUri)
         {
@@ -64,14 +64,14 @@ private string GetAbsoluteResourceMetadataUri()
     {
         var options = this.Options;
         var resourceMetadataUri = options.ResourceMetadataUri;
-        
+
         string currentPath = resourceMetadataUri?.ToString() ?? string.Empty;
-        
+
         if (resourceMetadataUri != null && resourceMetadataUri.IsAbsoluteUri)
         {
             return currentPath;
         }
-        
+
         // For relative URIs, combine with the base URL
         string baseUrl = GetBaseUrl();
         string relativePath = resourceMetadataUri?.OriginalString.TrimStart('/') ?? string.Empty;
@@ -80,7 +80,7 @@ private string GetAbsoluteResourceMetadataUri()
         {
             throw new InvalidOperationException($"Could not create absolute URI for resource metadata. Base URL: {baseUrl}, Relative Path: {relativePath}");
         }
-        
+
         return absoluteUri.ToString();
     }
 
@@ -92,7 +92,7 @@ private Task HandleResourceMetadataRequestAsync(CancellationToken cancellationTo
     {
         var options = this.Options;
         var resourceMetadata = options.GetResourceMetadata(Request.HttpContext);
-        
+
         // Create a copy to avoid modifying the original
         var metadata = new ProtectedResourceMetadata
         {
@@ -102,22 +102,22 @@ private Task HandleResourceMetadataRequestAsync(CancellationToken cancellationTo
             ScopesSupported = [.. resourceMetadata.ScopesSupported],
             ResourceDocumentation = resourceMetadata.ResourceDocumentation
         };
-        
+
         Response.StatusCode = StatusCodes.Status200OK;
         Response.ContentType = "application/json";
-        
+
         var json = JsonSerializer.Serialize(
-            metadata, 
+            metadata,
             McpJsonUtilities.DefaultOptions.GetTypeInfo(typeof(ProtectedResourceMetadata)));
-        
+
         return Response.WriteAsync(json, cancellationToken);
     }
 
     /// <inheritdoc />
     protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
     {
         // If ForwardAuthenticate is set, forward the authentication to the specified scheme
-        if (!string.IsNullOrEmpty(Options.ForwardAuthenticate) && 
+        if (!string.IsNullOrEmpty(Options.ForwardAuthenticate) &&
             Options.ForwardAuthenticate != Scheme.Name)
         {
             // Simply forward the authentication request to the specified scheme and return its result
@@ -136,14 +136,14 @@ protected override Task HandleChallengeAsync(AuthenticationProperties properties
         string rawPrmDocumentUri = GetAbsoluteResourceMetadataUri();
 
         properties ??= new AuthenticationProperties();
-        
+
         // Store the resource_metadata in properties in case other handlers need it
         properties.Items["resource_metadata"] = rawPrmDocumentUri;
-        
+
         // Add the WWW-Authenticate header with Bearer scheme and resource metadata
         string headerValue = $"Bearer realm=\"{Scheme.Name}\", resource_metadata=\"{rawPrmDocumentUri}\"";
         Response.Headers.Append("WWW-Authenticate", headerValue);
-        
+
         return base.HandleChallengeAsync(properties);
     }
 }

src/ModelContextProtocol.AspNetCore/Authentication/McpAuthenticationOptions.cs

@@ -9,18 +9,19 @@ namespace ModelContextProtocol.AspNetCore.Authentication;
 /// </summary>
 public class McpAuthenticationOptions : AuthenticationSchemeOptions
 {
-    private static readonly Uri DefaultResourceMetadataUri = new("/.well-known/oauth-protected-resource", UriKind.Relative);   
-   
+    private static readonly Uri DefaultResourceMetadataUri = new("/.well-known/oauth-protected-resource", UriKind.Relative);
+
     private Func<HttpContext, ProtectedResourceMetadata>? _resourceMetadataProvider;
 
-    private ProtectedResourceMetadata? _resourceMetadata;    
-    
+    private ProtectedResourceMetadata? _resourceMetadata;
+
     /// <summary>
     /// Initializes a new instance of the <see cref="McpAuthenticationOptions"/> class.
     /// </summary>
     public McpAuthenticationOptions()
     {
-        base.ForwardAuthenticate = "Bearer";
+        // "Bearer" is JwtBearerDefaults.AuthenticationScheme, but we don't have a reference to the JwtBearer package here.
+        ForwardAuthenticate = "Bearer";
         ResourceMetadataUri = DefaultResourceMetadataUri;
         Events = new McpAuthenticationEvents();
     }
@@ -40,15 +41,15 @@ public McpAuthenticationOptions()
     /// <remarks>
     /// This URI will be included in the WWW-Authenticate header when a 401 response is returned.
     /// </remarks>
-    public Uri ResourceMetadataUri { get; set; }    
-    
+    public Uri ResourceMetadataUri { get; set; }
+
     /// <summary>
     /// Gets or sets the static protected resource metadata.
     /// </summary>
     /// <remarks>
     /// This contains the OAuth metadata for the protected resource, including authorization servers,
     /// supported scopes, and other information needed for clients to authenticate.
-    /// Setting this property will automatically update the <see cref="ProtectedResourceMetadataProvider"/> 
+    /// Setting this property will automatically update the <see cref="ProtectedResourceMetadataProvider"/>
     /// to return this static instance.
     /// </remarks>
     /// <exception cref="ArgumentNullException">Thrown when trying to set a null value.</exception>
@@ -64,13 +65,13 @@ public ProtectedResourceMetadata ResourceMetadata
             {
                 throw new ArgumentException("The Resource property of the metadata cannot be null. A valid resource URI is required.", nameof(value));
             }
-            
+
             _resourceMetadata = value;
             // When static metadata is set, update the provider to use it
             _resourceMetadataProvider = _ => _resourceMetadata;
         }
-    }    
-    
+    }
+
     /// <summary>
     /// Gets or sets a delegate that dynamically provides resource metadata based on the HTTP context.
     /// </summary>
@@ -84,7 +85,7 @@ public Func<HttpContext, ProtectedResourceMetadata>? ProtectedResourceMetadataPr
         get => _resourceMetadataProvider;
         set => _resourceMetadataProvider = value;
     }
-    
+
     /// <summary>
     /// Gets the resource metadata for the current request.
     /// </summary>
@@ -94,7 +95,7 @@ public Func<HttpContext, ProtectedResourceMetadata>? ProtectedResourceMetadataPr
     internal ProtectedResourceMetadata GetResourceMetadata(HttpContext context)
     {
         var provider = _resourceMetadataProvider;
-        
+
         return provider != null
             ? provider(context)
             : _resourceMetadata ?? throw new InvalidOperationException(