Updating the approach for client auth

Author: localden

samples/ProtectedMCPClient/Program.cs

@@ -1,38 +1,30 @@
+using ModelContextProtocol.Authentication;
 using ModelContextProtocol.Client;
 using ModelContextProtocol.Protocol.Transport;
+using System.Diagnostics;
 
 namespace ProtectedMCPClient;
 
 class Program
 {
     static async Task Main(string[] args)
     {
-        Console.WriteLine("MCP Secure Weather Client with OAuth Authentication");
-        Console.WriteLine("==================================================");
+        Console.WriteLine("MCP Secure Weather Client with Authentication");
+        Console.WriteLine("==============================================");
         Console.WriteLine();
 
-        //// Create the authorization config with HTTP listener
-        //var authConfig = new AuthorizationConfig
-        //{
-        //    ClientId = "6ad97b5f-7a7b-413f-8603-7a3517d4adb8",
-        //    Scopes = ["api://167b4284-3f92-4436-92ed-38b38f83ae08/weather.read"]
-        //}.UseHttpListener(hostname: "localhost", listenPort: 1170);
-
-        //// Create an HTTP client with OAuth handling
-        //var oauthHandler = new OAuthDelegatingHandler(
-        //    redirectUri: authConfig.RedirectUri,
-        //    clientId: authConfig.ClientId,
-        //    clientName: authConfig.ClientName,
-        //    scopes: authConfig.Scopes,
-        //    authorizationHandler: authConfig.AuthorizationHandler)
-        //{
-        //    // The OAuth handler needs an inner handler
-        //    InnerHandler = new HttpClientHandler()
-        //};
-
-        var httpClient = new HttpClient();
+        // Create a standard HttpClient with authentication configured
         var serverUrl = "http://localhost:7071/sse"; // Default server URL
 
+        // Ask for the API key
+        Console.WriteLine("Enter your API key (or press Enter to use default):");
+        var apiKey = Console.ReadLine();
+        if (string.IsNullOrWhiteSpace(apiKey))
+        {
+            apiKey = "demo-api-key-12345"; // Default API key for demonstration
+            Console.WriteLine($"Using default API key: {apiKey}");
+        }
+
         // Allow the user to specify a different server URL
         Console.WriteLine($"Server URL (press Enter for default: {serverUrl}):");
         var userInput = Console.ReadLine();
@@ -41,10 +33,14 @@ static async Task Main(string[] args)
             serverUrl = userInput;
         }
 
+        // Create a single HttpClient with authentication configured
+        var tokenProvider = new SimpleAccessTokenProvider(apiKey, new Uri(serverUrl));
+        var httpClient = new HttpClient().UseAuthenticationProvider(tokenProvider);
+
         Console.WriteLine();
         Console.WriteLine($"Connecting to weather server at {serverUrl}...");
-        Console.WriteLine("When prompted for authorization, a browser window will open automatically.");
-        Console.WriteLine("Complete the authentication in the browser, and this application will continue automatically.");
+        Console.WriteLine("When prompted for authorization, the challenge will be verified automatically.");
+        Console.WriteLine("If required, you'll be guided through any necessary authentication steps.");
         Console.WriteLine();
 
         try
@@ -82,13 +78,27 @@ static async Task Main(string[] args)
                 Console.WriteLine();
             }
         }
+        catch (HttpRequestException ex) when (ex.StatusCode == System.Net.HttpStatusCode.Unauthorized)
+        {
+            // Handle authentication failures specifically
+            Console.WriteLine("Authentication failed. The server returned a 401 Unauthorized response.");
+            Console.WriteLine($"Details: {ex.Message}");
+            
+            // Additional handling for 401 - could add manual authentication retry here
+            Console.WriteLine("You might need to provide a different API key or authentication credentials.");
+        }
         catch (Exception ex)
         {
             Console.WriteLine($"Error: {ex.Message}");
             if (ex.InnerException != null)
             {
                 Console.WriteLine($"Inner error: {ex.InnerException.Message}");
             }
+            
+            // Print stack trace in debug builds
+            #if DEBUG
+            Console.WriteLine($"Stack trace: {ex.StackTrace}");
+            #endif
         }
 
         Console.WriteLine("Press any key to exit...");

samples/ProtectedMCPClient/SimpleAccessTokenProvider.cs

@@ -0,0 +1,84 @@
+using ModelContextProtocol.Authentication;
+using System.Collections.Concurrent;
+
+namespace ProtectedMCPClient;
+
+/// <summary>
+/// A simple implementation of IAccessTokenProvider that uses a fixed API key.
+/// This is just for demonstration purposes.
+/// </summary>
+public class SimpleAccessTokenProvider : IAccessTokenProvider
+{
+    private readonly string _apiKey;
+    private readonly ConcurrentDictionary<string, string> _tokenCache = new();
+    private readonly Uri _serverUrl;
+
+    public SimpleAccessTokenProvider(string apiKey, Uri serverUrl)
+    {
+        _apiKey = apiKey ?? throw new ArgumentNullException(nameof(apiKey));
+        _serverUrl = serverUrl ?? throw new ArgumentNullException(nameof(serverUrl));
+    }
+
+    /// <inheritdoc />
+    public Task<string?> GetAuthenticationTokenAsync(Uri resourceUri, CancellationToken cancellationToken = default)
+    {
+        // In a real implementation, you might use different tokens for different resources,
+        // or refresh tokens when they're about to expire
+        return Task.FromResult<string?>(_apiKey);
+    }
+
+    /// <inheritdoc />
+    public async Task<bool> HandleUnauthorizedResponseAsync(HttpResponseMessage response, CancellationToken cancellationToken = default)
+    {
+        try
+        {
+            // Use the updated AuthenticationChallengeHandler to handle the 401 challenge
+            var resourceMetadata = await AuthenticationUtils.HandleAuthenticationChallengeAsync(
+                response,
+                _serverUrl,
+                cancellationToken);
+            
+            // If we get here, the resource metadata is valid and matches our server
+            Console.WriteLine($"Successfully validated resource metadata for: {resourceMetadata.Resource}");
+            
+            // For a real implementation, you would:
+            // 1. Use the metadata to get information about the authorization servers
+            // 2. Obtain a new token from one of those authorization servers
+            // 3. Store the new token for future requests
+            
+            // Example of what a real implementation might do:
+            /*
+            if (resourceMetadata.AuthorizationServers?.Count > 0) 
+            {
+                var authServerUrl = resourceMetadata.AuthorizationServers[0];
+                var authServerMetadata = await AuthenticationUtils.FetchAuthorizationServerMetadataAsync(
+                    authServerUrl, cancellationToken);
+                
+                if (authServerMetadata != null)
+                {
+                    // Use auth server metadata to obtain a new token
+                    // Store the token in _tokenCache
+                    // Return true to indicate the unauthorized response was handled
+                    return true;
+                }
+            }
+            */
+            
+            // For now, we still return false since we're not actually refreshing the token
+            Console.WriteLine("API key is valid, but might not have sufficient permissions.");
+            return false;
+        }
+        catch (InvalidOperationException ex)
+        {
+            // Log the specific error about why the challenge handling failed
+            Console.WriteLine($"Authentication challenge failed: {ex.Message}");
+            return false;
+        }
+        catch (Exception ex)
+        {
+            // Log any unexpected errors
+            Console.WriteLine($"Unexpected error during authentication challenge: {ex.Message}");
+            return false;
+        }
+    }
+}

src/ModelContextProtocol/Authentication/AuthenticationDelegatingHandler.cs

@@ -0,0 +1,119 @@
+using System.Net.Http;
+using System.Net.Http.Headers;
+
+namespace ModelContextProtocol.Authentication;
+
+/// <summary>
+/// A delegating handler that adds authentication tokens to requests and handles 401 responses.
+/// </summary>
+internal class AuthenticationDelegatingHandler : DelegatingHandler
+{
+    private readonly IAccessTokenProvider _tokenProvider;
+    private readonly string _scheme;
+
+    /// <summary>
+    /// Initializes a new instance of the <see cref="AuthenticationDelegatingHandler"/> class.
+    /// </summary>
+    /// <param name="tokenProvider">The provider that supplies authentication tokens.</param>
+    /// <param name="scheme">The authentication scheme to use, e.g., "Bearer".</param>
+    public AuthenticationDelegatingHandler(IAccessTokenProvider tokenProvider, string scheme)
+    {
+        _tokenProvider = tokenProvider ?? throw new ArgumentNullException(nameof(tokenProvider));
+        _scheme = scheme ?? throw new ArgumentNullException(nameof(scheme));
+    }
+
+    /// <summary>
+    /// Sends an HTTP request with authentication handling.
+    /// </summary>
+    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
+    {
+        // Add the authentication token to the request if not already present
+        if (request.Headers.Authorization == null)
+        {
+            await AddAuthenticationHeaderAsync(request, cancellationToken);
+        }
+
+        // Send the request through the inner handler
+        var response = await base.SendAsync(request, cancellationToken);
+
+        // Handle unauthorized responses
+        if (response.StatusCode == System.Net.HttpStatusCode.Unauthorized)
+        {
+            // Try to handle the unauthorized response
+            var handled = await _tokenProvider.HandleUnauthorizedResponseAsync(
+                response,
+                cancellationToken);
+
+            if (handled)
+            {
+                // If the unauthorized response was handled, retry the request
+                var retryRequest = await CloneHttpRequestMessageAsync(request);
+
+                // Get a new token
+                await AddAuthenticationHeaderAsync(retryRequest, cancellationToken);
+
+                // Send the retry request
+                return await base.SendAsync(retryRequest, cancellationToken);
+            }
+        }
+
+        return response;
+    }
+
+    /// <summary>
+    /// Adds an authorization header to the request.
+    /// </summary>
+    private async Task AddAuthenticationHeaderAsync(HttpRequestMessage request, CancellationToken cancellationToken)
+    {
+        if (request.RequestUri != null)
+        {
+            var token = await _tokenProvider.GetAuthenticationTokenAsync(request.RequestUri, cancellationToken);
+            if (!string.IsNullOrEmpty(token))
+            {
+                request.Headers.Authorization = new AuthenticationHeaderValue(_scheme, token);
+            }
+        }
+    }
+
+    /// <summary>
+    /// Creates a clone of the HTTP request message.
+    /// </summary>
+    private static async Task<HttpRequestMessage> CloneHttpRequestMessageAsync(HttpRequestMessage request)
+    {
+        var clone = new HttpRequestMessage(request.Method, request.RequestUri);
+
+        // Copy the request headers
+        foreach (var header in request.Headers)
+        {
+            clone.Headers.TryAddWithoutValidation(header.Key, header.Value);
+        }
+
+        // Copy the request content if present
+        if (request.Content != null)
+        {
+            var contentBytes = await request.Content.ReadAsByteArrayAsync();
+            var cloneContent = new ByteArrayContent(contentBytes);
+
+            // Copy the content headers
+            foreach (var header in request.Content.Headers)
+            {
+                cloneContent.Headers.TryAddWithoutValidation(header.Key, header.Value);
+            }
+
+            clone.Content = cloneContent;
+        }
+
+        // Copy the request properties
+#pragma warning disable CS0618 // Type or member is obsolete
+        foreach (var property in request.Properties)
+        {
+            clone.Properties.Add(property);
+        }
+#pragma warning restore CS0618 // Type or member is obsolete
+
+        // Copy the request version
+        clone.Version = request.Version;
+
+        return clone;
+    }
+}