Multiple scheme support

Author: localden

samples/ProtectedMCPClient/BasicOAuthAuthorizationProvider.cs

@@ -30,38 +30,35 @@ public class BasicOAuthAuthorizationProvider(
     private readonly HttpClient _httpClient = new();
 
     private TokenContainer? _token;
-
     private AuthorizationServerMetadata? _authServerMetadata;
 
-    public string AuthorizationScheme => "Bearer";
+    /// <inheritdoc />
+    public IEnumerable<string> SupportedSchemes => new[] { "DPoP" };
 
     /// <inheritdoc />
-    public async Task<string?> GetCredentialAsync(Uri resourceUri, CancellationToken cancellationToken = default)
+    public Task<string?> GetCredentialAsync(string scheme, Uri resourceUri, CancellationToken cancellationToken = default)
     {
-        // Return the token if it's valid
-        if (_token != null && _token.ExpiresAt > DateTimeOffset.UtcNow.AddMinutes(5))
+        // This provider only supports Bearer tokens
+        if (scheme != "Bearer")
         {
-            return _token.AccessToken;
+            return Task.FromResult<string?>(null);
         }
-        
-        // Try to refresh the token if we have a refresh token
-        if (_token?.RefreshToken != null && _authServerMetadata != null)
-        {
-            var newToken = await RefreshTokenAsync(_token.RefreshToken, _authServerMetadata, cancellationToken);
-            if (newToken != null)
-            {
-                _token = newToken;
-                return _token.AccessToken;
-            }
-        }
-        
-        // No valid token - auth handler will trigger the 401 flow
-        return null;
+
+        return GetBearerTokenAsync(cancellationToken);
     }
 
     /// <inheritdoc />
-    public async Task<bool> HandleUnauthorizedResponseAsync(HttpResponseMessage response, CancellationToken cancellationToken = default)
+    public async Task<(bool Success, string? RecommendedScheme)> HandleUnauthorizedResponseAsync(
+        HttpResponseMessage response, 
+        string scheme,
+        CancellationToken cancellationToken = default)
     {
+        // This provider only supports Bearer scheme
+        if (scheme != "Bearer")
+        {
+            return (false, null);
+        }
+
         try
         {
             // Get the metadata from the challenge
@@ -84,20 +81,43 @@ public async Task<bool> HandleUnauthorizedResponseAsync(HttpResponseMessage resp
                     if (token != null)
                     {
                         _token = token;
-                        return true;
+                        return (true, "Bearer");
                     }
                 }
             }
 
-            return false;
+            return (false, null);
         }
         catch (Exception ex)
         {
             Console.WriteLine($"Error handling auth challenge: {ex.Message}");
-            return false;
+            return (false, null);
         }
     }
 
+    private async Task<string?> GetBearerTokenAsync(CancellationToken cancellationToken = default)
+    {
+        // Return the token if it's valid
+        if (_token != null && _token.ExpiresAt > DateTimeOffset.UtcNow.AddMinutes(5))
+        {
+            return _token.AccessToken;
+        }
+        
+        // Try to refresh the token if we have a refresh token
+        if (_token?.RefreshToken != null && _authServerMetadata != null)
+        {
+            var newToken = await RefreshTokenAsync(_token.RefreshToken, _authServerMetadata, cancellationToken);
+            if (newToken != null)
+            {
+                _token = newToken;
+                return _token.AccessToken;
+            }
+        }
+        
+        // No valid token - auth handler will trigger the 401 flow
+        return null;
+    }
+    
     private async Task<AuthorizationServerMetadata?> GetAuthServerMetadataAsync(Uri authServerUri, CancellationToken cancellationToken)
     {
         var baseUrl = authServerUri.ToString();

src/ModelContextProtocol/Authentication/AuthorizationDelegatingHandler.cs

@@ -1,3 +1,4 @@
+using ModelContextProtocol.Authentication.Types;
 using System.Net.Http.Headers;
 
 namespace ModelContextProtocol.Authentication;
@@ -8,6 +9,7 @@ namespace ModelContextProtocol.Authentication;
 public class AuthorizationDelegatingHandler : DelegatingHandler
 {
     private readonly IMcpAuthorizationProvider _authorizationProvider;
+    private string? _currentScheme;
 
     /// <summary>
     /// Initializes a new instance of the <see cref="AuthorizationDelegatingHandler"/> class.
@@ -16,50 +18,137 @@ public class AuthorizationDelegatingHandler : DelegatingHandler
     public AuthorizationDelegatingHandler(IMcpAuthorizationProvider authorizationProvider)
     {
         _authorizationProvider = authorizationProvider ?? throw new ArgumentNullException(nameof(authorizationProvider));
+        
+        // Select first supported scheme as the default
+        _currentScheme = _authorizationProvider.SupportedSchemes.FirstOrDefault();
+        if (_currentScheme == null)
+        {
+            throw new ArgumentException("Authorization provider must support at least one authentication scheme.", nameof(authorizationProvider));
+        }
     }
 
     /// <summary>
     /// Sends an HTTP request with authentication handling.
     /// </summary>
     protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
     {
-        if (request.Headers.Authorization == null)
+        if (request.Headers.Authorization == null && _currentScheme != null)
         {
-            await AddAuthorizationHeaderAsync(request, cancellationToken);
+            await AddAuthorizationHeaderAsync(request, _currentScheme, cancellationToken);
         }
 
         var response = await base.SendAsync(request, cancellationToken);
 
         if (response.StatusCode == System.Net.HttpStatusCode.Unauthorized)
         {
-            var handled = await _authorizationProvider.HandleUnauthorizedResponseAsync(
-                response,
-                cancellationToken);
-
-            if (handled)
+            // Gather the schemes the server wants us to use from WWW-Authenticate headers
+            var serverSchemes = ExtractServerSupportedSchemes(response);
+            
+            // Find the intersection between what the server supports and what our provider supports
+            var supportedSchemes = _authorizationProvider.SupportedSchemes.ToList();
+            string? bestSchemeMatch = null;
+            
+            // First try to find a direct match with the current scheme if it's still valid
+            string schemeUsed = request.Headers.Authorization?.Scheme ?? _currentScheme ?? string.Empty;
+            if (serverSchemes.Contains(schemeUsed) && supportedSchemes.Contains(schemeUsed))
             {
-                var retryRequest = await CloneHttpRequestMessageAsync(request);
-
-                await AddAuthorizationHeaderAsync(retryRequest, cancellationToken);
-
-                return await base.SendAsync(retryRequest, cancellationToken);
+                bestSchemeMatch = schemeUsed;
+            }
+            else
+            {
+                // Try to find any matching scheme between server and provider
+                bestSchemeMatch = serverSchemes.FirstOrDefault(scheme => supportedSchemes.Contains(scheme));
+                
+                // If still no match, default to the provider's preferred scheme
+                if (bestSchemeMatch == null && serverSchemes.Count > 0)
+                {
+                    throw new AuthenticationSchemeMismatchException(
+                        $"No matching authentication scheme found. Server supports: [{string.Join(", ", serverSchemes)}], " +
+                        $"Provider supports: [{string.Join(", ", supportedSchemes)}].",
+                        serverSchemes,
+                        supportedSchemes);
+                }
+                else if (bestSchemeMatch == null)
+                {
+                    // If the server didn't specify any schemes, use the provider's default
+                    bestSchemeMatch = supportedSchemes.FirstOrDefault();
+                }
+            }
+            
+            // If we have a scheme to try, use it
+            if (bestSchemeMatch != null)
+            {
+                // Try to handle the 401 response with the selected scheme
+                var (handled, recommendedScheme) = await _authorizationProvider.HandleUnauthorizedResponseAsync(
+                    response,
+                    bestSchemeMatch,
+                    cancellationToken);
+
+                if (handled)
+                {
+                    var retryRequest = await CloneHttpRequestMessageAsync(request);
+                    
+                    // Use the recommended scheme if provided, otherwise use our best match
+                    string schemeToUse = recommendedScheme ?? bestSchemeMatch;
+                    if (!string.IsNullOrEmpty(recommendedScheme))
+                    {
+                        _currentScheme = recommendedScheme;
+                    }
+                    else
+                    {
+                        _currentScheme = bestSchemeMatch;
+                    }
+
+                    await AddAuthorizationHeaderAsync(retryRequest, schemeToUse, cancellationToken);
+                    return await base.SendAsync(retryRequest, cancellationToken);
+                }
+                else
+                {
+                    throw new McpException(
+                        $"Failed to handle unauthorized response with scheme '{bestSchemeMatch}'. " +
+                        "The authentication provider was unable to process the authentication challenge.");
+                }
             }
         }
 
         return response;
     }
 
+    /// <summary>
+    /// Extracts the authentication schemes that the server supports from the WWW-Authenticate headers.
+    /// </summary>
+    private static List<string> ExtractServerSupportedSchemes(HttpResponseMessage response)
+    {
+        var serverSchemes = new List<string>();
+        
+        if (response.Headers.Contains("WWW-Authenticate"))
+        {
+            foreach (var authHeader in response.Headers.GetValues("WWW-Authenticate"))
+            {
+                // Extract the scheme from the WWW-Authenticate header
+                // Format is typically: "Scheme param1=value1, param2=value2"
+                string scheme = authHeader.Split(new[] { ' ', ',' }, StringSplitOptions.RemoveEmptyEntries)[0];
+                if (!string.IsNullOrEmpty(scheme))
+                {
+                    serverSchemes.Add(scheme);
+                }
+            }
+        }
+        
+        return serverSchemes;
+    }
+
     /// <summary>
     /// Adds an authorization header to the request.
     /// </summary>
-    private async Task AddAuthorizationHeaderAsync(HttpRequestMessage request, CancellationToken cancellationToken)
+    private async Task AddAuthorizationHeaderAsync(HttpRequestMessage request, string scheme, CancellationToken cancellationToken)
     {
         if (request.RequestUri != null)
         {
-            var token = await _authorizationProvider.GetCredentialAsync(request.RequestUri, cancellationToken);
+            var token = await _authorizationProvider.GetCredentialAsync(scheme, request.RequestUri, cancellationToken);
             if (!string.IsNullOrEmpty(token))
             {
-                request.Headers.Authorization = new AuthenticationHeaderValue(_authorizationProvider.AuthorizationScheme, token);
+                request.Headers.Authorization = new AuthenticationHeaderValue(scheme, token);
             }
         }
     }

src/ModelContextProtocol/Authentication/ITokenProvider.cs

@@ -7,28 +7,42 @@ namespace ModelContextProtocol.Authentication;
 public interface IMcpAuthorizationProvider
 {
     /// <summary>
-    /// Gets the authentication scheme to use with credentials from this provider.
+    /// Gets the collection of authentication schemes supported by this provider.
     /// </summary>
     /// <remarks>
     /// <para>
-    /// Common values include "Bearer" for JWT tokens and "Basic" for username/password authentication.
+    /// This property returns all authentication schemes that this provider can handle,
+    /// allowing clients to select the appropriate scheme based on server capabilities.
+    /// </para>
+    /// <para>
+    /// Common values include "Bearer" for JWT tokens, "Basic" for username/password authentication,
+    /// and "Negotiate" for integrated Windows authentication.
     /// </para>
     /// </remarks>
-    string AuthorizationScheme { get; }
+    IEnumerable<string> SupportedSchemes { get; }
 
     /// <summary>
-    /// Gets an authentication token or credential for authenticating requests to a resource.
+    /// Gets an authentication token or credential for authenticating requests to a resource
+    /// using the specified authentication scheme.
     /// </summary>
+    /// <param name="scheme">The authentication scheme to use.</param>
     /// <param name="resourceUri">The URI of the resource requiring authentication.</param>
     /// <param name="cancellationToken">A token to cancel the operation.</param>
-    /// <returns>An authentication token string or null if no token could be obtained.</returns>
-    Task<string?> GetCredentialAsync(Uri resourceUri, CancellationToken cancellationToken = default);
-    
+    /// <returns>An authentication token string or null if no token could be obtained for the specified scheme.</returns>
+    Task<string?> GetCredentialAsync(string scheme, Uri resourceUri, CancellationToken cancellationToken = default);
+
     /// <summary>
     /// Handles a 401 Unauthorized response from a resource.
     /// </summary>
     /// <param name="response">The HTTP response that contained the 401 status code.</param>
+    /// <param name="scheme">The authentication scheme that was used when the unauthorized response was received.</param>
     /// <param name="cancellationToken">A token to cancel the operation.</param>
-    /// <returns>True if the provider was able to handle the unauthorized response, otherwise false.</returns>
-    Task<bool> HandleUnauthorizedResponseAsync(HttpResponseMessage response, CancellationToken cancellationToken = default);
+    /// <returns>
+    /// A tuple containing a boolean indicating if the provider was able to handle the unauthorized response,
+    /// and the authentication scheme that should be used for the next attempt.
+    /// </returns>
+    Task<(bool Success, string? RecommendedScheme)> HandleUnauthorizedResponseAsync(
+        HttpResponseMessage response, 
+        string scheme,
+        CancellationToken cancellationToken = default);
 }

src/ModelContextProtocol/Authentication/Types/AuthenticationSchemeMismatchException.cs

@@ -0,0 +1,33 @@
+namespace ModelContextProtocol.Authentication.Types;
+
+/// <summary>
+/// Exception thrown when no compatible authentication scheme can be found between the client and server.
+/// </summary>
+public class AuthenticationSchemeMismatchException : Exception
+{
+    /// <summary>
+    /// Gets the authentication schemes supported by the server.
+    /// </summary>
+    public IReadOnlyList<string> ServerSchemes { get; }
+
+    /// <summary>
+    /// Gets the authentication schemes supported by the client provider.
+    /// </summary>
+    public IReadOnlyList<string> ProviderSchemes { get; }
+
+    /// <summary>
+    /// Initializes a new instance of the <see cref="AuthenticationSchemeMismatchException"/> class.
+    /// </summary>
+    /// <param name="message">The exception message.</param>
+    /// <param name="serverSchemes">The authentication schemes supported by the server.</param>
+    /// <param name="providerSchemes">The authentication schemes supported by the client provider.</param>
+    public AuthenticationSchemeMismatchException(
+        string message,
+        IEnumerable<string> serverSchemes,
+        IEnumerable<string> providerSchemes)
+        : base(message)
+    {
+        ServerSchemes = serverSchemes.ToList().AsReadOnly();
+        ProviderSchemes = providerSchemes.ToList().AsReadOnly();
+    }
+}