Cleanup

Author: localden

samples/AuthorizationServerExample/Program.cs

@@ -1,5 +1,5 @@
 using ModelContextProtocol;
-using ModelContextProtocol.AspNetCore;
+using ModelContextProtocol.Configuration;
 using ModelContextProtocol.Protocol.Auth;
 using ModelContextProtocol.Protocol.Types;
 using ModelContextProtocol.Server.Auth;
@@ -40,9 +40,12 @@ async Task<bool> ValidateToken(string token)
         }
 
         // 3. Create an authorization provider with the PRM and token validator
-        var authProvider = new BasicServerAuthorizationProvider(prm, ValidateToken);
-
-        // 4. Configure the MCP server with authorization
+        var authProvider = new BasicServerAuthorizationProvider(prm, ValidateToken);        // 4. Configure the MCP server with authorization
+        // WithAuthorization will automatically configure:
+        // - Authorization provider registration
+        // - Protected resource metadata endpoint (/.well-known/oauth-protected-resource)
+        // - Token validation middleware
+        // - Authorization for all MCP endpoints
         builder.Services.AddMcpServer(options =>
             {
                 options.ServerInstructions = "This is an MCP server with OAuth authorization enabled.";
@@ -106,14 +109,8 @@ async Task<bool> ValidateToken(string token)
 
         var app = builder.Build();
 
-        // 5. Enable authorization middleware (this must be before MapMcp)
-        // This middleware does several things:
-        // - Serves the PRM document at /.well-known/oauth-protected-resource
-        // - Checks Authorization header on requests
-        // - Returns 401 + WWW-Authenticate when authorization is missing or invalid
-        app.UseMcpAuthorization();
-        
-        // 6. Map MCP endpoints
+        // 5. Map MCP endpoints
+        // Note: Authorization is now handled automatically by WithAuthorization()
         app.MapMcp();
 
         // Configure the server URL

src/ModelContextProtocol.AspNetCore/AuthorizationExtensions.cs

@@ -10,6 +10,9 @@ public static class AuthorizationExtensions
     /// <summary>
     /// Adds MCP authorization middleware to the specified <see cref="IApplicationBuilder"/>, which enables
     /// OAuth 2.0 authorization for MCP servers.
+    /// 
+    /// Note: This method is called automatically when using <c>WithAuthorization()</c>, so you typically
+    /// don't need to call it directly. It's available for advanced scenarios where more control is needed.
     /// </summary>
     /// <param name="builder">The <see cref="IApplicationBuilder"/> to add the middleware to.</param>
     /// <returns>A reference to this instance after the operation has completed.</returns>

src/ModelContextProtocol.AspNetCore/AuthorizationMiddleware.cs

@@ -25,9 +25,7 @@ public AuthorizationMiddleware(RequestDelegate next, ILogger<AuthorizationMiddle
     {
         _next = next ?? throw new ArgumentNullException(nameof(next));
         _logger = logger ?? throw new ArgumentNullException(nameof(logger));
-    }
-
-    /// <summary>
+    }    /// <summary>
     /// Processes a request.
     /// </summary>
     /// <param name="context">The HTTP context.</param>
@@ -42,6 +40,7 @@ public async Task InvokeAsync(
         // Check if authorization is configured
         if (authProvider == null)
         {
+            _logger.LogDebug("Authorization is not configured, skipping authorization middleware");
             // Authorization is not configured, proceed to the next middleware
             await _next(context);
             return;
@@ -54,7 +53,7 @@ public async Task InvokeAsync(
             _logger.LogDebug("Serving Protected Resource Metadata document");
             context.Response.ContentType = "application/json";
             await JsonSerializer.SerializeAsync(
-                context.Response.Body, 
+                context.Response.Body,
                 authProvider.GetProtectedResourceMetadata(),
                 McpJsonUtilities.DefaultOptions.GetTypeInfo(typeof(ProtectedResourceMetadata)));
             return;

src/ModelContextProtocol.AspNetCore/HttpMcpServerBuilderExtensions.cs

@@ -1,4 +1,5 @@
-using Microsoft.Extensions.DependencyInjection.Extensions;
+using Microsoft.AspNetCore.Hosting;
+using Microsoft.Extensions.DependencyInjection.Extensions;
 using ModelContextProtocol.AspNetCore;
 using ModelContextProtocol.Server;
 
@@ -27,6 +28,9 @@ public static IMcpServerBuilder WithHttpTransport(this IMcpServerBuilder builder
         builder.Services.TryAddSingleton<SseHandler>();
         builder.Services.AddHostedService<IdleTrackingBackgroundService>();
 
+        // Add our auto-registration for the authorization middleware
+        builder.Services.AddTransient<IStartupFilter, McpAuthorizationStartupFilter>();
+        
         if (configureOptions is not null)
         {
             builder.Services.Configure(configureOptions);

src/ModelContextProtocol.AspNetCore/McpAuthorizationStartupFilter.cs

@@ -0,0 +1,37 @@
+// filepath: c:\Users\ddelimarsky\source\csharp-sdk\src\ModelContextProtocol.AspNetCore\McpAuthorizationStartupFilter.cs
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Hosting;
+using Microsoft.Extensions.DependencyInjection;
+using ModelContextProtocol.Protocol.Auth;
+using System;
+
+namespace ModelContextProtocol.AspNetCore;
+
+/// <summary>
+/// StartupFilter that automatically adds the MCP authorization middleware when authorization is configured.
+/// </summary>
+internal class McpAuthorizationStartupFilter : IStartupFilter
+{
+    /// <summary>
+    /// Configures the middleware pipeline to include MCP authorization middleware when needed.
+    /// </summary>
+    /// <param name="next">The next configurator in the chain.</param>
+    /// <returns>A new pipeline configuration action.</returns>
+    public Action<IApplicationBuilder> Configure(Action<IApplicationBuilder> next)
+    {
+        return app =>
+        {
+            // Check if authorization provider is registered
+            bool hasAuthProvider = app.ApplicationServices.GetService<IServerAuthorizationProvider>() != null;
+            
+            // If authorization is configured, add the middleware
+            if (hasAuthProvider)
+            {
+                app.UseMcpAuthorization();
+            }
+            
+            // Continue with the rest of the pipeline configuration
+            next(app);
+        };
+    }
+}

src/ModelContextProtocol.AspNetCore/McpEndpointRouteBuilderExtensions.cs

@@ -75,13 +75,14 @@ public static IEndpointConventionBuilder MapMcp(this IEndpointRouteBuilder endpo
 
         var messageEndpoint = sseGroup.MapPost("/message", sseHandler.HandleMessageRequestAsync)
             .WithMetadata(new AcceptsMetadata(["application/json"]))
-            .WithMetadata(new ProducesResponseTypeMetadata(StatusCodes.Status202Accepted));
-
-        // Apply authorization filter directly to SSE endpoints if authorization is configured
+            .WithMetadata(new ProducesResponseTypeMetadata(StatusCodes.Status202Accepted));        // Apply authorization filter directly to the endpoints if authorization is configured
         if (authProvider != null)
         {
-            // Apply authorization to both endpoints using the extension method
+            // Apply authorization to both SSE endpoints using the extension method
             new[] { sseEndpoint, messageEndpoint }.AddMcpAuthorization(authProvider, endpoints.ServiceProvider);
+            
+            // Apply authorization to the Streamable HTTP endpoints using the extension method
+            streamableHttpGroup.AddMcpAuthorization(authProvider, endpoints.ServiceProvider);
         }
         return mcpGroup;
     }

src/ModelContextProtocol/Configuration/McpServerAuthorizationExtensions.cs

@@ -1,29 +1,39 @@
+using Microsoft.Extensions.DependencyInjection;
 using ModelContextProtocol.Protocol.Auth;
 using ModelContextProtocol.Protocol.Types;
 using ModelContextProtocol.Server;
 using ModelContextProtocol.Utils;
 
-namespace Microsoft.Extensions.DependencyInjection;
+namespace ModelContextProtocol.Configuration;
 
 /// <summary>
 /// Extension methods for configuring authorization in MCP servers.
 /// </summary>
 public static class McpServerAuthorizationExtensions
-{
+{    
     /// <summary>
-    /// Adds authorization support to the MCP server.
+    /// Adds authorization support to the MCP server and automatically configures the required middleware.
+    /// You don't need to call UseMcpAuthorization() separately - it will be handled automatically.
     /// </summary>
     /// <param name="builder">The <see cref="IMcpServerBuilder"/> to configure.</param>
     /// <param name="authorizationProvider">The authorization provider that will validate tokens and provide metadata.</param>
     /// <returns>The <see cref="IMcpServerBuilder"/> so that additional calls can be chained.</returns>
     /// <exception cref="ArgumentNullException"><paramref name="builder"/> or <paramref name="authorizationProvider"/> is <see langword="null"/>.</exception>
+    /// <remarks>
+    /// This method automatically configures all the necessary components for authorization:
+    /// 1. Registers the authorization provider in the DI container
+    /// 2. Configures authorization middleware to serve the protected resource metadata
+    /// 3. Adds authorization to MCP endpoints when they are mapped
+    /// 
+    /// You no longer need to call app.UseMcpAuthorization() explicitly.
+    /// </remarks>
     public static IMcpServerBuilder WithAuthorization(
         this IMcpServerBuilder builder,
         IServerAuthorizationProvider authorizationProvider)
     {
         Throw.IfNull(builder);
-        Throw.IfNull(authorizationProvider);
-
+        Throw.IfNull(authorizationProvider);        
+        
         // Register the authorization provider in the DI container
         builder.Services.AddSingleton(authorizationProvider);