Merge branch 'localden/experimental' of https://github.com/modelcontextprotocol/csharp-sdk into localden/experimental

Author: localden

Directory.Packages.props

@@ -8,7 +8,6 @@
 
   <!-- Product dependencies netstandard -->
   <ItemGroup Condition="'$(TargetFramework)' == 'netstandard2.0'">
-    <PackageVersion Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="9.0.4" />
     <PackageVersion Include="Microsoft.Bcl.Memory" Version="$(System9Version)" />
     <PackageVersion Include="Microsoft.Extensions.Hosting.Abstractions" Version="8.0.1" />
     <PackageVersion Include="Microsoft.Extensions.Logging.Abstractions" Version="8.0.3" />

src/Directory.Build.props

@@ -6,7 +6,7 @@
     <RepositoryUrl>https://github.com/modelcontextprotocol/csharp-sdk</RepositoryUrl>
     <RepositoryType>git</RepositoryType>
     <VersionPrefix>0.2.0</VersionPrefix>
-    <VersionSuffix>preview.3</VersionSuffix>
+    <VersionSuffix>preview.4</VersionSuffix>
     <Authors>ModelContextProtocolOfficial</Authors>
     <Copyright>© Anthropic and Contributors.</Copyright>
     <PackageTags>ModelContextProtocol;mcp;ai;llm</PackageTags>

src/ModelContextProtocol.AspNetCore/Authentication/McpAuthenticationExceptions.cs

@@ -39,21 +39,9 @@ public static AuthenticationBuilder AddMcp(
         string displayName,
         Action<McpAuthenticationOptions>? configureOptions = null)
     {
-        if (configureOptions != null)
-        {
-            if (authenticationScheme == McpAuthenticationDefaults.AuthenticationScheme)
-            {
-                builder.Services.Configure(configureOptions);
-            }
-            else
-            {
-                builder.Services.Configure(authenticationScheme, configureOptions);
-            }
-        }
-
         return builder.AddScheme<McpAuthenticationOptions, McpAuthenticationHandler>(
             authenticationScheme,
             displayName,
-            options => { }); // No-op to avoid overriding
+            configureOptions); // No-op to avoid overriding
     }
 }

src/ModelContextProtocol.AspNetCore/Authentication/McpAuthenticationHandler.cs

@@ -70,7 +70,7 @@ private string GetAbsoluteResourceMetadataUri()
 
         if (resourceMetadataUri.IsAbsoluteUri)
         {
-            return resourceMetadataUri.ToString();
+            return currentPath;
         }
 
         // For relative URIs, combine with the base URL

src/ModelContextProtocol.AspNetCore/Authentication/McpAuthenticationOptions.cs

@@ -87,41 +87,6 @@ public Func<HttpContext, ProtectedResourceMetadata>? ProtectedResourceMetadataPr
         set => _resourceMetadataProvider = value;
     }    
 
-    /// <summary>
-    /// Sets a static resource metadata instance that will be returned for all requests.
-    /// </summary>
-    /// <param name="metadata">The static resource metadata to use.</param>
-    /// <returns>The current options instance for method chaining.</returns>
-    /// <remarks>
-    /// This is a convenience method equivalent to setting the <see cref="ResourceMetadata"/> property.
-    /// </remarks>
-    /// <exception cref="ArgumentNullException">Thrown when metadata is null.</exception>
-    /// <exception cref="ArgumentException">Thrown when the Resource property of the metadata is null.</exception>
-    public McpAuthenticationOptions UseStaticResourceMetadata(ProtectedResourceMetadata metadata)
-    {
-        ArgumentNullException.ThrowIfNull(metadata);
-        if (metadata.Resource == null)
-        {
-            throw new ArgumentException("The Resource property of the metadata cannot be null. A valid resource URI is required.", nameof(metadata));
-        }
-        
-        ResourceMetadata = metadata;
-        return this;
-    }
-
-    /// <summary>
-    /// Sets a delegate to dynamically provide resource metadata for each request.
-    /// </summary>
-    /// <param name="provider">A delegate that returns resource metadata for a given HTTP context.</param>
-    /// <returns>The current options instance for method chaining.</returns>
-    /// <remarks>
-    /// This is a convenience method equivalent to setting the <see cref="ProtectedResourceMetadataProvider"/> property.
-    /// </remarks>
-    public McpAuthenticationOptions UseDynamicResourceMetadata(Func<HttpContext, ProtectedResourceMetadata> provider)
-    {
-        ProtectedResourceMetadataProvider = provider ?? throw new ArgumentNullException(nameof(provider));
-        return this;
-    }    
 
     /// <summary>
     /// Gets the resource metadata for the current request.

src/ModelContextProtocol.Core/Authentication/GenericOAuthProvider.cs

@@ -50,7 +50,8 @@ public class GenericOAuthProvider : IMcpCredentialProvider
     private readonly List<string> _scopes;
     private readonly string _clientId;
     private readonly string _clientSecret;
-    private readonly HttpClient _httpClient;    private readonly AuthorizationHelpers _authorizationHelpers;
+    private readonly HttpClient _httpClient;
+    private readonly AuthorizationHelpers _authorizationHelpers;
     private readonly ILogger _logger;
     private readonly Func<IReadOnlyList<Uri>, Uri?> _authServerSelector;
     private readonly AuthorizationUrlHandler _authorizationUrlHandler;
@@ -60,7 +61,9 @@ public class GenericOAuthProvider : IMcpCredentialProvider
 
     private static readonly JsonSerializerOptions _jsonOptions = new() { PropertyNameCaseInsensitive = true };
     private TokenContainer? _token;
-    private AuthorizationServerMetadata? _authServerMetadata;    /// <summary>
+    private AuthorizationServerMetadata? _authServerMetadata;
+
+    /// <summary>
     /// Initializes a new instance of the <see cref="GenericOAuthProvider"/> class.
     /// </summary>
     /// <param name="serverUrl">The MCP server URL.</param>

src/ModelContextProtocol.Core/Client/McpClient.cs

@@ -129,11 +129,12 @@ public async Task ConnectAsync(CancellationToken cancellationToken = default)
             try
             {
                 // Send initialize request
+                string requestProtocol = _options.ProtocolVersion ?? McpSession.LatestProtocolVersion;
                 var initializeResponse = await this.SendRequestAsync(
                     RequestMethods.Initialize,
                     new InitializeRequestParams
                     {
-                        ProtocolVersion = _options.ProtocolVersion,
+                        ProtocolVersion = requestProtocol,
                         Capabilities = _options.Capabilities ?? new ClientCapabilities(),
                         ClientInfo = _options.ClientInfo ?? DefaultImplementation,
                     },
@@ -154,10 +155,13 @@ public async Task ConnectAsync(CancellationToken cancellationToken = default)
                 _serverInstructions = initializeResponse.Instructions;
 
                 // Validate protocol version
-                if (initializeResponse.ProtocolVersion != _options.ProtocolVersion)
+                bool isResponseProtocolValid =
+                    _options.ProtocolVersion is { } optionsProtocol ? optionsProtocol == initializeResponse.ProtocolVersion :
+                    McpSession.SupportedProtocolVersions.Contains(initializeResponse.ProtocolVersion);
+                if (!isResponseProtocolValid)
                 {
-                    LogServerProtocolVersionMismatch(EndpointName, _options.ProtocolVersion, initializeResponse.ProtocolVersion);
-                    throw new McpException($"Server protocol version mismatch. Expected {_options.ProtocolVersion}, got {initializeResponse.ProtocolVersion}");
+                    LogServerProtocolVersionMismatch(EndpointName, requestProtocol, initializeResponse.ProtocolVersion);
+                    throw new McpException($"Server protocol version mismatch. Expected {requestProtocol}, got {initializeResponse.ProtocolVersion}");
                 }
 
                 // Send initialized notification

src/ModelContextProtocol.Core/Client/McpClientOptions.cs

@@ -34,11 +34,18 @@ public class McpClientOptions
     /// Gets or sets the protocol version to request from the server, using a date-based versioning scheme.
     /// </summary>
     /// <remarks>
+    /// <para>
     /// The protocol version is a key part of the initialization handshake. The client and server must 
-    /// agree on a compatible protocol version to communicate successfully. If the server doesn't support
-    /// the requested version, it will respond with a version mismatch error.
+    /// agree on a compatible protocol version to communicate successfully.
+    /// </para>
+    /// <para>
+    /// If non-<see langword="null"/>, this version will be sent to the server, and the handshake
+    /// will fail if the version in the server's response does not match this version.
+    /// If <see langword="null"/>, the client will request the latest version supported by the server
+    /// but will allow any supported version that the server advertizes in its response.
+    /// </para>
     /// </remarks>
-    public string ProtocolVersion { get; set; } = "2024-11-05";
+    public string? ProtocolVersion { get; set; }
 
     /// <summary>
     /// Gets or sets a timeout for the client-server initialization handshake sequence.

src/ModelContextProtocol.Core/Client/StreamableHttpClientSessionTransport.cs

@@ -97,30 +97,30 @@ internal async Task<HttpResponseMessage> SendHttpRequestAsync(JsonRpcMessage mes
         }
 
         var rpcRequest = message as JsonRpcRequest;
-        JsonRpcMessage? rpcResponseCandidate = null;
+        JsonRpcMessageWithId? rpcResponseOrError = null;
 
         if (response.Content.Headers.ContentType?.MediaType == "application/json")
         {
             var responseContent = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
-            rpcResponseCandidate = await ProcessMessageAsync(responseContent, cancellationToken).ConfigureAwait(false);
+            rpcResponseOrError = await ProcessMessageAsync(responseContent, rpcRequest, cancellationToken).ConfigureAwait(false);
         }
         else if (response.Content.Headers.ContentType?.MediaType == "text/event-stream")
         {
             using var responseBodyStream = await response.Content.ReadAsStreamAsync(cancellationToken);
-            rpcResponseCandidate = await ProcessSseResponseAsync(responseBodyStream, rpcRequest, cancellationToken).ConfigureAwait(false);
+            rpcResponseOrError = await ProcessSseResponseAsync(responseBodyStream, rpcRequest, cancellationToken).ConfigureAwait(false);
         }
 
         if (rpcRequest is null)
         {
             return response;
         }
 
-        if (rpcResponseCandidate is not JsonRpcMessageWithId messageWithId || messageWithId.Id != rpcRequest.Id)
+        if (rpcResponseOrError is null)
         {
             throw new McpException($"Streamable HTTP POST response completed without a reply to request with ID: {rpcRequest.Id}");
         }
 
-        if (rpcRequest.Method == RequestMethods.Initialize && rpcResponseCandidate is JsonRpcResponse)
+        if (rpcRequest.Method == RequestMethods.Initialize && rpcResponseOrError is JsonRpcResponse)
         {
             // We've successfully initialized! Copy session-id and start GET request if any.
             if (response.Headers.TryGetValues("mcp-session-id", out var sessionIdValues))
@@ -199,20 +199,20 @@ private async Task ReceiveUnsolicitedMessagesAsync()
                 continue;
             }
 
-            var message = await ProcessMessageAsync(sseEvent.Data, cancellationToken).ConfigureAwait(false);
+            var rpcResponseOrError = await ProcessMessageAsync(sseEvent.Data, relatedRpcRequest, cancellationToken).ConfigureAwait(false);
 
-            // The server SHOULD end the response here anyway, but we won't leave it to chance. This transport makes
+            // The server SHOULD end the HTTP response body here anyway, but we won't leave it to chance. This transport makes
             // a GET request for any notifications that might need to be sent after the completion of each POST.
-            if (message is JsonRpcMessageWithId messageWithId && relatedRpcRequest?.Id == messageWithId.Id)
+            if (rpcResponseOrError is not null)
             {
-                return messageWithId;
+                return rpcResponseOrError;
             }
         }
 
         return null;
     }
 
-    private async Task<JsonRpcMessage?> ProcessMessageAsync(string data, CancellationToken cancellationToken)
+    private async Task<JsonRpcMessageWithId?> ProcessMessageAsync(string data, JsonRpcRequest? relatedRpcRequest, CancellationToken cancellationToken)
     {
         try
         {
@@ -224,7 +224,12 @@ private async Task ReceiveUnsolicitedMessagesAsync()
             }
 
             await WriteMessageAsync(message, cancellationToken).ConfigureAwait(false);
-            return message;
+            if (message is JsonRpcResponse or JsonRpcError &&
+                message is JsonRpcMessageWithId rpcResponseOrError &&
+                rpcResponseOrError.Id == relatedRpcRequest?.Id)
+            {
+                return rpcResponseOrError;
+            }
         }
         catch (JsonException ex)
         {

src/ModelContextProtocol.Core/McpSession.cs

@@ -28,6 +28,16 @@ internal sealed partial class McpSession : IDisposable
     private static readonly Histogram<double> s_serverOperationDuration = Diagnostics.CreateDurationHistogram(
         "mcp.server.operation.duration", "Measures the duration of inbound message processing.", longBuckets: false);
 
+    /// <summary>The latest version of the protocol supported by this implementation.</summary>
+    internal const string LatestProtocolVersion = "2025-03-26";
+
+    /// <summary>All protocol versions supported by this implementation.</summary>
+    internal static readonly string[] SupportedProtocolVersions =
+    [
+        "2024-11-05",
+        LatestProtocolVersion,
+    ];
+
     private readonly bool _isServer;
     private readonly string _transportKind;
     private readonly ITransport _transport;