WIP: Authorization Support (Using ASP.NET Core Native AuthN/AuthZ Integration) #377
Co-authored-by: Stephen Halter <[email protected]>
Co-authored-by: Stephen Halter <[email protected]>
…sions.cs Co-authored-by: Stephen Halter <[email protected]>
_httpClientFactory = httpClientFactory; | ||
} | ||
|
||
[McpServerTool, Description("Get weather alerts for a US state.")] |
I was expecting to see the Name="get_alerts" annotation. Would the Name property be auto-deduced from the function name?
})); | ||
} | ||
|
||
[McpServerTool, Description("Get weather forecast for a location.")] |
Re: AuthZ checks.
I was expecting to see something like the following at the class definition or on a per-method basis like the usual ASP.Net role annotations.
[Authorize(Policy = "AuthenticatedUserPolicy")]
[RequiredScope("Weather")]
public class WeatherTools
How would I specify required roles (or more generally, AuthZ requirements) on a per-class/method basis?
|
||
internal static class HttpClientExt | ||
{ | ||
public static async Task<JsonDocument> ReadJsonDocumentAsync(this HttpClient client, string requestUri) |
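Review bot: ReadJsonDocumentAsync(this HttpClient client, string requestUri) takes no CancellationToken, so a tool call that is cancelled or abandoned by the caller cannot abort the outbound request it started. Suggest adding CancellationToken cancellationToken = default as the last parameter and passing it to the HTTP call and the JSON parse inside the method.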
nit: Isn't this the same as https://learn.microsoft.com/en-us/dotnet/standard/serialization/system-text-json/httpclient-extensions?
namespace ProtectedMCPServer.Tools; | ||
|
||
[McpServerToolType] | ||
public sealed class WeatherTools |
nit: Does it need/have to be sealed?
Co-authored-by: Tyler James Leonhardt <[email protected]>
…-sdk into localden/experimental
var response = await _httpClient.GetAsync(new Uri(baseUrl + path), cancellationToken); | ||
if (response.IsSuccessStatusCode) | ||
{ | ||
var json = await response.Content.ReadAsStringAsync(cancellationToken); |
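Review bot: new Uri(baseUrl + path) on the GetAsync line builds the request URL by plain string concatenation, which neither normalises the slash between the two parts nor confirms that the result still points at the intended host. Suggest combining the parts with new Uri(new Uri(baseUrl), path) or UriBuilder and, if either value originates from a remotely supplied document, checking the scheme and host of the final Uri before the request is sent.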
Using ReadAsStream and then Deserializing the stream will save allocating the string because the Stream contents are not buffered.
var response = await _httpClient.SendAsync(request, cancellationToken); | ||
if (response.IsSuccessStatusCode) | ||
{ | ||
var json = await response.Content.ReadAsStringAsync(cancellationToken); |
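Review bot: response on the SendAsync line is declared with a plain var rather than using var, so the HttpResponseMessage is not tied to a scope that disposes it and the connection can stay held if a later line throws. Suggest using var response = await _httpClient.SendAsync(request, cancellationToken); and making sure the path where IsSuccessStatusCode is false reports the status code to the caller.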
Same as above. Use ReadAsStream
/// <summary> | ||
/// Default values used by MCP authentication. | ||
/// </summary> | ||
public static class McpAuthenticationDefaults |
Does this need to be public? Who consumes this? Are these documented in the MCP spec?
…cationHandler.cs Co-authored-by: Stephen Toub <[email protected]>
Implements the authorization flow for clients and servers, per specification. Instead of re-implementing everything from scratch, this follows the suggestions from #349 and uses the native ASP.NET Core constructs to handle post-discovery steps server-side.
Developer experience
Server
HTTP context in tools
.AddHttpContextAccessor is used to ensure that tools can access the HTTP context (such as the authorization header contents).
Tools that want to use the HTTP context will need to amend their signatures to include a reference to IHttpContextAccessor, like this:
Client