WIP: Authorization Support (Using ASP.NET Core Native AuthN/AuthZ Integration)

.gitignore

@@ -80,4 +80,7 @@ docs/api
 
 # Rider
 .idea/
-.idea_modules/
+.idea_modules/
+
+# Misc project metadata
+.specs/

ModelContextProtocol.sln

@@ -56,6 +56,10 @@ Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "ModelContextProtocol.AspNet
 EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "ModelContextProtocol.AspNetCore.Tests", "tests\ModelContextProtocol.AspNetCore.Tests\ModelContextProtocol.AspNetCore.Tests.csproj", "{85557BA6-3D29-4C95-A646-2A972B1C2F25}"
 EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "ProtectedMCPClient", "samples\ProtectedMCPClient\ProtectedMCPClient.csproj", "{CF41BB82-4E3E-5E86-BCB6-0DF3A1B48CF2}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "ProtectedMCPServer", "samples\ProtectedMCPServer\ProtectedMCPServer.csproj", "{80944644-54DC-2AFF-C60E-9885AD81E509}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -110,6 +114,14 @@ Global
 		{85557BA6-3D29-4C95-A646-2A972B1C2F25}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{85557BA6-3D29-4C95-A646-2A972B1C2F25}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{85557BA6-3D29-4C95-A646-2A972B1C2F25}.Release|Any CPU.Build.0 = Release|Any CPU
+		{CF41BB82-4E3E-5E86-BCB6-0DF3A1B48CF2}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{CF41BB82-4E3E-5E86-BCB6-0DF3A1B48CF2}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{CF41BB82-4E3E-5E86-BCB6-0DF3A1B48CF2}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{CF41BB82-4E3E-5E86-BCB6-0DF3A1B48CF2}.Release|Any CPU.Build.0 = Release|Any CPU
+		{80944644-54DC-2AFF-C60E-9885AD81E509}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{80944644-54DC-2AFF-C60E-9885AD81E509}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{80944644-54DC-2AFF-C60E-9885AD81E509}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{80944644-54DC-2AFF-C60E-9885AD81E509}.Release|Any CPU.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
@@ -128,6 +140,8 @@ Global
 		{17B8453F-AB72-99C5-E5EA-D0B065A6AE65} = {02EA681E-C7D8-13C7-8484-4AC65E1B71E8}
 		{37B6A5E0-9995-497D-8B43-3BC6870CC716} = {A2F1F52A-9107-4BF8-8C3F-2F6670E7D0AD}
 		{85557BA6-3D29-4C95-A646-2A972B1C2F25} = {2A77AF5C-138A-4EBB-9A13-9205DCD67928}
+		{CF41BB82-4E3E-5E86-BCB6-0DF3A1B48CF2} = {02EA681E-C7D8-13C7-8484-4AC65E1B71E8}
+		{80944644-54DC-2AFF-C60E-9885AD81E509} = {02EA681E-C7D8-13C7-8484-4AC65E1B71E8}
 	EndGlobalSection
 	GlobalSection(ExtensibilityGlobals) = postSolution
 		SolutionGuid = {384A3888-751F-4D75-9AE5-587330582D89}

samples/AspNetCoreSseServer/Program.cs

@@ -2,6 +2,7 @@
 using OpenTelemetry.Metrics;
 using OpenTelemetry.Trace;
 using OpenTelemetry;
+using ModelContextProtocol.AspNetCore;
 
 var builder = WebApplication.CreateBuilder(args);
 builder.Services.AddMcpServer()

samples/ProtectedMCPClient/Program.cs

@@ -0,0 +1,100 @@
+using System.Net.Http;
+using System.Threading.Tasks;
+using ModelContextProtocol.Auth;
+using ModelContextProtocol.Client;
+using ModelContextProtocol.Protocol.Transport;
+
+namespace ProtectedMCPClient;
+
+class Program
+{
+    static async Task Main(string[] args)
+    {
+        Console.WriteLine("MCP Secure Weather Client with OAuth Authentication");
+        Console.WriteLine("==================================================");
+        Console.WriteLine();
+
+        // Create the authorization config with HTTP listener
+        var authConfig = new AuthorizationConfig
+        {
+            ClientId = "04f79824-ab56-4511-a7cb-d7deaea92dc0",
+            Scopes = ["User.Read"]
+        }.UseHttpListener(hostname: "localhost", listenPort: 1170);
+
+        // Create an HTTP client with OAuth handling
+        var oauthHandler = new OAuthDelegatingHandler(
+            redirectUri: authConfig.RedirectUri,
+            clientId: authConfig.ClientId,
+            clientName: authConfig.ClientName,
+            scopes: authConfig.Scopes,
+            authorizationHandler: authConfig.AuthorizationHandler)
+        {
+            // The OAuth handler needs an inner handler
+            InnerHandler = new HttpClientHandler()
+        };
+
+        var httpClient = new HttpClient(oauthHandler);
+        var serverUrl = "http://localhost:7071/sse"; // Default server URL
+
+        // Allow the user to specify a different server URL
+        Console.WriteLine($"Server URL (press Enter for default: {serverUrl}):");
+        var userInput = Console.ReadLine();
+        if (!string.IsNullOrWhiteSpace(userInput))
+        {
+            serverUrl = userInput;
+        }
+
+        Console.WriteLine();
+        Console.WriteLine($"Connecting to weather server at {serverUrl}...");
+        Console.WriteLine("When prompted for authorization, a browser window will open automatically.");
+        Console.WriteLine("Complete the authentication in the browser, and this application will continue automatically.");
+        Console.WriteLine();
+
+        try
+        {
+            // Create SseClientTransportOptions with the server URL
+            var transportOptions = new SseClientTransportOptions
+            {
+                Endpoint = new Uri(serverUrl),
+                Name = "Secure Weather Client"
+            };
+
+            // Create SseClientTransport with our authenticated HTTP client
+            var transport = new SseClientTransport(transportOptions, httpClient);
+
+            // Create an MCP client using the factory method with our transport
+            var client = await McpClientFactory.CreateAsync(transport);
+
+            // Get the list of available tools
+            var tools = await client.ListToolsAsync();
+            if (tools.Count == 0)
+            {
+                Console.WriteLine("No tools available on the server.");
+                return;
+            }
+
+            Console.WriteLine($"Found {tools.Count} tools on the server.");
+            Console.WriteLine();
+
+            // Call the protected-data tool which requires authentication
+            if (tools.Any(t => t.Name == "protected-data"))
+            {
+                Console.WriteLine("Calling protected-data tool...");
+                var result = await client.CallToolAsync("protected-data");
+                Console.WriteLine("Result: " + result.Content[0].Text);
+                Console.WriteLine();
+            }
+        }
+        catch (Exception ex)
+        {
+            Console.WriteLine($"Error: {ex.Message}");
+            if (ex.InnerException != null)
+            {
+                Console.WriteLine($"Inner error: {ex.InnerException.Message}");
+            }
+        }
+
+        Console.WriteLine("Press any key to exit...");
+        Console.ReadKey();
+    }
+}

samples/ProtectedMCPClient/ProtectedMCPClient.csproj

@@ -0,0 +1,14 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <OutputType>Exe</OutputType>
+    <TargetFramework>net8.0</TargetFramework>
+    <Nullable>enable</Nullable>
+    <ImplicitUsings>enable</ImplicitUsings>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="..\..\src\ModelContextProtocol\ModelContextProtocol.csproj" />
+  </ItemGroup>
+
+</Project>

samples/ProtectedMCPServer/Program.cs

@@ -0,0 +1,180 @@
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.Extensions.Options;
+using ModelContextProtocol.AspNetCore.Auth;
+using ModelContextProtocol.Protocol.Types;
+using System.Security.Claims;
+using System.Text.Encodings.Web;
+
+var builder = WebApplication.CreateBuilder(args);
+
+// Configure MCP Server
+builder.Services.AddMcpServer(options =>
+{
+    options.ServerInstructions = "This is an MCP server with OAuth authorization enabled.";
+
+    // Configure regular server capabilities like tools, prompts, resources
+    options.Capabilities = new()
+    {
+        Tools = new()
+        {
+            // Simple Echo tool
+            CallToolHandler = (request, cancellationToken) =>
+            {
+                if (request.Params?.Name == "echo")
+                {
+                    if (request.Params.Arguments?.TryGetValue("message", out var message) is not true)
+                    {
+                        throw new Exception("It happens.");
+                    }
+
+                    return new ValueTask<CallToolResponse>(new CallToolResponse()
+                    {
+                        Content = [new Content() { Text = $"Echo: {message}", Type = "text" }]
+                    });
+                }
+
+                // Protected tool that requires authorization
+                if (request.Params?.Name == "protected-data")
+                {
+                    // This tool will only be accessible to authenticated clients
+                    return new ValueTask<CallToolResponse>(new CallToolResponse()
+                    {
+                        Content = [new Content() { Text = "This is protected data that only authorized clients can access" }]
+                    });
+                }
+
+                throw new Exception("It happens.");
+            },
+
+            ListToolsHandler = async (_, _) => new()
+            {
+                Tools =
+                [
+                    new()
+                    {
+                        Name = "echo",
+                        Description = "Echoes back the message you send"
+                    },
+                    new()
+                    {
+                        Name = "protected-data",
+                        Description = "Returns protected data that requires authorization"
+                    }
+                ]
+            }
+        }
+    };
+})
+.WithHttpTransport()
+.WithAuthorization(metadata => 
+{
+    metadata.AuthorizationServers.Add(new Uri("https://login.microsoftonline.com/a2213e1c-e51e-4304-9a0d-effe57f31655/v2.0"));
+    metadata.BearerMethodsSupported.Add("header");
+    metadata.ScopesSupported.AddRange(["weather.read", "weather.write"]);
+
+    // Add optional documentation
+    metadata.ResourceDocumentation = new Uri("https://docs.example.com/api/weather");
+});
+
+// Configure authentication using the built-in authentication system
+builder.Services.AddAuthentication(options => 
+{
+    options.DefaultScheme = "Bearer";
+    options.DefaultChallengeScheme = "Bearer"; // Ensure challenges use Bearer scheme
+})
+.AddScheme<AuthenticationSchemeOptions, SimpleAuthHandler>("Bearer", options => { });
+
+// Add authorization policy for MCP
+builder.Services.AddAuthorization(options =>
+{
+    options.AddPolicy("McpAuth", policy =>
+    {
+        policy.RequireAuthenticatedUser();
+        policy.RequireClaim("scope", "weather.read");
+    });
+});
+
+var app = builder.Build();
+
+app.UseAuthentication();
+app.UseMcpAuthenticationResponse();
+app.UseAuthorization();
+
+// Map MCP endpoints with authorization
+app.MapMcp();
+
+Console.WriteLine("Starting MCP server with authorization at http://localhost:7071");
+Console.WriteLine("PRM Document URL: http://localhost:7071/.well-known/oauth-protected-resource");
+
+Console.WriteLine();
+Console.WriteLine("Testing mode: Server will accept ANY non-empty token for authentication");
+Console.WriteLine();
+Console.WriteLine("To test the server:");
+Console.WriteLine("1. Use an MCP client that supports authorization");
+Console.WriteLine("2. The server will accept any non-empty token sent by the client");
+Console.WriteLine("3. Tokens will be logged to the console for debugging");
+Console.WriteLine();
+Console.WriteLine("Press Ctrl+C to stop the server");
+
+app.Run("http://localhost:7071/");
+
+// Simple auth handler that accepts any non-empty token for testing
+// In a real app, you'd use a JWT handler or other proper authentication
+class SimpleAuthHandler : AuthenticationHandler<AuthenticationSchemeOptions>
+{
+    public SimpleAuthHandler(
+        IOptionsMonitor<AuthenticationSchemeOptions> options,
+        ILoggerFactory logger,
+        UrlEncoder encoder) 
+        : base(options, logger, encoder)
+    {
+    }
+
+    protected override Task<AuthenticateResult> HandleAuthenticateAsync()
+    {
+        // Get the Authorization header
+        if (!Request.Headers.TryGetValue("Authorization", out var authHeader))
+        {
+            return Task.FromResult(AuthenticateResult.Fail("Authorization header missing"));
+        }
+
+        // Parse the token
+        var headerValue = authHeader.ToString();
+        if (!headerValue.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
+        {
+            return Task.FromResult(AuthenticateResult.Fail("Bearer token missing"));
+        }
+
+        var token = headerValue["Bearer ".Length..].Trim();
+
+        // Accept any non-empty token for testing purposes
+        if (string.IsNullOrEmpty(token))
+        {
+            return Task.FromResult(AuthenticateResult.Fail("Token cannot be empty"));
+        }
+
+        // Log the received token for debugging
+        Console.WriteLine($"Received and accepted token: {token}");
+
+        // Create a claims identity with required claims
+        var claims = new[]
+        {
+            new Claim(ClaimTypes.Name, "demo_user"),
+            new Claim(ClaimTypes.NameIdentifier, "user123"),
+            new Claim("scope", "weather.read")
+        };
+
+        var identity = new ClaimsIdentity(claims, "Bearer");
+        var principal = new ClaimsPrincipal(identity);
+        var ticket = new AuthenticationTicket(principal, "Bearer");
+
+        return Task.FromResult(AuthenticateResult.Success(ticket));
+    }
+
+    protected override Task HandleChallengeAsync(AuthenticationProperties properties)
+    {
+        // No need to manually set WWW-Authenticate header anymore - handled by middleware
+        Response.StatusCode = 401;
+        return Task.CompletedTask;
+    }
+}

samples/ProtectedMCPServer/Properties/launchSettings.json

@@ -0,0 +1,12 @@
+{
+  "profiles": {
+    "ProtectedMCPServer": {
+      "commandName": "Project",
+      "launchBrowser": true,
+      "environmentVariables": {
+        "ASPNETCORE_ENVIRONMENT": "Development"
+      },
+      "applicationUrl": "https://localhost:55598;http://localhost:55599"
+    }
+  }
+}

samples/ProtectedMCPServer/ProtectedMCPServer.csproj

@@ -0,0 +1,13 @@
+<Project Sdk="Microsoft.NET.Sdk.Web">
+
+  <PropertyGroup>
+    <TargetFramework>net9.0</TargetFramework>
+    <Nullable>enable</Nullable>
+    <ImplicitUsings>enable</ImplicitUsings>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="..\..\src\ModelContextProtocol.AspNetCore\ModelContextProtocol.AspNetCore.csproj" />
+  </ItemGroup>
+
+</Project>

samples/ProtectedMCPServer/Tools/HttpClientExt.cs

@@ -0,0 +1,13 @@
+using System.Text.Json;
+
+namespace ModelContextProtocol;
+
+internal static class HttpClientExt
+{
+    public static async Task<JsonDocument> ReadJsonDocumentAsync(this HttpClient client, string requestUri)
+    {
+        using var response = await client.GetAsync(requestUri);
+        response.EnsureSuccessStatusCode();
+        return await JsonDocument.ParseAsync(await response.Content.ReadAsStreamAsync());
+    }
+}