WIP: Authorization support

.gitignore

@@ -80,4 +80,7 @@ docs/api
 
 # Rider
 .idea/
-.idea_modules/
+.idea_modules/
+
+# Specs
+.specs/

ModelContextProtocol.sln

@@ -56,6 +56,10 @@ Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "ModelContextProtocol.AspNet
 EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "ModelContextProtocol.AspNetCore.Tests", "tests\ModelContextProtocol.AspNetCore.Tests\ModelContextProtocol.AspNetCore.Tests.csproj", "{85557BA6-3D29-4C95-A646-2A972B1C2F25}"
 EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "AuthorizationExample", "samples\AuthorizationExample\AuthorizationExample.csproj", "{C2E8E0D9-5F7B-38D8-3D5D-041471BD350C}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "AuthorizationServerExample", "samples\AuthorizationServerExample\AuthorizationServerExample.csproj", "{05C500AF-9CF6-C2E7-2782-95271975A5DE}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -110,6 +114,14 @@ Global
 		{85557BA6-3D29-4C95-A646-2A972B1C2F25}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{85557BA6-3D29-4C95-A646-2A972B1C2F25}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{85557BA6-3D29-4C95-A646-2A972B1C2F25}.Release|Any CPU.Build.0 = Release|Any CPU
+		{C2E8E0D9-5F7B-38D8-3D5D-041471BD350C}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{C2E8E0D9-5F7B-38D8-3D5D-041471BD350C}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{C2E8E0D9-5F7B-38D8-3D5D-041471BD350C}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{C2E8E0D9-5F7B-38D8-3D5D-041471BD350C}.Release|Any CPU.Build.0 = Release|Any CPU
+		{05C500AF-9CF6-C2E7-2782-95271975A5DE}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{05C500AF-9CF6-C2E7-2782-95271975A5DE}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{05C500AF-9CF6-C2E7-2782-95271975A5DE}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{05C500AF-9CF6-C2E7-2782-95271975A5DE}.Release|Any CPU.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
@@ -128,6 +140,8 @@ Global
 		{17B8453F-AB72-99C5-E5EA-D0B065A6AE65} = {02EA681E-C7D8-13C7-8484-4AC65E1B71E8}
 		{37B6A5E0-9995-497D-8B43-3BC6870CC716} = {A2F1F52A-9107-4BF8-8C3F-2F6670E7D0AD}
 		{85557BA6-3D29-4C95-A646-2A972B1C2F25} = {2A77AF5C-138A-4EBB-9A13-9205DCD67928}
+		{C2E8E0D9-5F7B-38D8-3D5D-041471BD350C} = {02EA681E-C7D8-13C7-8484-4AC65E1B71E8}
+		{05C500AF-9CF6-C2E7-2782-95271975A5DE} = {02EA681E-C7D8-13C7-8484-4AC65E1B71E8}
 	EndGlobalSection
 	GlobalSection(ExtensibilityGlobals) = postSolution
 		SolutionGuid = {384A3888-751F-4D75-9AE5-587330582D89}

samples/AuthorizationExample/AuthorizationExample.csproj

@@ -0,0 +1,14 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <OutputType>Exe</OutputType>
+    <TargetFramework>net8.0</TargetFramework>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <Nullable>enable</Nullable>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="..\..\src\ModelContextProtocol\ModelContextProtocol.csproj" />
+  </ItemGroup>
+
+</Project>

samples/AuthorizationExample/Program.cs

@@ -0,0 +1,92 @@
+using System.Diagnostics;
+using ModelContextProtocol.Client;
+using ModelContextProtocol.Protocol.Auth;
+using ModelContextProtocol.Protocol.Transport;
+
+namespace AuthorizationExample;
+
+/// <summary>
+/// Example demonstrating how to use the MCP C# SDK with OAuth authorization.
+/// </summary>
+public class Program
+{
+    public static async Task Main(string[] args)
+    {
+        // Define the MCP server endpoint that requires OAuth authentication
+        var serverEndpoint = new Uri("http://localhost:7071/sse");
+
+        // Configuration values for OAuth redirect
+        string hostname = "localhost";
+        int port = 13261;
+        string callbackPath = "/oauth/callback/";
+
+        // Set up the SSE transport with authorization support
+        var transportOptions = new SseClientTransportOptions
+        {
+            Endpoint = serverEndpoint,
+            AuthorizationOptions = new AuthorizationOptions
+            {
+                // Pre-registered client credentials (if applicable)
+                ClientId = "04f79824-ab56-4511-a7cb-d7deaea92dc0",
+
+                // Setting some pre-defined scopes the client requests.
+                Scopes = ["User.Read"],
+
+                // Specify the exact same redirect URIs that are registered with the OAuth server
+                RedirectUris = new[] 
+                { 
+                    $"http://{hostname}:{port}{callbackPath}" 
+                },                
+                // Configure the authorize callback with the same hostname, port, and path
+                AuthorizeCallback = AuthorizationService.CreateHttpListenerAuthorizeCallback(
+                    openBrowser: async (url) =>
+                    {
+                        Console.WriteLine($"Opening browser to authorize at: {url}");
+                        Process.Start(new ProcessStartInfo(url) { UseShellExecute = true });
+                    },
+                    hostname: hostname,
+                    listenPort: port,
+                    redirectPath: callbackPath
+                )
+            }
+        };
+
+        Console.WriteLine("Connecting to MCP server...");
+
+        try
+        {
+            // Create the client with authorization-enabled transport
+            var transport = new SseClientTransport(transportOptions);
+            var client = await McpClientFactory.CreateAsync(transport);
+
+            Console.WriteLine("Successfully connected and authorized!");
+
+            // Print the list of tools available from the server.
+            Console.WriteLine("\nAvailable tools:");
+            foreach (var tool in await client.ListToolsAsync())
+            {
+                Console.WriteLine($"  - {tool.Name}: {tool.Description}");
+            }
+
+            // Execute a tool (this would normally be driven by LLM tool invocations).
+            Console.WriteLine("\nCalling 'echo' tool...");
+            var result = await client.CallToolAsync(
+                "echo",
+                new Dictionary<string, object?>() { ["message"] = "Hello MCP!" },
+                cancellationToken: CancellationToken.None);
+
+            // echo always returns one and only one text content object
+            Console.WriteLine($"Tool response: {result.Content.First(c => c.Type == "text").Text}");
+        }
+        catch (Exception ex)
+        {
+            Console.WriteLine($"Error: {ex.Message}");
+            if (ex.InnerException != null)
+            {
+                Console.WriteLine($"Inner Error: {ex.InnerException.Message}");
+            }
+            // Print the stack trace for debugging
+            Console.WriteLine($"Stack Trace:\n{ex.StackTrace}");
+        }
+    }
+}

samples/AuthorizationServerExample/AuthorizationServerExample.csproj

@@ -0,0 +1,15 @@
+<Project Sdk="Microsoft.NET.Sdk.Web">
+
+  <PropertyGroup>
+    <OutputType>Exe</OutputType>
+    <TargetFramework>net8.0</TargetFramework>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <Nullable>enable</Nullable>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="..\..\src\ModelContextProtocol\ModelContextProtocol.csproj" />
+    <ProjectReference Include="..\..\src\ModelContextProtocol.AspNetCore\ModelContextProtocol.AspNetCore.csproj" />
+  </ItemGroup>
+
+</Project>

samples/AuthorizationServerExample/Program.cs

@@ -0,0 +1,132 @@
+using ModelContextProtocol;
+using ModelContextProtocol.Configuration;
+using ModelContextProtocol.Protocol.Auth;
+using ModelContextProtocol.Protocol.Types;
+using ModelContextProtocol.Server.Auth;
+
+namespace AuthorizationServerExample;
+
+/// <summary>
+/// Example demonstrating how to implement authorization in an MCP server.
+/// </summary>
+public class Program
+{
+    public static async Task Main(string[] args)
+    {
+        Console.WriteLine("=== MCP Server with Authorization Support ===");
+        Console.WriteLine("This example demonstrates how to implement OAuth authorization in an MCP server.");
+        Console.WriteLine();
+
+        var builder = WebApplication.CreateBuilder(args);
+
+        // 1. Define the Protected Resource Metadata for the server
+        // This is the information that will be provided to clients when they need to authenticate
+        var prm = new ProtectedResourceMetadata
+        {
+            Resource = new Uri("http://localhost:7071"), // Changed from HTTPS to HTTP for local development
+            AuthorizationServers = [ new Uri("https://login.microsoftonline.com/a2213e1c-e51e-4304-9a0d-effe57f31655/v2.0")], // Let's use a dummy Entra ID tenant here
+            BearerMethodsSupported = ["header"], // We support the Authorization header
+            ScopesSupported = ["mcp.tools", "mcp.prompts", "mcp.resources"], // Scopes supported by this resource
+            ResourceDocumentation = new Uri("https://example.com/docs/mcp-server-auth") // Optional documentation URL
+        };
+
+        // 2. Define a token validator function
+        // This function receives the token from the Authorization header and should validate it
+        // In a real application, this would verify the token with your identity provider
+        async Task<bool> ValidateToken(string token)
+        {
+            // For demo purposes, we'll accept any token.
+            return true;
+        }
+
+        // 3. Create an authorization provider with the PRM and token validator
+        var authProvider = new BasicServerAuthorizationProvider(prm, ValidateToken);        // 4. Configure the MCP server with authorization
+        // WithAuthorization will automatically configure:
+        // - Authorization provider registration
+        // - Protected resource metadata endpoint (/.well-known/oauth-protected-resource)
+        // - Token validation middleware
+        // - Authorization for all MCP endpoints
+        builder.Services.AddMcpServer(options =>
+            {
+                options.ServerInstructions = "This is an MCP server with OAuth authorization enabled.";
+
+                // Configure regular server capabilities like tools, prompts, resources
+                options.Capabilities = new()
+                {
+                    Tools = new()
+                    {
+                        // Simple Echo tool
+
+                        CallToolHandler = (request, cancellationToken) =>
+                        {
+                            if (request.Params?.Name == "echo")
+                            {
+                                if (request.Params.Arguments?.TryGetValue("message", out var message) is not true)
+                                {
+                                    throw new McpException("Missing required argument 'message'");
+                                }
+
+                                return new ValueTask<CallToolResponse>(new CallToolResponse()
+                                {
+                                    Content = [new Content() { Text = $"Echo: {message}", Type = "text" }]
+                                });
+                            }
+
+                            // Protected tool that requires authorization
+                            if (request.Params?.Name == "protected-data")
+                            {
+                                // This tool will only be accessible to authenticated clients
+                                return new ValueTask<CallToolResponse>(new CallToolResponse()
+                                {
+                                    Content = [new Content() { Text = "This is protected data that only authorized clients can access" }]
+                                });
+                            }
+
+                            throw new McpException($"Unknown tool: '{request.Params?.Name}'");
+                        },
+
+                        ListToolsHandler = async (_, _) => new()
+                        {
+                            Tools = 
+                            [
+                                new() 
+                                { 
+                                    Name = "echo", 
+                                    Description = "Echoes back the message you send" 
+                                },
+                                new()
+                                {
+                                    Name = "protected-data",
+                                    Description = "Returns protected data that requires authorization"
+                                }
+                            ]
+                        }
+                    }
+                };
+            })
+            .WithAuthorization(authProvider)  // Enable authorization with our provider
+            .WithHttpTransport();             // Configure HTTP transport
+
+        var app = builder.Build();
+
+        // 5. Map MCP endpoints
+        // Note: Authorization is now handled automatically by WithAuthorization()
+        app.MapMcp();
+
+        // Configure the server URL
+        app.Urls.Add("http://localhost:7071");
+
+        Console.WriteLine("Starting MCP server with authorization at http://localhost:7071");
+        Console.WriteLine("PRM Document URL: http://localhost:7071/.well-known/oauth-protected-resource");
+
+        Console.WriteLine();
+        Console.WriteLine("To test the server:");
+        Console.WriteLine("1. Use an MCP client that supports authorization");
+        Console.WriteLine("2. When prompted for authorization, enter 'valid_token' to gain access");
+        Console.WriteLine("3. Any other token value will be rejected with a 401 Unauthorized");
+        Console.WriteLine();
+        Console.WriteLine("Press Ctrl+C to stop the server");
+
+        await app.RunAsync();
+    }
+}

samples/AuthorizationServerExample/Properties/launchSettings.json

@@ -0,0 +1,12 @@
+{
+  "profiles": {
+    "AuthorizationServerExample": {
+      "commandName": "Project",
+      "launchBrowser": true,
+      "environmentVariables": {
+        "ASPNETCORE_ENVIRONMENT": "Development"
+      },
+      "applicationUrl": "https://localhost:50481;http://localhost:50482"
+    }
+  }
+}

src/ModelContextProtocol.AspNetCore/AuthorizationExtensions.cs

@@ -0,0 +1,23 @@
+using Microsoft.AspNetCore.Builder;
+
+namespace ModelContextProtocol.AspNetCore;
+
+/// <summary>
+/// Extension methods for using MCP authorization in ASP.NET Core applications.
+/// </summary>
+public static class AuthorizationExtensions
+{
+    /// <summary>
+    /// Adds MCP authorization middleware to the specified <see cref="IApplicationBuilder"/>, which enables
+    /// OAuth 2.0 authorization for MCP servers.
+    /// 
+    /// Note: This method is called automatically when using <c>WithAuthorization()</c>, so you typically
+    /// don't need to call it directly. It's available for advanced scenarios where more control is needed.
+    /// </summary>
+    /// <param name="builder">The <see cref="IApplicationBuilder"/> to add the middleware to.</param>
+    /// <returns>A reference to this instance after the operation has completed.</returns>
+    public static IApplicationBuilder UseMcpAuthorization(this IApplicationBuilder builder)
+    {
+        return builder.UseMiddleware<AuthorizationMiddleware>();
+    }
+}