Change Clone to take string and make ValidResources non-static

Copilot · halter73 · Copilot · commit 040a1d2ad4df · 2026-02-13T01:38:47.000Z
Per feedback:
- Changed ProtectedResourceMetadata.Clone() to take string? instead of Uri? parameter
- Changed ValidResources from static to instance property (no need for try/finally)
- Updated HandleDefaultResourceMetadataRequestAsync to build resource string directly without intermediate Uri
- Trim trailing slashes from path when building derived resource string
- Added manual HTTP metadata checks to both tests to verify PRM document contents
- Removed try/finally from ResourceMetadata_PreservesExplicitTrailingSlash (not needed with instance property)

Co-authored-by: halter73 &lt;54385+halter73@users.noreply.github.com&gt;
diff --git a/src/ModelContextProtocol.AspNetCore/Authentication/McpAuthenticationHandler.cs b/src/ModelContextProtocol.AspNetCore/Authentication/McpAuthenticationHandler.cs
@@ -56,17 +56,28 @@ private async Task<bool> HandleDefaultResourceMetadataRequestAsync()
             return false;
         }
 
-        var deriveResourceUriBuilder = new UriBuilder(Request.Scheme, Request.Host.Host)
+        // Build the derived resource string directly without trailing slash
+        var scheme = Request.Scheme;
+        var host = Request.Host.Host;
+        var port = Request.Host.Port;
+        var path = $"{Request.PathBase}{resourceSuffix}".TrimEnd('/');
+        
+        string derivedResource;
+        if (port.HasValue && !IsDefaultPort(scheme, port.Value))
         {
-            Path = $"{Request.PathBase}{resourceSuffix}",
-        };
-
-        if (Request.Host.Port is not null)
+            derivedResource = $"{scheme}://{host}:{port.Value}{path}";
+        }
+        else
         {
-            deriveResourceUriBuilder.Port = Request.Host.Port.Value;
+            derivedResource = $"{scheme}://{host}{path}";
         }
 
-        return await HandleResourceMetadataRequestAsync(deriveResourceUriBuilder.Uri);
+        return await HandleResourceMetadataRequestAsync(derivedResource);
+    }
+
+    private static bool IsDefaultPort(string scheme, int port)
+    {
+        return (scheme == "http" && port == 80) || (scheme == "https" && port == 443);
     }
 
     /// <summary>
@@ -128,9 +139,9 @@ private static string GetConfiguredResourceMetadataPath(Uri resourceMetadataUri)
         return path.StartsWith('/') ? path : $"/{path}";
     }
 
-    private async Task<bool> HandleResourceMetadataRequestAsync(Uri? derivedResourceUri = null)
+    private async Task<bool> HandleResourceMetadataRequestAsync(string? derivedResource = null)
     {
-        var resourceMetadata = Options.ResourceMetadata?.Clone(derivedResourceUri);
+        var resourceMetadata = Options.ResourceMetadata?.Clone(derivedResource);
 
         if (Options.Events.OnResourceMetadataRequest is not null)
         {
@@ -165,7 +176,7 @@ private async Task<bool> HandleResourceMetadataRequestAsync(Uri? derivedResource
             throw new InvalidOperationException("ResourceMetadata has not been configured. Please set McpAuthenticationOptions.ResourceMetadata or ensure context.ResourceMetadata is set inside McpAuthenticationOptions.Events.OnResourceMetadataRequest.");
         }
 
-        resourceMetadata.Resource ??= derivedResourceUri?.ToString().TrimEnd('/');
+        resourceMetadata.Resource ??= derivedResource;
 
         if (resourceMetadata.Resource is null)
         {
diff --git a/src/ModelContextProtocol.Core/Authentication/ProtectedResourceMetadata.cs b/src/ModelContextProtocol.Core/Authentication/ProtectedResourceMetadata.cs
@@ -201,13 +201,13 @@ public sealed class ProtectedResourceMetadata
     /// <summary>
     /// Creates a deep copy of this <see cref="ProtectedResourceMetadata"/> instance, optionally overriding the Resource property.
     /// </summary>
-    /// <param name="derivedResourceUri">Optional URI to use for the Resource property if the original Resource is null.</param>
+    /// <param name="derivedResource">Optional resource URI string to use for the Resource property if the original Resource is null.</param>
     /// <returns>A new instance of <see cref="ProtectedResourceMetadata"/> with cloned values.</returns>
-    public ProtectedResourceMetadata Clone(Uri? derivedResourceUri = null)
+    public ProtectedResourceMetadata Clone(string? derivedResource = null)
     {
         return new ProtectedResourceMetadata
         {
-            Resource = Resource ?? derivedResourceUri?.ToString().TrimEnd('/'),
+            Resource = Resource ?? derivedResource,
             AuthorizationServers = [.. AuthorizationServers],
             BearerMethodsSupported = [.. BearerMethodsSupported],
             ScopesSupported = [.. ScopesSupported],
diff --git a/tests/ModelContextProtocol.AspNetCore.Tests/OAuth/AuthTests.cs b/tests/ModelContextProtocol.AspNetCore.Tests/OAuth/AuthTests.cs
@@ -761,7 +761,24 @@ public async Task ResourceMetadata_DoesNotAddTrailingSlash()
         // Don't explicitly set Resource - let it be derived from the request
         await using var app = await StartMcpServerAsync();
 
-        // Authenticate with the client - this will derive the resource URI from the server URL
+        // First, manually check the PRM document doesn't contain a trailing slash
+        using var metadataResponse = await HttpClient.GetAsync(
+            "/.well-known/oauth-protected-resource",
+            TestContext.Current.CancellationToken
+        );
+
+        Assert.Equal(HttpStatusCode.OK, metadataResponse.StatusCode);
+
+        var metadata = await metadataResponse.Content.ReadFromJsonAsync<ProtectedResourceMetadata>(
+            McpJsonUtilities.DefaultOptions,
+            TestContext.Current.CancellationToken
+        );
+
+        Assert.NotNull(metadata);
+        Assert.Equal("http://localhost:5000", metadata.Resource);
+        Assert.DoesNotMatch(@"/$", metadata.Resource); // No trailing slash
+
+        // Then authenticate with the client - this will use the derived resource URI
         await using var transport = new HttpClientTransport(new()
         {
             Endpoint = new(McpServerUrl),
@@ -786,46 +803,54 @@ public async Task ResourceMetadata_PreservesExplicitTrailingSlash()
         // This test verifies that explicitly configured trailing slashes are preserved
         const string resourceWithTrailingSlash = "http://localhost:5000/";
         
-        // Explicitly configure ValidResources to accept the trailing slash version
-        var originalValidResources = ModelContextProtocol.TestOAuthServer.Program.ValidResources;
-        try
+        // Configure ValidResources to accept the trailing slash version for this test
+        TestOAuthServer.ValidResources = [resourceWithTrailingSlash, "http://localhost:5000/mcp"];
+        
+        Builder.Services.Configure<McpAuthenticationOptions>(McpAuthenticationDefaults.AuthenticationScheme, options =>
         {
-            ModelContextProtocol.TestOAuthServer.Program.ValidResources = [resourceWithTrailingSlash, "http://localhost:5000/mcp"];
-            
-            Builder.Services.Configure<McpAuthenticationOptions>(McpAuthenticationDefaults.AuthenticationScheme, options =>
+            options.ResourceMetadata = new ProtectedResourceMetadata
             {
-                options.ResourceMetadata = new ProtectedResourceMetadata
-                {
-                    Resource = resourceWithTrailingSlash,
-                    AuthorizationServers = { OAuthServerUrl },
-                    ScopesSupported = ["mcp:tools"],
-                };
-            });
+                Resource = resourceWithTrailingSlash,
+                AuthorizationServers = { OAuthServerUrl },
+                ScopesSupported = ["mcp:tools"],
+            };
+        });
 
-            await using var app = await StartMcpServerAsync();
+        await using var app = await StartMcpServerAsync();
 
-            // Authenticate with the client
-            await using var transport = new HttpClientTransport(new()
-            {
-                Endpoint = new(McpServerUrl),
-                OAuth = new()
-                {
-                    ClientId = "demo-client",
-                    ClientSecret = "demo-secret",
-                    RedirectUri = new Uri("http://localhost:1179/callback"),
-                    AuthorizationRedirectDelegate = HandleAuthorizationUrlAsync,
-                },
-            }, HttpClient, LoggerFactory);
+        // First, manually check the PRM document contains the trailing slash
+        using var metadataResponse = await HttpClient.GetAsync(
+            "/.well-known/oauth-protected-resource",
+            TestContext.Current.CancellationToken
+        );
 
-            // This should succeed with the explicitly configured trailing slash
-            // If the client incorrectly trimmed the slash, ValidResources would reject it
-            await using var client = await McpClient.CreateAsync(
-                transport, loggerFactory: LoggerFactory, cancellationToken: TestContext.Current.CancellationToken);
-        }
-        finally
+        Assert.Equal(HttpStatusCode.OK, metadataResponse.StatusCode);
+
+        var metadata = await metadataResponse.Content.ReadFromJsonAsync<ProtectedResourceMetadata>(
+            McpJsonUtilities.DefaultOptions,
+            TestContext.Current.CancellationToken
+        );
+
+        Assert.NotNull(metadata);
+        Assert.Equal(resourceWithTrailingSlash, metadata.Resource);
+        Assert.Matches(@"/$", metadata.Resource); // Has trailing slash
+
+        // Then authenticate with the client
+        await using var transport = new HttpClientTransport(new()
         {
-            // Restore original ValidResources
-            ModelContextProtocol.TestOAuthServer.Program.ValidResources = originalValidResources;
-        }
+            Endpoint = new(McpServerUrl),
+            OAuth = new()
+            {
+                ClientId = "demo-client",
+                ClientSecret = "demo-secret",
+                RedirectUri = new Uri("http://localhost:1179/callback"),
+                AuthorizationRedirectDelegate = HandleAuthorizationUrlAsync,
+            },
+        }, HttpClient, LoggerFactory);
+
+        // This should succeed with the explicitly configured trailing slash
+        // If the client incorrectly trimmed the slash, ValidResources would reject it
+        await using var client = await McpClient.CreateAsync(
+            transport, loggerFactory: LoggerFactory, cancellationToken: TestContext.Current.CancellationToken);
     }
 }
diff --git a/tests/ModelContextProtocol.TestOAuthServer/Program.cs b/tests/ModelContextProtocol.TestOAuthServer/Program.cs
@@ -17,7 +17,7 @@ public sealed class Program
 
     // Port 5000 is used by tests and port 7071 is used by the ProtectedMcpServer sample
     // Per MCP spec, URIs should not have trailing slashes unless semantically significant
-    public static string[] ValidResources { get; set; } = [
+    public string[] ValidResources { get; set; } = [
         "http://localhost:5000",
         "http://localhost:5000/mcp",
         "http://localhost:7071"

Original file line number	Diff line number	Diff line change
`@@ -56,17 +56,28 @@ private async Task<bool> HandleDefaultResourceMetadataRequestAsync()`
`56`	`56`	`return false;`
`57`	`57`	`}`
`58`	`58`
`59`		`- var deriveResourceUriBuilder = new UriBuilder(Request.Scheme, Request.Host.Host)`
	`59`	`+ // Build the derived resource string directly without trailing slash`
	`60`	`+ var scheme = Request.Scheme;`
	`61`	`+ var host = Request.Host.Host;`
	`62`	`+ var port = Request.Host.Port;`
	`63`	`+ var path = $"{Request.PathBase}{resourceSuffix}".TrimEnd('/');`
	`64`	`+`
	`65`	`+ string derivedResource;`
	`66`	`+ if (port.HasValue && !IsDefaultPort(scheme, port.Value))`
`60`	`67`	`{`
`61`		`- Path = $"{Request.PathBase}{resourceSuffix}",`
`62`		`- };`
`63`		`-`
`64`		`- if (Request.Host.Port is not null)`
	`68`	`+ derivedResource = $"{scheme}://{host}:{port.Value}{path}";`
	`69`	`+ }`
	`70`	`+ else`
`65`	`71`	`{`
`66`		`- deriveResourceUriBuilder.Port = Request.Host.Port.Value;`
	`72`	`+ derivedResource = $"{scheme}://{host}{path}";`
`67`	`73`	`}`
`68`	`74`
`69`		`- return await HandleResourceMetadataRequestAsync(deriveResourceUriBuilder.Uri);`
	`75`	`+ return await HandleResourceMetadataRequestAsync(derivedResource);`
	`76`	`+ }`
	`77`	`+`
	`78`	`+ private static bool IsDefaultPort(string scheme, int port)`
	`79`	`+ {`
	`80`	`+ return (scheme == "http" && port == 80) \|\| (scheme == "https" && port == 443);`
`70`	`81`	`}`
`71`	`82`
`72`	`83`	`/// <summary>`
`@@ -128,9 +139,9 @@ private static string GetConfiguredResourceMetadataPath(Uri resourceMetadataUri)`
`128`	`139`	`return path.StartsWith('/') ? path : $"/{path}";`
`129`	`140`	`}`
`130`	`141`
`131`		`- private async Task<bool> HandleResourceMetadataRequestAsync(Uri? derivedResourceUri = null)`
	`142`	`+ private async Task<bool> HandleResourceMetadataRequestAsync(string? derivedResource = null)`
`132`	`143`	`{`
`133`		`- var resourceMetadata = Options.ResourceMetadata?.Clone(derivedResourceUri);`
	`144`	`+ var resourceMetadata = Options.ResourceMetadata?.Clone(derivedResource);`
`134`	`145`
`135`	`146`	`if (Options.Events.OnResourceMetadataRequest is not null)`
`136`	`147`	`{`
`@@ -165,7 +176,7 @@ private async Task<bool> HandleResourceMetadataRequestAsync(Uri? derivedResource`
`165`	`176`	`throw new InvalidOperationException("ResourceMetadata has not been configured. Please set McpAuthenticationOptions.ResourceMetadata or ensure context.ResourceMetadata is set inside McpAuthenticationOptions.Events.OnResourceMetadataRequest.");`
`166`	`177`	`}`
`167`	`178`
`168`		`- resourceMetadata.Resource ??= derivedResourceUri?.ToString().TrimEnd('/');`
	`179`	`+ resourceMetadata.Resource ??= derivedResource;`
`169`	`180`
`170`	`181`	`if (resourceMetadata.Resource is null)`
`171`	`182`	`{`