Add resource parameter to /token and /refresh requests

Author: halter73

src/ModelContextProtocol.AspNetCore/Authentication/McpAuthenticationExtensions.cs

@@ -42,6 +42,6 @@ public static AuthenticationBuilder AddMcp(
         return builder.AddScheme<McpAuthenticationOptions, McpAuthenticationHandler>(
             authenticationScheme,
             displayName,
-            configureOptions); // No-op to avoid overriding
+            configureOptions);
     }
 }

src/ModelContextProtocol.Core/Authentication/ClientOAuthProvider.cs

@@ -1,5 +1,6 @@
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Logging.Abstractions;
+using System.Collections.Specialized;
 using System.Diagnostics.CodeAnalysis;
 using System.Security.Cryptography;
 using System.Text;
@@ -127,8 +128,6 @@ public ClientOAuthProvider(
     {
         ThrowIfNotBearerScheme(scheme);
 
-        // REVIEW: Should we be doing anything with the resourceUri? If not, why is it part of the IMcpCredentialProvider interface?
-
         // Return the token if it's valid
         if (_token != null && _token.ExpiresAt > DateTimeOffset.UtcNow.AddMinutes(5))
         {
@@ -138,7 +137,7 @@ public ClientOAuthProvider(
         // Try to refresh the token if we have a refresh token
         if (_token?.RefreshToken != null && _authServerMetadata != null)
         {
-            var newToken = await RefreshTokenAsync(_token.RefreshToken, _authServerMetadata, cancellationToken).ConfigureAwait(false);
+            var newToken = await RefreshTokenAsync(_token.RefreshToken, resourceUri, _authServerMetadata, cancellationToken).ConfigureAwait(false);
             if (newToken != null)
             {
                 _token = newToken;
@@ -276,15 +275,15 @@ private async Task PerformOAuthAuthorizationAsync(
         return null;
     }
 
-    private async Task<TokenContainer> RefreshTokenAsync(string refreshToken, AuthorizationServerMetadata authServerMetadata, CancellationToken cancellationToken)
+    private async Task<TokenContainer> RefreshTokenAsync(string refreshToken, Uri resourceUri, AuthorizationServerMetadata authServerMetadata, CancellationToken cancellationToken)
     {
         var requestContent = new FormUrlEncodedContent(new Dictionary<string, string>
         {
             ["grant_type"] = "refresh_token",
             ["refresh_token"] = refreshToken,
             ["client_id"] = GetClientIdOrThrow(),
             ["client_secret"] = _clientSecret ?? string.Empty,
-            // Add resource
+            ["resource"] = resourceUri.ToString(),
         });
 
         using var request = new HttpRequestMessage(HttpMethod.Post, authServerMetadata.TokenEndpoint)
@@ -311,7 +310,7 @@ private async Task<TokenContainer> RefreshTokenAsync(string refreshToken, Author
             return null;
         }
 
-        return await ExchangeCodeForTokenAsync(authServerMetadata, authCode!, codeVerifier, cancellationToken).ConfigureAwait(false);
+        return await ExchangeCodeForTokenAsync(protectedResourceMetadata, authServerMetadata, authCode!, codeVerifier, cancellationToken).ConfigureAwait(false);
     }
 
     private Uri BuildAuthorizationUrl(
@@ -326,7 +325,7 @@ private Uri BuildAuthorizationUrl(
         }
 
         var queryParams = HttpUtility.ParseQueryString(string.Empty);
-        queryParams["client_id"] = _clientId;
+        queryParams["client_id"] = GetClientIdOrThrow();
         queryParams["redirect_uri"] = _redirectUri.ToString();
         queryParams["response_type"] = "code";
         queryParams["code_challenge"] = codeChallenge;
@@ -348,6 +347,7 @@ private Uri BuildAuthorizationUrl(
     }
 
     private async Task<TokenContainer> ExchangeCodeForTokenAsync(
+        ProtectedResourceMetadata protectedResourceMetadata,
         AuthorizationServerMetadata authServerMetadata,
         string authorizationCode,
         string codeVerifier,
@@ -361,7 +361,7 @@ private async Task<TokenContainer> ExchangeCodeForTokenAsync(
             ["client_id"] = GetClientIdOrThrow(),
             ["code_verifier"] = codeVerifier,
             ["client_secret"] = _clientSecret ?? string.Empty,
-            // TODO: Add resource
+            ["resource"] = protectedResourceMetadata.Resource.ToString(),
         });
 
         using var request = new HttpRequestMessage(HttpMethod.Post, authServerMetadata.TokenEndpoint)

tests/ModelContextProtocol.TestOAuthServer/Program.cs

@@ -221,7 +221,7 @@ public async Task RunServerAsync(string[]? args = null, CancellationToken cancel
 
             // Generate a new authorization code
             var code = OAuthUtils.GenerateRandomToken();
-            var requestedScopes = scope?.Split(' ').ToList() ?? new List<string>();
+            var requestedScopes = scope?.Split(' ').ToList() ?? [];
 
             // Store code information for later verification
             _authCodes[code] = new AuthorizationCodeInfo
@@ -247,7 +247,6 @@ public async Task RunServerAsync(string[]? args = null, CancellationToken cancel
         app.MapPost("/token", async (HttpContext context) =>
         {
             var form = await context.Request.ReadFormAsync();
-            var grant_type = form["grant_type"].ToString();
 
             // Authenticate client
             var client = AuthenticateClient(context, form);
@@ -261,6 +260,18 @@ public async Task RunServerAsync(string[]? args = null, CancellationToken cancel
                     type: "https://tools.ietf.org/html/rfc6749#section-5.2");
             }
 
+            // Validate resource in accordance with RFC 8707
+            var resource = form["resource"].ToString();
+            if (string.IsNullOrEmpty(resource) || !ValidResources.Contains(resource))
+            {
+                return Results.BadRequest(new OAuthErrorResponse
+                {
+                    Error = "invalid_target",
+                    ErrorDescription = "The specified resource is not valid."
+                });
+            }
+
+            var grant_type = form["grant_type"].ToString();
             if (grant_type == "authorization_code")
             {
                 var code = form["code"].ToString();