Multi-scheme support

localden · localden · commit 31f611ac3dfe · 2025-05-04T18:55:45.000-07:00
diff --git a/samples/ProtectedMCPClient/BasicOAuthAuthorizationProvider.cs b/samples/ProtectedMCPClient/BasicOAuthAuthorizationProvider.cs
@@ -33,7 +33,7 @@ public class BasicOAuthAuthorizationProvider(
     private AuthorizationServerMetadata? _authServerMetadata;
 
     /// <inheritdoc />
-    public IEnumerable<string> SupportedSchemes => new[] { "DPoP" };
+    public IEnumerable<string> SupportedSchemes => new[] { "Bearer" };
 
     /// <inheritdoc />
     public Task<string?> GetCredentialAsync(string scheme, Uri resourceUri, CancellationToken cancellationToken = default)
diff --git a/samples/ProtectedMCPServer/Program.cs b/samples/ProtectedMCPServer/Program.cs
@@ -51,6 +51,10 @@
         OnChallenge = context =>
         {
             Console.WriteLine($"Challenging client to authenticate with Entra ID");
+            
+            // Skip the default Bearer header - MCP handler will provide the complete one
+            context.HandleResponse();
+            
             return Task.CompletedTask;
         }
     };
@@ -72,6 +76,34 @@
         
         return metadata;
     };
+    
+    // Specify authentication schemes that this server supports
+    options.SupportedAuthenticationSchemes.Add("Bearer");
+    options.SupportedAuthenticationSchemes.Add("Basic");
+    
+    // For a server that doesn't want to support Bearer, you would simply not add it:
+    // options.SupportedAuthenticationSchemes.Add("Basic");
+    // options.SupportedAuthenticationSchemes.Add("Digest");
+    
+    // You can also use the dynamic provider for more flexible scheme selection:
+    /*
+    options.SupportedAuthenticationSchemesProvider = context =>
+    {
+        // You can use context information to determine which schemes to offer
+        var schemes = new List<string>();
+        
+        // Add Bearer for most clients
+        schemes.Add("Bearer");
+        
+        // Example of conditional scheme based on client type or other factors
+        if (context.Request.Headers.UserAgent.ToString().Contains("SpecialClient"))
+        {
+            schemes.Add("Basic");
+        }
+        
+        return schemes;
+    };
+    */
 });
 
 builder.Services.AddAuthorization(options =>
diff --git a/src/ModelContextProtocol.AspNetCore/Authentication/McpAuthenticationHandler.cs b/src/ModelContextProtocol.AspNetCore/Authentication/McpAuthenticationHandler.cs
@@ -132,15 +132,28 @@ protected override Task HandleChallengeAsync(AuthenticationProperties properties
         // Initialize properties if null
         properties ??= new AuthenticationProperties();
         
-        // Set the WWW-Authenticate header with the resource_metadata
-        string headerValue = $"Bearer realm=\"{Scheme.Name}\"";
-        headerValue += $", resource_metadata=\"{rawPrmDocumentUri}\"";
-        
-        Response.Headers["WWW-Authenticate"] = headerValue;
-        
         // Store the resource_metadata in properties in case other handlers need it
         properties.Items["resource_metadata"] = rawPrmDocumentUri;
         
+        // Get supported schemes from the options
+        var options = _optionsMonitor.CurrentValue;
+        var supportedSchemes = options.GetSupportedAuthenticationSchemes(Request.HttpContext).ToList();
+
+        // If no schemes are explicitly defined, don't add any WWW-Authenticate headers
+        if (supportedSchemes.Count == 0)
+        {
+            return base.HandleChallengeAsync(properties);
+        }
+        
+        // Add headers for each supported authentication scheme
+        foreach (var scheme in supportedSchemes)
+        {
+            // For all schemes, include the realm and resource metadata
+            // This allows discovery of OAuth capabilities regardless of the authentication scheme
+            string headerValue = $"{scheme} realm=\"{Scheme.Name}\", resource_metadata=\"{rawPrmDocumentUri}\"";
+            Response.Headers.Append("WWW-Authenticate", headerValue);
+        }
+        
         return base.HandleChallengeAsync(properties);
     }
 }
diff --git a/src/ModelContextProtocol.AspNetCore/Authentication/McpAuthenticationOptions.cs b/src/ModelContextProtocol.AspNetCore/Authentication/McpAuthenticationOptions.cs
@@ -24,7 +24,8 @@ public class McpAuthenticationOptions : AuthenticationSchemeOptions
     /// The URI to the resource metadata document.
     /// </summary>
     /// <remarks>
-    /// This URI will be included in the WWW-Authenticate header when a 401 response is returned.
+    /// This URI will be included in the WWW-Authenticate header when a 401 response is returned
+    /// and Bearer authentication is supported.
     /// </remarks>
     public Uri ResourceMetadataUri { get; set; } = DefaultResourceMetadataUri;
 
@@ -48,6 +49,26 @@ public class McpAuthenticationOptions : AuthenticationSchemeOptions
     /// </remarks>
     public Func<HttpContext, ProtectedResourceMetadata>? ResourceMetadataProvider { get; set; }
 
+    /// <summary>
+    /// Gets or sets the authentication schemes supported by this server.
+    /// </summary>
+    /// <remarks>
+    /// When set, these schemes will be included in WWW-Authenticate headers during an authentication challenge.
+    /// By default, this is empty and must be populated with the authentication schemes your server supports.
+    /// If Bearer is included, the resource metadata URI will be included in its parameters.
+    /// </remarks>
+    public List<string> SupportedAuthenticationSchemes { get; set; } = new List<string>();
+    
+    /// <summary>
+    /// Gets or sets a delegate that dynamically provides authentication schemes based on the HTTP context.
+    /// </summary>
+    /// <remarks>
+    /// When set, this delegate will be called to determine which authentication schemes to include
+    /// in WWW-Authenticate headers during an authentication challenge. This takes precedence over the static
+    /// <see cref="SupportedAuthenticationSchemes"/> property.
+    /// </remarks>
+    public Func<HttpContext, IEnumerable<string>>? SupportedAuthenticationSchemesProvider { get; set; }
+
     /// <summary>
     /// Gets the resource metadata for the current request.
     /// </summary>
@@ -62,4 +83,19 @@ internal ProtectedResourceMetadata GetResourceMetadata(HttpContext context)
 
         return ResourceMetadata;
     }
+    
+    /// <summary>
+    /// Gets the supported authentication schemes for the current request.
+    /// </summary>
+    /// <param name="context">The HTTP context for the current request.</param>
+    /// <returns>The authentication schemes supported for the current request.</returns>
+    internal IEnumerable<string> GetSupportedAuthenticationSchemes(HttpContext context)
+    {
+        if (SupportedAuthenticationSchemesProvider != null)
+        {
+            return SupportedAuthenticationSchemesProvider(context);
+        }
+
+        return SupportedAuthenticationSchemes;
+    }
 }
