Add RFC 8707 to the client and TestOAuthServer

Author: halter73

src/ModelContextProtocol.Core/Authentication/ClientOAuthProvider.cs

@@ -295,6 +295,7 @@ private Uri BuildAuthorizationUrl(
         queryParams["response_type"] = "code";
         queryParams["code_challenge"] = codeChallenge;
         queryParams["code_challenge_method"] = "S256";
+        queryParams["resource"] = protectedResourceMetadata.Resource.ToString();
 
         var scopesSupported = protectedResourceMetadata.ScopesSupported;
         if (_scopes is not null || scopesSupported.Count > 0)

tests/ModelContextProtocol.AspNetCore.Tests/AuthTests.cs

@@ -16,7 +16,6 @@ public class AuthTests : KestrelInMemoryTest, IAsyncDisposable
 {
     private const string McpServerUrl = "http://localhost:5000";
     private const string OAuthServerUrl = "https://localhost:7029";
-    private const string ClientId = "demo-client";
 
     private readonly CancellationTokenSource _testCts = new();
     private readonly Task _oAuthRunTask;
@@ -45,7 +44,7 @@ public AuthTests(ITestOutputHelper outputHelper)
                 ValidateAudience = true,
                 ValidateLifetime = true,
                 ValidateIssuerSigningKey = true,
-                ValidAudience = ClientId,
+                ValidAudience = McpServerUrl,
                 ValidIssuer = OAuthServerUrl,
                 NameClaimType = "name",
                 RoleClaimType = "roles"

tests/ModelContextProtocol.TestOAuthServer/ClientInfo.cs

@@ -21,4 +21,9 @@ internal sealed class ClientInfo
     /// Gets or sets the list of redirect URIs allowed for this client.
     /// </summary>
     public List<string> RedirectUris { get; init; } = [];
+
+    /// <summary>
+    /// Gets or sets the list of valid resources for this client.
+    /// </summary>
+    public List<string> ValidResources { get; init; } = [];
 }

tests/ModelContextProtocol.TestOAuthServer/Program.cs

@@ -98,7 +98,8 @@ public async Task RunServerAsync(string[]? args = null, CancellationToken cancel
         {
             ClientId = clientId,
             ClientSecret = clientSecret,
-            RedirectUris = ["http://localhost:1179/callback"]
+            RedirectUris = ["http://localhost:1179/callback"],
+            ValidResources = ["http://localhost:5000/"],
         };
 
         // OIDC and OAuth Metadata
@@ -209,6 +210,12 @@ public async Task RunServerAsync(string[]? args = null, CancellationToken cancel
                 return Results.Redirect($"{redirect_uri}?error=invalid_request&error_description=Only+S256+code_challenge_method+is+supported&state={state}");
             }
 
+            // Validate resource in accordance with RFC 8707
+            if (string.IsNullOrEmpty(resource) || !client.ValidResources.Contains(resource))
+            {
+                return Results.Redirect($"{redirect_uri}?error=invalid_target&error_description=The+specified+resource+is+not+valid&state={state}");
+            }
+
             // Generate a new authorization code
             var code = OAuthUtils.GenerateRandomToken();
             var requestedScopes = scope?.Split(' ').ToList() ?? new List<string>();