Add CanAuthenticate_WithTokenRefresh test

Author: halter73

tests/ModelContextProtocol.AspNetCore.Tests/AuthTests.cs

@@ -19,6 +19,7 @@ public class AuthTests : KestrelInMemoryTest, IAsyncDisposable
     private const string OAuthServerUrl = "https://localhost:7029";
 
     private readonly CancellationTokenSource _testCts = new();
+    private readonly TestOAuthServer.Program TestOAuthServer;
     private readonly Task _oAuthRunTask;
 
     public AuthTests(ITestOutputHelper outputHelper)
@@ -30,8 +31,8 @@ public AuthTests(ITestOutputHelper outputHelper)
         // The easiest workaround is to disable cert validation for testing purposes.
         SocketsHttpHandler.SslOptions.RemoteCertificateValidationCallback = (_, _, _, _) => true;
 
-        var oAuthServerProgram = new TestOAuthServer.Program(XunitLoggerProvider, KestrelInMemoryTransport);
-        _oAuthRunTask = oAuthServerProgram.RunServerAsync(cancellationToken: _testCts.Token);
+        TestOAuthServer = new TestOAuthServer.Program(XunitLoggerProvider, KestrelInMemoryTransport);
+        _oAuthRunTask = TestOAuthServer.RunServerAsync(cancellationToken: _testCts.Token);
 
         Builder.Services.AddAuthentication(options =>
         {
@@ -189,6 +190,37 @@ public async Task CanAuthenticate_WithDynamicClientRegistration()
             transport, loggerFactory: LoggerFactory, cancellationToken: TestContext.Current.CancellationToken);
     }
 
+    [Fact]
+    public async Task CanAuthenticate_WithTokenRefresh()
+    {
+        Builder.Services.AddMcpServer().WithHttpTransport();
+
+        await using var app = Builder.Build();
+
+        app.MapMcp().RequireAuthorization();
+
+        await app.StartAsync(TestContext.Current.CancellationToken);
+
+        await using var transport = new SseClientTransport(new()
+        {
+            Endpoint = new(McpServerUrl),
+            OAuth = new()
+            {
+                ClientId = "test-refresh-client",
+                ClientSecret = "test-refresh-secret",
+                RedirectUri = new Uri("http://localhost:1179/callback"),
+                AuthorizationRedirectDelegate = HandleAuthorizationUrlAsync,
+            },
+        }, HttpClient, LoggerFactory);
+
+        // The test-refresh-client should get an expired token first,
+        // then automatically refresh it to get a working token
+        await using var client = await McpClientFactory.CreateAsync(
+            transport, loggerFactory: LoggerFactory, cancellationToken: TestContext.Current.CancellationToken);
+
+        Assert.True(TestOAuthServer.HasIssuedRefreshToken);
+    }
+
     [Fact]
     public void CloneResourceMetadataClonesAllProperties()
     {

tests/ModelContextProtocol.TestOAuthServer/Program.cs

@@ -39,6 +39,10 @@ public Program(ILoggerProvider? loggerProvider = null, IConnectionListenerFactor
         _kestrelTransport = kestrelTransport;
     }
 
+    // Track if we've already issued an already-expired token for the CanAuthenticate_WithTokenRefresh test which uses the test-refresh-client registration.
+    private bool HasIssuedExpiredToken { get; set; }
+    public bool HasIssuedRefreshToken { get; set; }
+
     /// <summary>
     /// Entry point for the application.
     /// </summary>
@@ -104,6 +108,15 @@ public async Task RunServerAsync(string[]? args = null, CancellationToken cancel
             RedirectUris = ["http://localhost:1179/callback"],
         };
 
+        // When this client ID is used, the first token issued will already be expired to make
+        // testing the refresh flow easier.
+        _clients["test-refresh-client"] = new ClientInfo
+        {
+            ClientId = "test-refresh-client",
+            ClientSecret = "test-refresh-secret",
+            RedirectUris = ["http://localhost:1179/callback"],
+        };
+
         // OIDC and OAuth Metadata
         app.MapGet("/.well-known/openid-configuration", () =>
         {
@@ -345,6 +358,7 @@ public async Task RunServerAsync(string[]? args = null, CancellationToken cancel
                     _tokens.TryRemove(refresh_token, out _);
                 }
 
+                HasIssuedRefreshToken = true;
                 return Results.Ok(response);
             }
             else
@@ -508,6 +522,14 @@ private TokenResponse GenerateJwtTokenResponse(string clientId, List<string> sco
     {
         var expiresIn = TimeSpan.FromHours(1);
         var issuedAt = DateTimeOffset.UtcNow;
+
+        // For test-refresh-client, make the first token expired to test refresh functionality.
+        if (clientId == "test-refresh-client" && !HasIssuedExpiredToken)
+        {
+            HasIssuedExpiredToken = true;
+            expiresIn = TimeSpan.FromHours(-1);
+        }
+
         var expiresAt = issuedAt.Add(expiresIn);
         var jwtId = Guid.NewGuid().ToString();