Use McpAuthenticationEvents to customize ProtectedResourceMetadata per-request

Author: halter73

samples/ProtectedMCPServer/Program.cs

@@ -56,21 +56,13 @@
 })
 .AddMcp(options =>
 {
-    options.ProtectedResourceMetadataProvider = context =>
+    options.ResourceMetadata = new()
     {
-        var metadata = new ProtectedResourceMetadata
-        {
-            Resource = new Uri(serverUrl),
-            BearerMethodsSupported = { "header" },
-            ResourceDocumentation = new Uri("https://docs.example.com/api/weather"),
-            AuthorizationServers = { new Uri(inMemoryOAuthServerUrl) }
-        };
-
-        metadata.ScopesSupported.AddRange([
-            "mcp:tools"
-        ]);
-
-        return metadata;
+        Resource = new Uri(serverUrl),
+        BearerMethodsSupported = { "header" },
+        ResourceDocumentation = new Uri("https://docs.example.com/api/weather"),
+        AuthorizationServers = { new Uri(inMemoryOAuthServerUrl) },
+        ScopesSupported = ["mcp:tools"],
     };
 });
 

src/ModelContextProtocol.AspNetCore/Authentication/McpAuthenticationEvents.cs

@@ -5,4 +5,13 @@
 /// </summary>
 public class McpAuthenticationEvents
 {
+    /// <summary>
+    /// Gets or sets the function that is invoked when resource metadata is requested.
+    /// </summary>
+    /// <remarks>
+    /// This function is called when a resource metadata request is made to the protected resource metadata endpoint.
+    /// The implementer should set the <see cref="ResourceMetadataRequestContext.ResourceMetadata"/> property
+    /// to provide the appropriate metadata for the current request.
+    /// </remarks>
+    public Func<ResourceMetadataRequestContext, Task> OnResourceMetadataRequest { get; set; } = context => Task.CompletedTask;
 }

src/ModelContextProtocol.AspNetCore/Authentication/McpAuthenticationHandler.cs

@@ -4,7 +4,6 @@
 using Microsoft.Extensions.Options;
 using ModelContextProtocol.Authentication;
 using System.Text.Encodings.Web;
-using System.Text.Json;
 
 namespace ModelContextProtocol.AspNetCore.Authentication;
 
@@ -34,11 +33,11 @@ public async Task<bool> HandleRequestAsync()
         // Check if the request is for the resource metadata endpoint
         string requestPath = Request.Path.Value ?? string.Empty;
 
-        string expectedMetadataPath = this.Options.ResourceMetadataUri?.ToString() ?? string.Empty;
-        if (this.Options.ResourceMetadataUri != null && !this.Options.ResourceMetadataUri.IsAbsoluteUri)
+        string expectedMetadataPath = Options.ResourceMetadataUri?.ToString() ?? string.Empty;
+        if (Options.ResourceMetadataUri != null && !Options.ResourceMetadataUri.IsAbsoluteUri)
         {
             // For relative URIs, it's just the path component.
-            expectedMetadataPath = this.Options.ResourceMetadataUri.OriginalString;
+            expectedMetadataPath = Options.ResourceMetadataUri.OriginalString;
         }
 
         // If the path doesn't match, let the request continue through the pipeline
@@ -62,8 +61,7 @@ public async Task<bool> HandleRequestAsync()
     /// </summary>
     private string GetAbsoluteResourceMetadataUri()
     {
-        var options = this.Options;
-        var resourceMetadataUri = options.ResourceMetadataUri;
+        var resourceMetadataUri = Options.ResourceMetadataUri;
 
         string currentPath = resourceMetadataUri?.ToString() ?? string.Empty;
 
@@ -88,47 +86,33 @@ private string GetAbsoluteResourceMetadataUri()
     /// Handles the resource metadata request.
     /// </summary>
     /// <param name="cancellationToken">A token to cancel the operation.</param>
-    private Task HandleResourceMetadataRequestAsync(CancellationToken cancellationToken = default)
+    private async Task HandleResourceMetadataRequestAsync(CancellationToken cancellationToken = default)
     {
-        var options = this.Options;
-        var resourceMetadata = options.GetResourceMetadata(Request.HttpContext);
+        var resourceMetadata = Options.ResourceMetadata;
 
-        // Create a copy to avoid modifying the original
-        var metadata = new ProtectedResourceMetadata
+        if (Options.Events.OnResourceMetadataRequest is not null)
         {
-            Resource = resourceMetadata.Resource ?? new Uri(GetBaseUrl()),
-            AuthorizationServers = [.. resourceMetadata.AuthorizationServers],
-            BearerMethodsSupported = [.. resourceMetadata.BearerMethodsSupported],
-            ScopesSupported = [.. resourceMetadata.ScopesSupported],
-            ResourceDocumentation = resourceMetadata.ResourceDocumentation
-        };
-
-        Response.StatusCode = StatusCodes.Status200OK;
-        Response.ContentType = "application/json";
+            var context = new ResourceMetadataRequestContext(Request.HttpContext, Scheme, Options)
+            {
+                ResourceMetadata = CloneResourceMetadata(resourceMetadata),
+            };
 
-        var json = JsonSerializer.Serialize(
-            metadata,
-            McpJsonUtilities.DefaultOptions.GetTypeInfo(typeof(ProtectedResourceMetadata)));
+            await Options.Events.OnResourceMetadataRequest(context);
+        }
 
-        return Response.WriteAsync(json, cancellationToken);
-    }
 
-    /// <inheritdoc />
-    protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
-    {
-        // If ForwardAuthenticate is set, forward the authentication to the specified scheme
-        if (!string.IsNullOrEmpty(Options.ForwardAuthenticate) &&
-            Options.ForwardAuthenticate != Scheme.Name)
+        if (resourceMetadata == null)
         {
-            // Simply forward the authentication request to the specified scheme and return its result
-            // This ensures we don't interfere with the authentication process
-            return await Context.AuthenticateAsync(Options.ForwardAuthenticate);
+            throw new InvalidOperationException("ResourceMetadata has not been configured. Please set McpAuthenticationOptions.ResourceMetadata.");
         }
 
-        // If no forwarding is configured, this handler doesn't perform authentication
-        return AuthenticateResult.NoResult();
+        await Results.Json(resourceMetadata, McpJsonUtilities.DefaultOptions.GetTypeInfo(typeof(ProtectedResourceMetadata))).ExecuteAsync(Context);
     }
 
+    /// <inheritdoc />
+    // If no forwarding is configured, this handler doesn't perform authentication
+    protected override async Task<AuthenticateResult> HandleAuthenticateAsync() => AuthenticateResult.NoResult();
+
     /// <inheritdoc />
     protected override Task HandleChallengeAsync(AuthenticationProperties properties)
     {
@@ -146,4 +130,31 @@ protected override Task HandleChallengeAsync(AuthenticationProperties properties
 
         return base.HandleChallengeAsync(properties);
     }
+
+    internal ProtectedResourceMetadata? CloneResourceMetadata(ProtectedResourceMetadata? resourceMetadata)
+    {
+        if (resourceMetadata is null)
+        {
+            return null;
+        }
+
+        return new ProtectedResourceMetadata
+        {
+            Resource = resourceMetadata.Resource,
+            AuthorizationServers = [.. resourceMetadata.AuthorizationServers],
+            BearerMethodsSupported = [.. resourceMetadata.BearerMethodsSupported],
+            ScopesSupported = [.. resourceMetadata.ScopesSupported],
+            JwksUri = resourceMetadata.JwksUri,
+            ResourceSigningAlgValuesSupported = resourceMetadata.ResourceSigningAlgValuesSupported is not null ? [.. resourceMetadata.ResourceSigningAlgValuesSupported] : null,
+            ResourceName = resourceMetadata.ResourceName,
+            ResourceDocumentation = resourceMetadata.ResourceDocumentation,
+            ResourcePolicyUri = resourceMetadata.ResourcePolicyUri,
+            ResourceTosUri = resourceMetadata.ResourceTosUri,
+            TlsClientCertificateBoundAccessTokens = resourceMetadata.TlsClientCertificateBoundAccessTokens,
+            AuthorizationDetailsTypesSupported = resourceMetadata.AuthorizationDetailsTypesSupported is not null ? [.. resourceMetadata.AuthorizationDetailsTypesSupported] : null,
+            DpopSigningAlgValuesSupported = resourceMetadata.DpopSigningAlgValuesSupported is not null ? [.. resourceMetadata.DpopSigningAlgValuesSupported] : null,
+            DpopBoundAccessTokensRequired = resourceMetadata.DpopBoundAccessTokensRequired
+        };
+    }
+
 }

src/ModelContextProtocol.AspNetCore/Authentication/McpAuthenticationOptions.cs

@@ -1,5 +1,4 @@
 using Microsoft.AspNetCore.Authentication;
-using Microsoft.AspNetCore.Http;
 using ModelContextProtocol.Authentication;
 
 namespace ModelContextProtocol.AspNetCore.Authentication;
@@ -11,10 +10,6 @@ public class McpAuthenticationOptions : AuthenticationSchemeOptions
 {
     private static readonly Uri DefaultResourceMetadataUri = new("/.well-known/oauth-protected-resource", UriKind.Relative);
 
-    private Func<HttpContext, ProtectedResourceMetadata>? _resourceMetadataProvider;
-
-    private ProtectedResourceMetadata? _resourceMetadata;
-
     /// <summary>
     /// Initializes a new instance of the <see cref="McpAuthenticationOptions"/> class.
     /// </summary>
@@ -44,61 +39,11 @@ public McpAuthenticationOptions()
     public Uri ResourceMetadataUri { get; set; }
 
     /// <summary>
-    /// Gets or sets the static protected resource metadata.
+    /// Gets or sets the protected resource metadata.
     /// </summary>
     /// <remarks>
     /// This contains the OAuth metadata for the protected resource, including authorization servers,
     /// supported scopes, and other information needed for clients to authenticate.
-    /// Setting this property will automatically update the <see cref="ProtectedResourceMetadataProvider"/>
-    /// to return this static instance.
-    /// </remarks>
-    /// <exception cref="ArgumentNullException">Thrown when trying to set a null value.</exception>
-    /// <exception cref="ArgumentException">Thrown when the Resource property of the metadata is null.</exception>
-    public ProtectedResourceMetadata ResourceMetadata
-    {
-        get => _resourceMetadata ?? throw new InvalidOperationException(
-            "ResourceMetadata has not been configured.");
-        set
-        {
-            ArgumentNullException.ThrowIfNull(value);
-            if (value.Resource == null)
-            {
-                throw new ArgumentException("The Resource property of the metadata cannot be null. A valid resource URI is required.", nameof(value));
-            }
-
-            _resourceMetadata = value;
-            // When static metadata is set, update the provider to use it
-            _resourceMetadataProvider = _ => _resourceMetadata;
-        }
-    }
-
-    /// <summary>
-    /// Gets or sets a delegate that dynamically provides resource metadata based on the HTTP context.
-    /// </summary>
-    /// <remarks>
-    /// When set, this delegate will be called to generate resource metadata for each request,
-    /// allowing dynamic customization based on the caller or other contextual information.
-    /// This takes precedence over the static <see cref="ResourceMetadata"/> property.
     /// </remarks>
-    public Func<HttpContext, ProtectedResourceMetadata>? ProtectedResourceMetadataProvider
-    {
-        get => _resourceMetadataProvider;
-        set => _resourceMetadataProvider = value;
-    }
-
-    /// <summary>
-    /// Gets the resource metadata for the current request.
-    /// </summary>
-    /// <param name="context">The HTTP context for the current request.</param>
-    /// <returns>The resource metadata to use for the current request.</returns>
-    /// <exception cref="InvalidOperationException">Thrown when no resource metadata has been configured.</exception>
-    internal ProtectedResourceMetadata GetResourceMetadata(HttpContext context)
-    {
-        var provider = _resourceMetadataProvider;
-
-        return provider != null
-            ? provider(context)
-            : _resourceMetadata ?? throw new InvalidOperationException(
-                "ResourceMetadata has not been configured.");
-    }
+    public ProtectedResourceMetadata? ResourceMetadata { get; set; }
 }

src/ModelContextProtocol.AspNetCore/Authentication/ResourceMetadataRequestContext.cs

@@ -0,0 +1,30 @@
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Http;
+using ModelContextProtocol.Authentication;
+
+namespace ModelContextProtocol.AspNetCore.Authentication;
+
+/// <summary>
+/// Context for resource metadata request events.
+/// </summary>
+public class ResourceMetadataRequestContext : HandleRequestContext<McpAuthenticationOptions>
+{
+    /// <summary>
+    /// Initializes a new instance of the <see cref="ResourceMetadataRequestContext"/> class.
+    /// </summary>
+    /// <param name="context">The HTTP context.</param>
+    /// <param name="scheme">The authentication scheme.</param>
+    /// <param name="options">The authentication options.</param>
+    public ResourceMetadataRequestContext(
+        HttpContext context,
+        AuthenticationScheme scheme,
+        McpAuthenticationOptions options)
+        : base(context, scheme, options)
+    {
+    }
+
+    /// <summary>
+    /// Gets or sets the protected resource metadata for the current request.
+    /// </summary>
+    public ProtectedResourceMetadata? ResourceMetadata { get; set; }
+}

src/ModelContextProtocol.Core/Authentication/ProtectedResourceMetadata.cs

@@ -15,7 +15,7 @@ public sealed class ProtectedResourceMetadata
     /// REQUIRED. The protected resource's resource identifier.
     /// </remarks>
     [JsonPropertyName("resource")]
-    public required Uri Resource { get; init; }
+    public required Uri Resource { get; set; }
 
     /// <summary>
     /// The list of authorization server URIs.

tests/ModelContextProtocol.AspNetCore.Tests/AuthTests.cs

@@ -55,20 +55,12 @@ public AuthTests(ITestOutputHelper outputHelper)
         })
         .AddMcp(options =>
         {
-            options.ProtectedResourceMetadataProvider = context =>
+            options.ResourceMetadata = new ProtectedResourceMetadata
             {
-                var metadata = new ProtectedResourceMetadata
-                {
-                    Resource = new Uri(McpServerUrl),
-                    BearerMethodsSupported = { "header" },
-                    AuthorizationServers = { new Uri(OAuthServerUrl) }
-                };
-
-                metadata.ScopesSupported.AddRange([
-                    "mcp:tools"
-                ]);
-
-                return metadata;
+                Resource = new Uri(McpServerUrl),
+                AuthorizationServers = { new Uri(OAuthServerUrl) },
+                BearerMethodsSupported = { "header" },
+                ScopesSupported = ["mcp:tools"]
             };
         });