Update the HttpClient configuration

Author: localden

Directory.Packages.props

@@ -6,26 +6,30 @@
   </PropertyGroup>
   <!-- Product dependencies netstandard -->
   <ItemGroup Condition="'$(TargetFramework)' == 'netstandard2.0'">
-    <PackageVersion Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="9.0.0-preview.5.24272.6" />
+    <PackageVersion Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="9.0.4" />
     <PackageVersion Include="Microsoft.Bcl.Memory" Version="9.0.4" />
     <PackageVersion Include="Microsoft.Extensions.Hosting.Abstractions" Version="8.0.0" />
+    <PackageVersion Include="Microsoft.Extensions.Http" Version="8.0.0" />
     <PackageVersion Include="Microsoft.Extensions.Logging.Abstractions" Version="8.0.3" />
     <PackageVersion Include="System.IO.Pipelines" Version="8.0.0" />
     <PackageVersion Include="System.Text.Json" Version="8.0.5" />
     <PackageVersion Include="System.Threading.Channels" Version="8.0.0" />
   </ItemGroup>
   <!-- Product dependencies LTS -->
   <ItemGroup Condition="'$(TargetFramework)' == 'net8.0'">
+    <PackageVersion Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.15" />
     <PackageVersion Include="Microsoft.Extensions.Hosting.Abstractions" Version="8.0.0" />
+    <PackageVersion Include="Microsoft.Extensions.Http" Version="8.0.0" />
     <PackageVersion Include="Microsoft.Extensions.Logging.Abstractions" Version="8.0.3" />
     <PackageVersion Include="System.IO.Pipelines" Version="8.0.0" />
   </ItemGroup>
   <!-- Product dependencies .NET 9 -->
   <ItemGroup Condition="'$(TargetFramework)' == 'net9.0'">
-    <PackageVersion Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="9.0.0-preview.5.24306.11" />
+    <PackageVersion Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="9.0.4" />
     <PackageVersion Include="Microsoft.Extensions.Hosting.Abstractions" Version="9.0.4" />
+    <PackageVersion Include="Microsoft.Extensions.Http" Version="9.0.4" />
     <PackageVersion Include="Microsoft.Extensions.Logging.Abstractions" Version="9.0.4" />
-    <PackageVersion Include="Microsoft.IdentityModel.Tokens" Version="7.4.1" />
+    <PackageVersion Include="Microsoft.IdentityModel.Tokens" Version="8.9.0" />
     <PackageVersion Include="System.IO.Pipelines" Version="9.0.4" />
   </ItemGroup>
   <!-- Product dependencies shared -->

samples/ProtectedMCPClient/BasicOAuthAuthorizationProvider.cs

@@ -14,24 +14,54 @@ namespace ProtectedMCPClient;
 /// caching or any advanced token protection - it acquires a token and server metadata and holds it
 /// in memory as-is. This is NOT PRODUCTION READY and MUST NOT BE USED IN PRODUCTION.
 /// </summary>
-/// <remarks>
-/// Initializes a new instance of the <see cref="BasicOAuthAuthorizationProvider"/> class.
-/// </remarks>
-public class BasicOAuthAuthorizationProvider(
-    Uri serverUrl,
-    string clientId = "demo-client",
-    string clientSecret = "",
-    Uri? redirectUri = null,
-    IEnumerable<string>? scopes = null) : IMcpAuthorizationProvider
+public class BasicOAuthAuthorizationProvider : ITokenProvider
 {
-    private readonly Uri _serverUrl = serverUrl ?? throw new ArgumentNullException(nameof(serverUrl));
-    private readonly Uri _redirectUri = redirectUri ?? new Uri("http://localhost:8080/callback");
-    private readonly List<string> _scopes = scopes?.ToList() ?? [];
-    private readonly HttpClient _httpClient = new();
+    private readonly Uri _serverUrl;
+    private readonly Uri _redirectUri;
+    private readonly List<string> _scopes;
+    private readonly string _clientId;
+    private readonly string _clientSecret;
+    private readonly HttpClient _httpClient;
+    private readonly AuthorizationHelpers _authorizationHelpers;
+    
+    // Client name for IHttpClientFactory used by the BasicOAuthAuthorizationProvider
+    public const string HttpClientName = "ProtectedMCPClient.OAuth";
 
     private TokenContainer? _token;
     private AuthorizationServerMetadata? _authServerMetadata;
 
+    /// <summary>
+    /// Initializes a new instance of the <see cref="BasicOAuthAuthorizationProvider"/> class.
+    /// </summary>
+    /// <param name="serverUrl">The MCP server URL.</param>
+    /// <param name="httpClientFactory">The HTTP client factory to use for creating HTTP clients.</param>
+    /// <param name="authorizationHelpers">The authorization helpers.</param>
+    /// <param name="clientId">OAuth client ID.</param>
+    /// <param name="clientSecret">OAuth client secret.</param>
+    /// <param name="redirectUri">OAuth redirect URI.</param>
+    /// <param name="scopes">OAuth scopes.</param>
+    public BasicOAuthAuthorizationProvider(
+        Uri serverUrl,
+        IHttpClientFactory httpClientFactory,
+        AuthorizationHelpers authorizationHelpers,
+        string clientId = "demo-client",
+        string clientSecret = "",
+        Uri? redirectUri = null,
+        IEnumerable<string>? scopes = null)
+    {
+        _serverUrl = serverUrl ?? throw new ArgumentNullException(nameof(serverUrl));
+        if (httpClientFactory == null) throw new ArgumentNullException(nameof(httpClientFactory));
+        _authorizationHelpers = authorizationHelpers ?? throw new ArgumentNullException(nameof(authorizationHelpers));
+        
+        // Get the HttpClient once during construction instead of for each request
+        _httpClient = httpClientFactory.CreateClient(HttpClientName);
+        
+        _redirectUri = redirectUri ?? new Uri("http://localhost:8080/callback");
+        _scopes = scopes?.ToList() ?? [];
+        _clientId = clientId;
+        _clientSecret = clientSecret;
+    }
+
     /// <inheritdoc />
     public IEnumerable<string> SupportedSchemes => new[] { "Bearer" };
 
@@ -61,8 +91,8 @@ public class BasicOAuthAuthorizationProvider(
 
         try
         {
-            // Get the metadata from the challenge
-            var resourceMetadata = await AuthorizationHelpers.ExtractProtectedResourceMetadata(
+            // Get the metadata from the challenge using the instance-based AuthorizationHelpers
+            var resourceMetadata = await _authorizationHelpers.ExtractProtectedResourceMetadata(
                 response, _serverUrl, cancellationToken);
 
             if (resourceMetadata?.AuthorizationServers?.Count > 0)
@@ -152,7 +182,7 @@ public class BasicOAuthAuthorizationProvider(
         {
             ["grant_type"] = "refresh_token",
             ["refresh_token"] = refreshToken,
-            ["client_id"] = clientId
+            ["client_id"] = _clientId
         });
 
         try
@@ -162,9 +192,9 @@ public class BasicOAuthAuthorizationProvider(
                 Content = requestContent
             };
 
-            if (!string.IsNullOrEmpty(clientSecret))
+            if (!string.IsNullOrEmpty(_clientSecret))
             {
-                var authValue = Convert.ToBase64String(Encoding.UTF8.GetBytes($"{clientId}:{clientSecret}"));
+                var authValue = Convert.ToBase64String(Encoding.UTF8.GetBytes($"{_clientId}:{_clientSecret}"));
                 request.Headers.Authorization = new AuthenticationHeaderValue("Basic", authValue);
             }
 
@@ -213,7 +243,7 @@ public class BasicOAuthAuthorizationProvider(
     private Uri BuildAuthorizationUrl(AuthorizationServerMetadata authServerMetadata, string codeChallenge)
     {
         var queryParams = HttpUtility.ParseQueryString(string.Empty);
-        queryParams["client_id"] = clientId;
+        queryParams["client_id"] = _clientId;
         queryParams["redirect_uri"] = _redirectUri.ToString();
         queryParams["response_type"] = "code";
         queryParams["code_challenge"] = codeChallenge;
@@ -286,7 +316,7 @@ private Uri BuildAuthorizationUrl(AuthorizationServerMetadata authServerMetadata
             ["grant_type"] = "authorization_code",
             ["code"] = authorizationCode,
             ["redirect_uri"] = _redirectUri.ToString(),
-            ["client_id"] = clientId,
+            ["client_id"] = _clientId,
             ["code_verifier"] = codeVerifier
         });
 
@@ -297,9 +327,9 @@ private Uri BuildAuthorizationUrl(AuthorizationServerMetadata authServerMetadata
                 Content = requestContent
             };
 
-            if (!string.IsNullOrEmpty(clientSecret))
+            if (!string.IsNullOrEmpty(_clientSecret))
             {
-                var authValue = Convert.ToBase64String(Encoding.UTF8.GetBytes($"{clientId}:{clientSecret}"));
+                var authValue = Convert.ToBase64String(Encoding.UTF8.GetBytes($"{_clientId}:{_clientSecret}"));
                 request.Headers.Authorization = new AuthenticationHeaderValue("Basic", authValue);
             }
 

samples/ProtectedMCPClient/Program.cs

@@ -1,3 +1,5 @@
+using Microsoft.Extensions.DependencyInjection;
+using ModelContextProtocol.Authentication;
 using ModelContextProtocol.Client;
 using ModelContextProtocol.Protocol.Transport;
 
@@ -12,8 +14,33 @@ static async Task Main(string[] args)
 
         var serverUrl = "http://localhost:7071/sse";
 
+        var services = new ServiceCollection();
+        services.AddHttpClient();
+        
+        var sharedHandler = new SocketsHttpHandler
+        {
+            PooledConnectionLifetime = TimeSpan.FromMinutes(2),
+            PooledConnectionIdleTimeout = TimeSpan.FromMinutes(1)
+        };
+        
+        services.AddHttpClient(BasicOAuthAuthorizationProvider.HttpClientName)
+            .ConfigurePrimaryHttpMessageHandler(() => sharedHandler);
+            
+        services.AddHttpClient(AuthorizationHelpers.HttpClientName)
+            .ConfigurePrimaryHttpMessageHandler(() => sharedHandler);
+        
+        services.AddTransient<AuthorizationHelpers>();
+        
+        var serviceProvider = services.BuildServiceProvider();
+        
+        var httpClientFactory = serviceProvider.GetRequiredService<IHttpClientFactory>();
+        var authorizationHelpers = serviceProvider.GetRequiredService<AuthorizationHelpers>();
+
+        // Create the token provider with proper dependencies
         var tokenProvider = new BasicOAuthAuthorizationProvider(
-            new Uri(serverUrl), 
+            new Uri(serverUrl),
+            httpClientFactory,
+            authorizationHelpers,
             clientId: "6ad97b5f-7a7b-413f-8603-7a3517d4adb8",
             redirectUri: new Uri("http://localhost:1179/callback"),
             scopes: ["api://167b4284-3f92-4436-92ed-38b38f83ae08/weather.read"]

samples/ProtectedMCPServer/ProtectedMCPServer.csproj

@@ -9,7 +9,6 @@
   <ItemGroup>
     <ProjectReference Include="..\..\src\ModelContextProtocol.AspNetCore\ModelContextProtocol.AspNetCore.csproj" />
     <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" />
-    <PackageReference Include="Microsoft.IdentityModel.Tokens" />
   </ItemGroup>
 
 </Project>

src/ModelContextProtocol/Authentication/AuthorizationDelegatingHandler.cs

@@ -9,15 +9,15 @@ namespace ModelContextProtocol.Authentication;
 /// </summary>
 public class AuthorizationDelegatingHandler : DelegatingHandler
 {
-    private readonly IMcpAuthorizationProvider _authorizationProvider;
+    private readonly ITokenProvider _authorizationProvider;
     private string _currentScheme;
     private static readonly char[] SchemeSplitDelimiters = { ' ', ',' };
 
     /// <summary>
     /// Initializes a new instance of the <see cref="AuthorizationDelegatingHandler"/> class.
     /// </summary>
     /// <param name="authorizationProvider">The provider that supplies authentication tokens.</param>
-    public AuthorizationDelegatingHandler(IMcpAuthorizationProvider authorizationProvider)
+    public AuthorizationDelegatingHandler(ITokenProvider authorizationProvider)
     {
         Throw.IfNull(authorizationProvider);
 

src/ModelContextProtocol/Authentication/AuthorizationHelpers.cs

@@ -1,4 +1,5 @@
 using ModelContextProtocol.Types.Authentication;
+using ModelContextProtocol.Utils;
 using ModelContextProtocol.Utils.Json;
 using System.Text.Json;
 
@@ -7,23 +8,39 @@ namespace ModelContextProtocol.Authentication;
 /// <summary>
 /// Provides utility methods for handling authentication in MCP clients.
 /// </summary>
-public static class AuthorizationHelpers
+public class AuthorizationHelpers
 {
+    private readonly HttpClient _httpClient;
+    
+    /// <summary>
+    /// Client name for IHttpClientFactory used by the AuthorizationHelpers.
+    /// </summary>
+    public const string HttpClientName = "ModelContextProtocol.Authentication";
+
+    /// <summary>
+    /// Initializes a new instance of the <see cref="AuthorizationHelpers"/> class.
+    /// </summary>
+    /// <param name="httpClientFactory">The HTTP client factory to use for creating HTTP clients.</param>
+    public AuthorizationHelpers(IHttpClientFactory httpClientFactory)
+    {
+        Throw.IfNull(httpClientFactory);
+        _httpClient = httpClientFactory.CreateClient(HttpClientName);
+    }
+
     /// <summary>
     /// Fetches the protected resource metadata from the provided URL.
     /// </summary>
     /// <param name="metadataUrl">The URL to fetch the metadata from.</param>
     /// <param name="cancellationToken">A token to cancel the operation.</param>
     /// <returns>The fetched ProtectedResourceMetadata, or null if it couldn't be fetched.</returns>
-    private static async Task<ProtectedResourceMetadata?> FetchProtectedResourceMetadataAsync(
+    private async Task<ProtectedResourceMetadata?> FetchProtectedResourceMetadataAsync(
         Uri metadataUrl, 
         CancellationToken cancellationToken = default)
     {
-        using var httpClient = new HttpClient();
         try
         {
             var request = new HttpRequestMessage(HttpMethod.Get, metadataUrl);
-            var response = await httpClient.SendAsync(request, HttpCompletionOption.ResponseHeadersRead, cancellationToken).ConfigureAwait(false);
+            var response = await _httpClient.SendAsync(request, HttpCompletionOption.ResponseHeadersRead, cancellationToken).ConfigureAwait(false);
             response.EnsureSuccessStatusCode();
 
             var content = await response.Content.ReadAsStreamAsync().ConfigureAwait(false);
@@ -69,7 +86,7 @@ private static bool VerifyResourceMatch(ProtectedResourceMetadata protectedResou
     /// <returns>The resource metadata if the resource matches the server, otherwise throws an exception.</returns>
     /// <exception cref="InvalidOperationException">Thrown when the response is not a 401, lacks a WWW-Authenticate header,
     /// lacks a resource_metadata parameter, the metadata can't be fetched, or the resource URI doesn't match the server URL.</exception>
-    public static async Task<ProtectedResourceMetadata> ExtractProtectedResourceMetadata(
+    public async Task<ProtectedResourceMetadata> ExtractProtectedResourceMetadata(
         HttpResponseMessage response,
         Uri serverUrl,
         CancellationToken cancellationToken = default)
@@ -154,7 +171,7 @@ public static async Task<ProtectedResourceMetadata> ExtractProtectedResourceMeta
                 return new KeyValuePair<string, string>(key, value);
             })
             .Where(kvp => !string.IsNullOrEmpty(kvp.Key))
-            .ToDictionary(kvp => kvp.Key, kvp => kvp.Value);
+            .ToDictionary();
 
         if (paramDict.TryGetValue(parameterName, out var value))
         {

src/ModelContextProtocol/Authentication/ITokenProvider.cs

@@ -4,7 +4,7 @@ namespace ModelContextProtocol.Authentication;
 /// Defines an interface for providing authentication for requests.
 /// This is the main extensibility point for authentication in MCP clients.
 /// </summary>
-public interface IMcpAuthorizationProvider
+public interface ITokenProvider
 {
     /// <summary>
     /// Gets the collection of authentication schemes supported by this provider.

src/ModelContextProtocol/ModelContextProtocol.csproj

@@ -36,6 +36,7 @@
     <PackageReference Include="Microsoft.Extensions.AI.Abstractions" />
     <PackageReference Include="Microsoft.Extensions.AI" />
     <PackageReference Include="Microsoft.Extensions.Hosting.Abstractions" />
+    <PackageReference Include="Microsoft.Extensions.Http" />
     <PackageReference Include="Microsoft.Extensions.Logging.Abstractions" />
     <PackageReference Include="System.Net.ServerSentEvents" />
   </ItemGroup>

src/ModelContextProtocol/Protocol/Transport/SseClientTransport.cs

@@ -58,7 +58,7 @@ public SseClientTransport(SseClientTransportOptions transportOptions, HttpClient
     /// <param name="transportOptions">Configuration options for the transport.</param>
     /// <param name="authorizationProvider">The authorization provider to use for authentication.</param>
     /// <param name="loggerFactory">Logger factory for creating loggers used for diagnostic output during transport operations.</param>
-    public SseClientTransport(SseClientTransportOptions transportOptions, IMcpAuthorizationProvider authorizationProvider, ILoggerFactory? loggerFactory = null)
+    public SseClientTransport(SseClientTransportOptions transportOptions, ITokenProvider authorizationProvider, ILoggerFactory? loggerFactory = null)
     {
         Throw.IfNull(transportOptions);
         Throw.IfNull(authorizationProvider);