Fall back to well-known URL in client if 401 response is missing resource_metadata parameter

- Automatically infer resource URI by default in McpAuthenticationHandler
- Fix matching absolute resource URI in McpAuthenticationHandler if specified
- Add MockLoggerProvider to LoggedTest.cs

Author: halter73

samples/ProtectedMcpServer/Program.cs

@@ -56,7 +56,6 @@
 {
     options.ResourceMetadata = new()
     {
-        Resource = new Uri(serverUrl),
         ResourceDocumentation = new Uri("https://docs.example.com/api/weather"),
         AuthorizationServers = { new Uri(inMemoryOAuthServerUrl) },
         ScopesSupported = ["mcp:tools"],

src/ModelContextProtocol.AspNetCore/Authentication/McpAuthenticationHandler.cs

@@ -13,6 +13,9 @@ namespace ModelContextProtocol.AspNetCore.Authentication;
 /// </summary>
 public class McpAuthenticationHandler : AuthenticationHandler<McpAuthenticationOptions>, IAuthenticationRequestHandler
 {
+    private const string DefaultResourceMetadataPath = "/.well-known/oauth-protected-resource";
+    private static readonly PathString DefaultResourceMetadataPrefix = new(DefaultResourceMetadataPath);
+
     /// <summary>
     /// Initializes a new instance of the <see cref="McpAuthenticationHandler"/> class.
     /// </summary>
@@ -27,65 +30,119 @@ public McpAuthenticationHandler(
     /// <inheritdoc />
     public async Task<bool> HandleRequestAsync()
     {
-        // Check if the request is for the resource metadata endpoint
-        string requestPath = Request.Path.Value ?? string.Empty;
-
-        string expectedMetadataPath = Options.ResourceMetadataUri?.ToString() ?? string.Empty;
-        if (Options.ResourceMetadataUri != null && !Options.ResourceMetadataUri.IsAbsoluteUri)
+        if (Options.ResourceMetadataUri is Uri configuredUri)
         {
-            // For relative URIs, it's just the path component.
-            expectedMetadataPath = Options.ResourceMetadataUri.OriginalString;
+            return await HandleConfiguredResourceMetadataRequestAsync(configuredUri);
         }
 
-        // If the path doesn't match, let the request continue through the pipeline
-        if (!string.Equals(requestPath, expectedMetadataPath, StringComparison.OrdinalIgnoreCase))
+        return await HandleDefaultResourceMetadataRequestAsync();
+    }
+
+    private async Task<bool> HandleConfiguredResourceMetadataRequestAsync(Uri resourceMetadataUri)
+    {
+        if (!IsConfiguredEndpointRequest(resourceMetadataUri))
         {
             return false;
         }
 
         return await HandleResourceMetadataRequestAsync();
     }
 
-    /// <summary>
-    /// Gets the base URL from the current request, including scheme, host, and path base.
-    /// </summary>
-    private string GetBaseUrl() => $"{Request.Scheme}://{Request.Host}{Request.PathBase}";
+    private async Task<bool> HandleDefaultResourceMetadataRequestAsync()
+    {
+        if (!Request.Path.StartsWithSegments(DefaultResourceMetadataPrefix, out var resourceSuffix))
+        {
+            return false;
+        }
+
+        var deriveResourceUriBuilder = new UriBuilder(Request.Scheme, Request.Host.Host)
+        {
+            Path = $"{Request.PathBase}{resourceSuffix}",
+            Port = Request.Host.Port ?? (Request.Scheme == "https" ? 443 : 80),
+        };
+
+        return await HandleResourceMetadataRequestAsync(deriveResourceUriBuilder.Uri);
+    }
 
     /// <summary>
     /// Gets the absolute URI for the resource metadata endpoint.
     /// </summary>
     private string GetAbsoluteResourceMetadataUri()
     {
-        var resourceMetadataUri = Options.ResourceMetadataUri;
+        if (Options.ResourceMetadataUri is Uri resourceMetadataUri)
+        {
+            if (resourceMetadataUri.IsAbsoluteUri)
+            {
+                return resourceMetadataUri.ToString();
+            }
+
+            var seperator = resourceMetadataUri.OriginalString.StartsWith("/") ? "" : "/";
+            return $"{Request.Scheme}://{Request.Host.ToUriComponent()}{Request.PathBase}{seperator}{resourceMetadataUri.OriginalString}";
+        }
+
+        return $"{Request.Scheme}://{Request.Host.ToUriComponent()}{Request.PathBase}{DefaultResourceMetadataPath}{Request.Path}";
+    }
+
+    private bool IsConfiguredEndpointRequest(Uri resourceMetadataUri)
+    {
+        var expectedPath = GetConfiguredResourceMetadataPath(resourceMetadataUri);
 
-        string currentPath = resourceMetadataUri?.ToString() ?? string.Empty;
+        if (!string.Equals(Request.Path.Value, expectedPath, StringComparison.OrdinalIgnoreCase))
+        {
+            return false;
+        }
 
-        if (resourceMetadataUri != null && resourceMetadataUri.IsAbsoluteUri)
+        if (!resourceMetadataUri.IsAbsoluteUri)
         {
-            return currentPath;
+            return true;
         }
 
-        // For relative URIs, combine with the base URL
-        string baseUrl = GetBaseUrl();
-        string relativePath = resourceMetadataUri?.OriginalString.TrimStart('/') ?? string.Empty;
+        if (!Request.Host.HasValue)
+        {
+            return false;
+        }
 
-        if (!Uri.TryCreate($"{baseUrl.TrimEnd('/')}/{relativePath}", UriKind.Absolute, out var absoluteUri))
+        if (!string.Equals(Request.Host.Host, resourceMetadataUri.Host, StringComparison.OrdinalIgnoreCase))
         {
-            throw new InvalidOperationException($"Could not create absolute URI for resource metadata. Base URL: {baseUrl}, Relative Path: {relativePath}");
+            Logger.LogWarning(
+                "Resource metadata request host '{RequestHost}' did not match configured host '{ConfiguredHost}'.",
+                Request.Host.Value,
+                resourceMetadataUri.Host);
+            return false;
         }
 
-        return absoluteUri.ToString();
+        if (!string.Equals(Request.Scheme, resourceMetadataUri.Scheme, StringComparison.OrdinalIgnoreCase))
+        {
+            Logger.LogWarning(
+                "Resource metadata request scheme '{RequestScheme}' did not match configured scheme '{ConfiguredScheme}'.",
+                Request.Scheme,
+                resourceMetadataUri.Scheme);
+            return false;
+        }
+
+        return true;
     }
 
-    private async Task<bool> HandleResourceMetadataRequestAsync()
+    private static string GetConfiguredResourceMetadataPath(Uri resourceMetadataUri)
     {
-        var resourceMetadata = Options.ResourceMetadata;
+        if (resourceMetadataUri.IsAbsoluteUri)
+        {
+            return resourceMetadataUri.AbsolutePath;
+        }
+
+        var path = resourceMetadataUri.OriginalString;
+        return path.StartsWith("/") ? path : $"/{path}";
+    }
+
+    private async Task<bool> HandleResourceMetadataRequestAsync(Uri? derivedResourceUri = null)
+    {
+        var resourceMetadata = CloneResourceMetadata(Options.ResourceMetadata, derivedResourceUri);
 
         if (Options.Events.OnResourceMetadataRequest is not null)
         {
             var context = new ResourceMetadataRequestContext(Request.HttpContext, Scheme, Options)
             {
-                ResourceMetadata = CloneResourceMetadata(resourceMetadata),
+                ResourceMetadata = resourceMetadata,
             };
 
             await Options.Events.OnResourceMetadataRequest(context);
@@ -109,13 +166,13 @@ private async Task<bool> HandleResourceMetadataRequestAsync()
             resourceMetadata = context.ResourceMetadata;
         }
 
-        if (resourceMetadata == null)
+        if (resourceMetadata is null)
         {
-            throw new InvalidOperationException(
-                "ResourceMetadata has not been configured. Please set McpAuthenticationOptions.ResourceMetadata or ensure context.ResourceMetadata is set inside McpAuthenticationOptions.Events.OnResourceMetadataRequest."
-            );
+            throw new InvalidOperationException("ResourceMetadata has not been configured. Please set McpAuthenticationOptions.ResourceMetadata or ensure context.ResourceMetadata is set inside McpAuthenticationOptions.Events.OnResourceMetadataRequest.");
         }
 
+        resourceMetadata.Resource ??= derivedResourceUri;
+
         await Results.Json(resourceMetadata, McpJsonUtilities.DefaultOptions.GetTypeInfo(typeof(ProtectedResourceMetadata))).ExecuteAsync(Context);
         return true;
     }
@@ -142,7 +199,7 @@ protected override Task HandleChallengeAsync(AuthenticationProperties properties
         return base.HandleChallengeAsync(properties);
     }
 
-    internal static ProtectedResourceMetadata? CloneResourceMetadata(ProtectedResourceMetadata? resourceMetadata)
+    internal static ProtectedResourceMetadata? CloneResourceMetadata(ProtectedResourceMetadata? resourceMetadata, Uri? derivedResourceUri = null)
     {
         if (resourceMetadata is null)
         {
@@ -151,7 +208,7 @@ protected override Task HandleChallengeAsync(AuthenticationProperties properties
 
         return new ProtectedResourceMetadata
         {
-            Resource = resourceMetadata.Resource,
+            Resource = resourceMetadata.Resource ?? derivedResourceUri,
             AuthorizationServers = [.. resourceMetadata.AuthorizationServers],
             BearerMethodsSupported = [.. resourceMetadata.BearerMethodsSupported],
             ScopesSupported = [.. resourceMetadata.ScopesSupported],
@@ -167,5 +224,4 @@ protected override Task HandleChallengeAsync(AuthenticationProperties properties
             DpopBoundAccessTokensRequired = resourceMetadata.DpopBoundAccessTokensRequired
         };
     }
-
 }

src/ModelContextProtocol.AspNetCore/Authentication/McpAuthenticationOptions.cs

@@ -8,16 +8,13 @@ namespace ModelContextProtocol.AspNetCore.Authentication;
 /// </summary>
 public class McpAuthenticationOptions : AuthenticationSchemeOptions
 {
-    private static readonly Uri DefaultResourceMetadataUri = new("/.well-known/oauth-protected-resource", UriKind.Relative);
-
     /// <summary>
     /// Initializes a new instance of the <see cref="McpAuthenticationOptions"/> class.
     /// </summary>
     public McpAuthenticationOptions()
     {
         // "Bearer" is JwtBearerDefaults.AuthenticationScheme, but we don't have a reference to the JwtBearer package here.
         ForwardAuthenticate = "Bearer";
-        ResourceMetadataUri = DefaultResourceMetadataUri;
         Events = new McpAuthenticationEvents();
     }
 
@@ -35,8 +32,10 @@ public McpAuthenticationOptions()
     /// </summary>
     /// <remarks>
     /// This URI is included in the WWW-Authenticate header when a 401 response is returned.
+    /// When <see langword="null"/>, the handler automatically uses the default
+    /// <c>/.well-known/oauth-protected-resource/&lt;resource-path&gt;</c> endpoint that mirrors the requested resource path.
     /// </remarks>
-    public Uri ResourceMetadataUri { get; set; }
+    public Uri? ResourceMetadataUri { get; set; }
 
     /// <summary>
     /// Gets or sets the protected resource metadata.