Fix silent token refresh to respect IncludeResourceIndicator and add doc warning

Varun Sharma · Copilot · Varun Sharma · commit b653294e2dce · 2026-02-28T15:48:45.000+05:30
- GetAccessTokenSilentAsync now omits the resource parameter from token
  refresh requests when IncludeResourceIndicator is false, matching the
  behavior of the 401 handler and authorization URL paths.
- Added warning comment in getting-started.md about .GetAwaiter().GetResult()
  deadlock risk in SynchronizationContext environments.
- Added end-to-end tests with mock Entra ID server (ExpectResource=false)
  validating full auth flow and token refresh without resource parameter.

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/docs/concepts/getting-started.md b/docs/concepts/getting-started.md
@@ -154,6 +154,9 @@ builder.Services.AddSingleton(sp =>
         Command = "dotnet",
         Arguments = ["run", "--project", "path/to/server"],
     });
+    // Note: .GetAwaiter().GetResult() is used here for simplicity in console apps.
+    // In ASP.NET Core or other environments with a SynchronizationContext,
+    // use an IHostedService to initialize async resources instead.
     return McpClient.CreateAsync(transport, loggerFactory: loggerFactory)
         .GetAwaiter().GetResult();
 });
diff --git a/src/ModelContextProtocol.Core/Authentication/ClientOAuthProvider.cs b/src/ModelContextProtocol.Core/Authentication/ClientOAuthProvider.cs
@@ -156,7 +156,7 @@ internal override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage r
         // Try to refresh the access token if it is invalid and we have a refresh token.
         if (_authServerMetadata is not null && tokens?.RefreshToken is { Length: > 0 } refreshToken)
         {
-            var accessToken = await RefreshTokensAsync(refreshToken, resourceUri.ToString(), _authServerMetadata, cancellationToken).ConfigureAwait(false);
+            var accessToken = await RefreshTokensAsync(refreshToken, _includeResourceIndicator ? resourceUri.ToString() : null, _authServerMetadata, cancellationToken).ConfigureAwait(false);
             return (accessToken, true);
         }
 
diff --git a/tests/ModelContextProtocol.AspNetCore.Tests/OAuth/AuthTests.cs b/tests/ModelContextProtocol.AspNetCore.Tests/OAuth/AuthTests.cs
@@ -1297,4 +1297,111 @@ await Assert.ThrowsAsync<McpException>(() => McpClient.CreateAsync(
         Assert.False(query.ContainsKey("resource"), "The 'resource' query parameter should not be present when IncludeResourceIndicator is false.");
         Assert.True(query.ContainsKey("scope"), "The 'scope' query parameter should still be present.");
     }
+
+    [Fact]
+    public async Task CanAuthenticate_WithoutResourceIndicator_EndToEnd()
+    {
+        // Simulate an Entra ID-like server that rejects the 'resource' parameter.
+        TestOAuthServer.ExpectResource = false;
+
+        // Without resource indicator the token audience falls back to the client ID,
+        // matching real Entra ID behavior. Configure the server to accept it.
+        Builder.Services.Configure<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme, options =>
+        {
+            options.TokenValidationParameters.ValidAudiences = [McpServerUrl, "demo-client"];
+        });
+
+        await using var app = await StartMcpServerAsync();
+
+        await using var transport = new HttpClientTransport(new()
+        {
+            Endpoint = new(McpServerUrl),
+            OAuth = new()
+            {
+                ClientId = "demo-client",
+                ClientSecret = "demo-secret",
+                RedirectUri = new Uri("http://localhost:1179/callback"),
+                IncludeResourceIndicator = false,
+                AuthorizationRedirectDelegate = HandleAuthorizationUrlAsync,
+            },
+        }, HttpClient, LoggerFactory);
+
+        // This would fail with "invalid_target" if the resource parameter leaked through
+        // in either the authorization, token exchange, or silent refresh paths.
+        await using var client = await McpClient.CreateAsync(
+            transport, loggerFactory: LoggerFactory, cancellationToken: TestContext.Current.CancellationToken);
+    }
+
+    [Fact]
+    public async Task CanAuthenticate_WithoutResourceIndicator_TokenRefresh()
+    {
+        // Simulate an Entra ID-like server that rejects the 'resource' parameter.
+        TestOAuthServer.ExpectResource = false;
+
+        var hasForcedRefresh = false;
+
+        Builder.Services.AddMcpServer(options =>
+        {
+            options.ToolCollection = new();
+        });
+
+        // Without resource indicator the token audience falls back to the client ID.
+        Builder.Services.Configure<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme, options =>
+        {
+            options.TokenValidationParameters.ValidAudiences = [McpServerUrl, "demo-client"];
+        });
+
+        await using var app = await StartMcpServerAsync(configureMiddleware: app =>
+        {
+            app.Use(async (context, next) =>
+            {
+                if (context.Request.Method == HttpMethods.Post && context.Request.Path == "/" && !hasForcedRefresh)
+                {
+                    context.Request.EnableBuffering();
+
+                    var message = await JsonSerializer.DeserializeAsync(
+                        context.Request.Body,
+                        McpJsonUtilities.DefaultOptions.GetTypeInfo(typeof(JsonRpcMessage)),
+                        context.RequestAborted) as JsonRpcMessage;
+
+                    context.Request.Body.Position = 0;
+
+                    if (message is JsonRpcRequest request && request.Method == "tools/list")
+                    {
+                        hasForcedRefresh = true;
+
+                        // Return 401 to force token refresh
+                        await context.ChallengeAsync(JwtBearerDefaults.AuthenticationScheme);
+                        await context.Response.StartAsync(context.RequestAborted);
+                        await context.Response.Body.FlushAsync(context.RequestAborted);
+                        return;
+                    }
+                }
+
+                await next(context);
+            });
+        });
+
+        await using var transport = new HttpClientTransport(new()
+        {
+            Endpoint = new(McpServerUrl),
+            OAuth = new()
+            {
+                ClientId = "demo-client",
+                ClientSecret = "demo-secret",
+                RedirectUri = new Uri("http://localhost:1179/callback"),
+                IncludeResourceIndicator = false,
+                AuthorizationRedirectDelegate = HandleAuthorizationUrlAsync,
+            },
+        }, HttpClient, LoggerFactory);
+
+        await using var client = await McpClient.CreateAsync(
+            transport, loggerFactory: LoggerFactory, cancellationToken: TestContext.Current.CancellationToken);
+
+        // This triggers the 401 → token refresh path. If the resource parameter
+        // leaks into the refresh request, the mock Entra ID server returns invalid_target.
+        await client.ListToolsAsync(cancellationToken: TestContext.Current.CancellationToken);
+
+        Assert.True(TestOAuthServer.HasRefreshedToken, "Token refresh should have occurred.");
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -156,7 +156,7 @@ internal override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage r`
`156`	`156`	`// Try to refresh the access token if it is invalid and we have a refresh token.`
`157`	`157`	`if (_authServerMetadata is not null && tokens?.RefreshToken is { Length: > 0 } refreshToken)`
`158`	`158`	`{`
`159`		`- var accessToken = await RefreshTokensAsync(refreshToken, resourceUri.ToString(), _authServerMetadata, cancellationToken).ConfigureAwait(false);`
	`159`	`+ var accessToken = await RefreshTokensAsync(refreshToken, _includeResourceIndicator ? resourceUri.ToString() : null, _authServerMetadata, cancellationToken).ConfigureAwait(false);`
`160`	`160`	`return (accessToken, true);`
`161`	`161`	`}`
`162`	`162`