Add legacy authorization URL fallback

FICTURE7 · FICTURE7 · commit c4ba02e258e0 · 2026-02-11T22:28:40.000+04:00
This patch adds support for legacy behavior defined in MCP 2025-03-26,
where by if the MCP server does not provide a PRM, the MCP client uses
the MCP server's base URL as the authorization server.

Since a PRM is not specified, a `resource` indicator is also not specified,
this means the code has to updated to handle this optionality.
diff --git a/src/ModelContextProtocol.Core/Authentication/ClientOAuthProvider.cs b/src/ModelContextProtocol.Core/Authentication/ClientOAuthProvider.cs
@@ -236,34 +236,48 @@ private async Task<string> GetAccessTokenAsync(HttpResponseMessage response, boo
     {
         // Get available authorization servers from the 401 or 403 response
         var protectedResourceMetadata = await ExtractProtectedResourceMetadata(response, cancellationToken).ConfigureAwait(false);
-        var availableAuthorizationServers = protectedResourceMetadata.AuthorizationServers;
+        var selectedAuthServer = default(Uri);
 
-        if (availableAuthorizationServers.Count == 0)
+        // If the MCP server does not provide protected resource metadata, fallback to using the MCP server URL as the
+        // authorization server.
+        //
+        // This is to maintain compatibility with MCP version 2025-03-26.
+        if (protectedResourceMetadata is null)
         {
-            ThrowFailedToHandleUnauthorizedResponse("No authorization servers found in authentication challenge");
+            selectedAuthServer = new Uri(_serverUrl, "/");
+
+            LogSelectedFallbackAuthorizationServer(selectedAuthServer);
         }
+        else
+        {
+            var availableAuthorizationServers = protectedResourceMetadata.AuthorizationServers;
 
-        // Select authorization server using configured strategy
-        var selectedAuthServer = _authServerSelector(availableAuthorizationServers);
+            if (availableAuthorizationServers.Count == 0)
+            {
+                ThrowFailedToHandleUnauthorizedResponse("No authorization servers found in authentication challenge");
+            }
 
-        if (selectedAuthServer is null)
-        {
-            ThrowFailedToHandleUnauthorizedResponse($"Authorization server selection returned null. Available servers: {string.Join(", ", availableAuthorizationServers)}");
-        }
+            // Select authorization server using configured strategy
+            selectedAuthServer = _authServerSelector(availableAuthorizationServers);
 
-        if (!availableAuthorizationServers.Contains(selectedAuthServer))
-        {
-            ThrowFailedToHandleUnauthorizedResponse($"Authorization server selector returned a server not in the available list: {selectedAuthServer}. Available servers: {string.Join(", ", availableAuthorizationServers)}");
-        }
+            if (selectedAuthServer is null)
+            {
+                ThrowFailedToHandleUnauthorizedResponse($"Authorization server selection returned null. Available servers: {string.Join(", ", availableAuthorizationServers)}");
+            }
 
-        LogSelectedAuthorizationServer(selectedAuthServer, availableAuthorizationServers.Count);
+            if (!availableAuthorizationServers.Contains(selectedAuthServer))
+            {
+                ThrowFailedToHandleUnauthorizedResponse($"Authorization server selector returned a server not in the available list: {selectedAuthServer}. Available servers: {string.Join(", ", availableAuthorizationServers)}");
+            }
+
+            LogSelectedAuthorizationServer(selectedAuthServer, availableAuthorizationServers.Count);
+        }
 
         // Get auth server metadata
         var authServerMetadata = await GetAuthServerMetadataAsync(selectedAuthServer, cancellationToken).ConfigureAwait(false);
+        var resourceUri = protectedResourceMetadata?.Resource;
 
         // The existing access token must be invalid to have resulted in a 401 response, but refresh might still work.
-        var resourceUri = GetRequiredResourceUri(protectedResourceMetadata);
-
         // Only attempt a token refresh if we haven't attempted to already for this request.
         // Also only attempt a token refresh for a 401 Unauthorized responses. Other response status codes
         // should not be used for expired access tokens. This is important because 403 forbiden responses can
@@ -387,15 +401,19 @@ private static IEnumerable<Uri> GetWellKnownAuthorizationServerMetadataUris(Uri
         }
     }
 
-    private async Task<string?> RefreshTokensAsync(string refreshToken, Uri resourceUri, AuthorizationServerMetadata authServerMetadata, CancellationToken cancellationToken)
+    private async Task<string?> RefreshTokensAsync(string refreshToken, Uri? resourceUri, AuthorizationServerMetadata authServerMetadata, CancellationToken cancellationToken)
     {
         Dictionary<string, string> formFields = new()
         {
             ["grant_type"] = "refresh_token",
             ["refresh_token"] = refreshToken,
-            ["resource"] = resourceUri.ToString(),
         };
 
+        if (resourceUri is not null)
+        {
+            formFields.Add("resource", resourceUri.ToString());
+        }
+
         using var request = CreateTokenRequest(authServerMetadata.TokenEndpoint, formFields);
 
         using var httpResponse = await _httpClient.SendAsync(request, cancellationToken).ConfigureAwait(false);
@@ -411,7 +429,7 @@ private static IEnumerable<Uri> GetWellKnownAuthorizationServerMetadataUris(Uri
     }
 
     private async Task<string> InitiateAuthorizationCodeFlowAsync(
-        ProtectedResourceMetadata protectedResourceMetadata,
+        ProtectedResourceMetadata? protectedResourceMetadata,
         AuthorizationServerMetadata authServerMetadata,
         CancellationToken cancellationToken)
     {
@@ -430,22 +448,24 @@ private async Task<string> InitiateAuthorizationCodeFlowAsync(
     }
 
     private Uri BuildAuthorizationUrl(
-        ProtectedResourceMetadata protectedResourceMetadata,
+        ProtectedResourceMetadata? protectedResourceMetadata,
         AuthorizationServerMetadata authServerMetadata,
         string codeChallenge)
     {
-        var resourceUri = GetRequiredResourceUri(protectedResourceMetadata);
-
         var queryParamsDictionary = new Dictionary<string, string>
         {
             ["client_id"] = GetClientIdOrThrow(),
             ["redirect_uri"] = _redirectUri.ToString(),
             ["response_type"] = "code",
             ["code_challenge"] = codeChallenge,
             ["code_challenge_method"] = "S256",
-            ["resource"] = resourceUri.ToString(),
         };
 
+        if (protectedResourceMetadata?.Resource is { } resourceUri)
+        {
+            queryParamsDictionary.Add("resource", resourceUri.ToString());
+        }
+
         var scope = GetScopeParameter(protectedResourceMetadata);
         if (!string.IsNullOrEmpty(scope))
         {
@@ -473,23 +493,25 @@ private Uri BuildAuthorizationUrl(
     }
 
     private async Task<string> ExchangeCodeForTokenAsync(
-        ProtectedResourceMetadata protectedResourceMetadata,
+        ProtectedResourceMetadata? protectedResourceMetadata,
         AuthorizationServerMetadata authServerMetadata,
         string authorizationCode,
         string codeVerifier,
         CancellationToken cancellationToken)
     {
-        var resourceUri = GetRequiredResourceUri(protectedResourceMetadata);
-
         Dictionary<string, string> formFields = new()
         {
             ["grant_type"] = "authorization_code",
             ["code"] = authorizationCode,
             ["redirect_uri"] = _redirectUri.ToString(),
             ["code_verifier"] = codeVerifier,
-            ["resource"] = resourceUri.ToString(),
         };
 
+        if (protectedResourceMetadata?.Resource is { } resourceUri)
+        {
+            formFields.Add("resource", resourceUri.ToString());
+        }
+
         using var request = CreateTokenRequest(authServerMetadata.TokenEndpoint, formFields);
 
         using var httpResponse = await _httpClient.SendAsync(request, cancellationToken).ConfigureAwait(false);
@@ -585,7 +607,7 @@ private async Task<TokenContainer> HandleSuccessfulTokenResponseAsync(HttpRespon
     /// Performs dynamic client registration with the authorization server.
     /// </summary>
     private async Task PerformDynamicClientRegistrationAsync(
-        ProtectedResourceMetadata protectedResourceMetadata,
+        ProtectedResourceMetadata? protectedResourceMetadata,
         AuthorizationServerMetadata authServerMetadata,
         CancellationToken cancellationToken)
     {
@@ -659,19 +681,13 @@ private async Task PerformDynamicClientRegistrationAsync(
         }
     }
 
-    private static Uri GetRequiredResourceUri(ProtectedResourceMetadata protectedResourceMetadata)
+    private string? GetScopeParameter(ProtectedResourceMetadata? protectedResourceMetadata)
     {
-        if (protectedResourceMetadata.Resource is null)
+        if (protectedResourceMetadata is null)
         {
-            ThrowFailedToHandleUnauthorizedResponse("Protected resource metadata did not include a 'resource' value.");
+            return null;
         }
-
-        return protectedResourceMetadata.Resource;
-    }
-
-    private string? GetScopeParameter(ProtectedResourceMetadata protectedResourceMetadata)
-    {
-        if (!string.IsNullOrEmpty(protectedResourceMetadata.WwwAuthenticateScope))
+        else if (!string.IsNullOrEmpty(protectedResourceMetadata.WwwAuthenticateScope))
         {
             return protectedResourceMetadata.WwwAuthenticateScope;
         }
@@ -740,7 +756,7 @@ private static string NormalizeUri(Uri uri)
     /// <param name="cancellationToken">The <see cref="CancellationToken"/> to monitor for cancellation requests.</param>
     /// <returns>The resource metadata if the resource matches the server, otherwise throws an exception.</returns>
     /// <exception cref="InvalidOperationException">Thrown when the response is not a 401, the metadata can't be fetched, or the resource URI doesn't match the server URL.</exception>
-    private async Task<ProtectedResourceMetadata> ExtractProtectedResourceMetadata(HttpResponseMessage response, CancellationToken cancellationToken)
+    private async Task<ProtectedResourceMetadata?> ExtractProtectedResourceMetadata(HttpResponseMessage response, CancellationToken cancellationToken)
     {
         Uri resourceUri = _serverUrl;
         string? wwwAuthenticateScope = null;
@@ -786,23 +802,21 @@ private async Task<ProtectedResourceMetadata> ExtractProtectedResourceMetadata(H
                     break;
                 }
             }
-
-            if (metadata is null)
-            {
-                throw new McpException($"Failed to find protected resource metadata at a well-known location for {_serverUrl}");
-            }
         }
 
-        // The WWW-Authenticate header parameter should be preferred over using the scopes_supported metadata property.
-        // https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization#protected-resource-metadata-discovery-requirements
-        metadata.WwwAuthenticateScope = wwwAuthenticateScope;
+        if (metadata is not null)
+        {
+            // The WWW-Authenticate header parameter should be preferred over using the scopes_supported metadata property.
+            // https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization#protected-resource-metadata-discovery-requirements
+            metadata.WwwAuthenticateScope = wwwAuthenticateScope;
 
-        // Per RFC: The resource value must be identical to the URL that the client used to make the request to the resource server
-        LogValidatingResourceMetadata(resourceUri);
+            // Per RFC: The resource value must be identical to the URL that the client used to make the request to the resource server
+            LogValidatingResourceMetadata(resourceUri);
 
-        if (!VerifyResourceMatch(metadata, resourceUri))
-        {
-            throw new McpException($"Resource URI in metadata ({metadata.Resource}) does not match the expected URI ({resourceUri})");
+            if (!VerifyResourceMatch(metadata, resourceUri))
+            {
+                throw new McpException($"Resource URI in metadata ({metadata.Resource}) does not match the expected URI ({resourceUri})");
+            }
         }
 
         return metadata;
@@ -908,6 +922,9 @@ private static void ThrowFailedToHandleUnauthorizedResponse(string message) =>
     [LoggerMessage(Level = LogLevel.Information, Message = "Selected authorization server: {Server} from {Count} available servers")]
     partial void LogSelectedAuthorizationServer(Uri server, int count);
 
+    [LoggerMessage(Level = LogLevel.Information, Message = "Selected fallback authorization server: {Server}")]
+    partial void LogSelectedFallbackAuthorizationServer(Uri server);
+
     [LoggerMessage(Level = LogLevel.Information, Message = "OAuth authorization completed successfully")]
     partial void LogOAuthAuthorizationCompleted();
 
