Tweaks to handles

Author: localden

samples/SecureWeatherClient/Program.cs

@@ -14,24 +14,49 @@ static async Task Main(string[] args)
         Console.WriteLine("==================================================");
         Console.WriteLine();
 
-        // Create the authorization config with HTTP listener
-        var authConfig = new AuthorizationConfig
-        {
-            ClientId = "04f79824-ab56-4511-a7cb-d7deaea92dc0",
-            Scopes = ["User.Read"]
-        }.UseHttpListener(hostname: "localhost", listenPort: 1170);
+        Console.WriteLine("Select authentication mode:");
+        Console.WriteLine("1. Normal OAuth flow with browser");
+        Console.WriteLine("2. Mock authentication (accepts any token for testing)");
+        Console.Write("Enter your choice (1-2): ");
+        var choice = Console.ReadLine()?.Trim();
 
         // Create an HTTP client with OAuth handling
-        var oauthHandler = new OAuthDelegatingHandler(
-            redirectUri: authConfig.RedirectUri,
-            clientId: authConfig.ClientId,
-            clientName: authConfig.ClientName,
-            scopes: authConfig.Scopes,
-            authorizationHandler: authConfig.AuthorizationHandler)
+        DelegatingHandler oauthHandler;
+        
+        if (choice == "2")
+        {
+            Console.WriteLine("\nUsing mock authentication for testing (no browser will open).\n");
+            
+            // Create a mock OAuth handler that always returns a token
+            oauthHandler = new MockOAuthHandler()
+            {
+                InnerHandler = new HttpClientHandler()
+            };
+        }
+        else
         {
-            // The OAuth handler needs an inner handler
-            InnerHandler = new HttpClientHandler()
-        };
+            Console.WriteLine("\nUsing standard OAuth flow with browser authentication.\n");
+            
+            // Create the authorization config with HTTP listener
+            var authConfig = new AuthorizationConfig
+            {
+                ClientId = "04f79824-ab56-4511-a7cb-d7deaea92dc0",
+                ClientName = "SecureWeatherClient",
+                Scopes = ["weather.read"]
+            }.UseHttpListener(hostname: "localhost", listenPort: 1170);
+
+            // Create an HTTP client with OAuth handling
+            oauthHandler = new OAuthDelegatingHandler(
+                redirectUri: authConfig.RedirectUri,
+                clientId: authConfig.ClientId,
+                clientName: authConfig.ClientName,
+                scopes: authConfig.Scopes,
+                authorizationHandler: authConfig.AuthorizationHandler)
+            {
+                // The OAuth handler needs an inner handler
+                InnerHandler = new HttpClientHandler()
+            };
+        }
 
         var httpClient = new HttpClient(oauthHandler);
         var serverUrl = "http://localhost:7071/sse"; // Default server URL
@@ -46,8 +71,13 @@ static async Task Main(string[] args)
 
         Console.WriteLine();
         Console.WriteLine($"Connecting to weather server at {serverUrl}...");
-        Console.WriteLine("When prompted for authorization, a browser window will open automatically.");
-        Console.WriteLine("Complete the authentication in the browser, and this application will continue automatically.");
+        
+        if (choice != "2")
+        {
+            Console.WriteLine("When prompted for authorization, a browser window will open automatically.");
+            Console.WriteLine("Complete the authentication in the browser, and this application will continue automatically.");
+        }
+        
         Console.WriteLine();
 
         try
@@ -97,4 +127,21 @@ static async Task Main(string[] args)
         Console.WriteLine("Press any key to exit...");
         Console.ReadKey();
     }
+}
+
+/// <summary>
+/// A mock OAuth handler that always returns a predefined token without going through the OAuth flow.
+/// This is useful for testing without requiring a real OAuth server.
+/// </summary>
+public class MockOAuthHandler : DelegatingHandler
+{
+    private readonly string _mockToken = "mock_test_token_" + Guid.NewGuid().ToString("N");
+
+    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
+    {
+        // Always attach the mock token to outgoing requests
+        request.Headers.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", _mockToken);
+        
+        return base.SendAsync(request, cancellationToken);
+    }
 }

src/ModelContextProtocol/Auth/McpClientExtensions.cs

@@ -96,52 +96,26 @@ public static async Task<OAuthToken> HandleUnauthorizedResponseAsync(
             throw new InvalidOperationException("The HTTP client has not been configured for authorization handling. Call ConfigureAuthorizationHandler() first.");
         }
 
-        // Create OAuthAuthenticationService
-        var authService = new OAuthAuthenticationService();
+        // Create OAuthAuthenticationService - use appropriate constructor based on whether we have a handler
+        OAuthAuthenticationService authService = config.AuthorizationHandler != null
+            ? new OAuthAuthenticationService(config.AuthorizationHandler)
+            : new OAuthAuthenticationService();
 
         // Get resource URI
         var resourceUri = response.RequestMessage?.RequestUri ?? throw new InvalidOperationException("Request URI is not available.");
 
         // Start the authentication flow
-        try
-        {
-            var tokenResponse = await authService.HandleAuthenticationAsync(
-                resourceUri,
-                wwwAuthenticateHeader,
-                config.RedirectUri,
-                config.ClientId,
-                config.ClientName,
-                config.Scopes);
-            
-            // Attach the access token to future requests
-            httpClient.AttachToken(tokenResponse.AccessToken);
-            
-            return tokenResponse;
-        }
-        catch (NotImplementedException ex) when (ex.Message.Contains("Authorization requires user interaction"))
-        {
-            // Extract the authorization URL from the exception message
-            var authUrlStart = ex.Message.IndexOf("http");
-            var authUrlEnd = ex.Message.IndexOf("\n", authUrlStart);
-            var authUrl = ex.Message.Substring(authUrlStart, authUrlEnd - authUrlStart);
-            
-            // Check if a handler is registered
-            if (config.AuthorizationHandler != null)
-            {
-                // Call the handler to get the authorization code
-                var authCode = await config.AuthorizationHandler(new Uri(authUrl));
-                
-                // In a real implementation, we would use the authorization code to get a token
-                // For now, throw an exception with instructions
-                throw new NotImplementedException(
-                    "Authorization code acquired, but token exchange is not implemented. " +
-                    "In a real implementation, this would call ExchangeAuthorizationCodeForTokenAsync.");
-            }
-            else
-            {
-                // Re-throw the original exception
-                throw;
-            }
-        }
+        var tokenResponse = await authService.HandleAuthenticationAsync(
+            resourceUri,
+            wwwAuthenticateHeader,
+            config.RedirectUri,
+            config.ClientId,
+            config.ClientName,
+            config.Scopes);
+        
+        // Attach the access token to future requests
+        httpClient.AttachToken(tokenResponse.AccessToken);
+        
+        return tokenResponse;
     }
 }

src/ModelContextProtocol/Auth/OAuthAuthenticationService.cs

@@ -13,6 +13,23 @@ namespace ModelContextProtocol.Auth;
 public class OAuthAuthenticationService
 {
     private static readonly HttpClient _httpClient = new();
+    private readonly Func<Uri, Task<string>>? _authorizationHandler;
+    
+    /// <summary>
+    /// Initializes a new instance of the <see cref="OAuthAuthenticationService"/> class.
+    /// </summary>
+    public OAuthAuthenticationService()
+    {
+    }
+    
+    /// <summary>
+    /// Initializes a new instance of the <see cref="OAuthAuthenticationService"/> class with an authorization handler.
+    /// </summary>
+    /// <param name="authorizationHandler">A handler to invoke when authorization is required.</param>
+    public OAuthAuthenticationService(Func<Uri, Task<string>> authorizationHandler)
+    {
+        _authorizationHandler = authorizationHandler ?? throw new ArgumentNullException(nameof(authorizationHandler));
+    }
 
     /// <summary>
     /// Handles the OAuth authentication flow when a 401 Unauthorized response is received.
@@ -23,15 +40,20 @@ public class OAuthAuthenticationService
     /// <param name="clientId">The client ID to use for authentication, or null to register a new client.</param>
     /// <param name="clientName">The client name to use for registration.</param>
     /// <param name="scopes">The requested scopes.</param>
+    /// <param name="authorizationHandler">A handler to invoke when authorization is required. If not provided, the handler from the constructor will be used.</param>
     /// <returns>The OAuth token response.</returns>
     public async Task<OAuthToken> HandleAuthenticationAsync(
         Uri resourceUri,
         string wwwAuthenticateHeader,
         Uri redirectUri,
         string? clientId = null,
         string? clientName = null,
-        IEnumerable<string>? scopes = null)
+        IEnumerable<string>? scopes = null,
+        Func<Uri, Task<string>>? authorizationHandler = null)
     {
+        // Use the provided authorization handler or fall back to the one from the constructor
+        var effectiveAuthHandler = authorizationHandler ?? _authorizationHandler;
+        
         // Extract resource metadata URL from WWW-Authenticate header
         var resourceMetadataUri = ExtractResourceMetadataUri(wwwAuthenticateHeader);
         if (resourceMetadataUri == null)
@@ -88,7 +110,8 @@ public async Task<OAuthToken> HandleAuthenticationAsync(
             effectiveClientId, // This is now guaranteed to be non-null
             clientSecret,
             redirectUri,
-            scopes?.ToList() ?? resourceMetadata.ScopesSupported);
+            scopes?.ToList() ?? resourceMetadata.ScopesSupported,
+            effectiveAuthHandler);
 
         return tokenResponse;
     }
@@ -219,7 +242,8 @@ private async Task<OAuthToken> PerformAuthorizationCodeFlowAsync(
         string clientId,
         string? clientSecret,
         Uri redirectUri,
-        IEnumerable<string> scopes)
+        IEnumerable<string> scopes,
+        Func<Uri, Task<string>>? authorizationHandler)
     {
         // Generate PKCE code verifier and challenge
         var codeVerifier = GenerateCodeVerifier();
@@ -233,26 +257,34 @@ private async Task<OAuthToken> PerformAuthorizationCodeFlowAsync(
             codeChallenge,
             scopes);
 
-        // At this point, in a real application, you would redirect the user to the authorizationUrl
-        // and then handle the callback to redirectUri with the authorization code.
-        // For this implementation, we'll assume the code is obtained externally and passed to us.
+        // Check if an authorization handler is available
+        if (authorizationHandler != null)
+        {
+            try
+            {
+                // Get the authorization code using the provided handler
+                string authorizationCode = await authorizationHandler(new Uri(authorizationUrl));
+                
+                // Exchange the authorization code for a token
+                return await ExchangeAuthorizationCodeForTokenAsync(
+                    authServerMetadata.TokenEndpoint,
+                    clientId,
+                    clientSecret,
+                    redirectUri,
+                    authorizationCode,
+                    codeVerifier);
+            }
+            catch (Exception ex)
+            {
+                throw new InvalidOperationException($"Failed to complete OAuth authorization flow: {ex.Message}", ex);
+            }
+        }
 
-        // Since we can't actually perform the browser interaction in this service,
-        // we'll throw with instructions
+        // No authorization handler available, throw with instructions
         throw new NotImplementedException(
             $"Authorization requires user interaction. Please direct the user to: {authorizationUrl}\n" +
             $"After authorization, the user will be redirected to: {redirectUri}?code=[authorization_code]\n" +
             $"You need to handle this redirect and extract the authorization code to complete the flow.");
-        
-        // In a real implementation, after getting the authorization code:
-        // var authorizationCode = GetAuthorizationCodeFromRedirect();
-        // return await ExchangeAuthorizationCodeForTokenAsync(
-        //     authServerMetadata.TokenEndpoint,
-        //     clientId,
-        //     clientSecret,
-        //     redirectUri,
-        //     authorizationCode,
-        //     codeVerifier);
     }
 
     private string GenerateCodeVerifier()