Trim trailing slashes from derived resource URIs and improve tests

Changes per MCP spec recommendation:
- Remove trailing slash variants from TestOAuthServer.ValidResources (kept only no-slash versions)
- Make ValidResources public static to allow test customization
- Update McpAuthenticationHandler to trim trailing slashes when deriving resource URIs
- Update ProtectedResourceMetadata.Clone to trim trailing slashes from derived URIs
- Improve ResourceMetadata_DoesNotAddTrailingSlash test to actually authenticate (not just fetch metadata)
- Add ResourceMetadata_PreservesExplicitTrailingSlash test to verify explicitly configured slashes work

Per MCP spec: implementations SHOULD use URIs without trailing slashes unless semantically significant.

Co-authored-by: halter73 <54385+halter73@users.noreply.github.com>

Author: Copilot

src/ModelContextProtocol.AspNetCore/Authentication/McpAuthenticationHandler.cs

@@ -165,7 +165,7 @@ private async Task<bool> HandleResourceMetadataRequestAsync(Uri? derivedResource
             throw new InvalidOperationException("ResourceMetadata has not been configured. Please set McpAuthenticationOptions.ResourceMetadata or ensure context.ResourceMetadata is set inside McpAuthenticationOptions.Events.OnResourceMetadataRequest.");
         }
 
-        resourceMetadata.Resource ??= derivedResourceUri?.ToString();
+        resourceMetadata.Resource ??= derivedResourceUri?.ToString().TrimEnd('/');
 
         if (resourceMetadata.Resource is null)
         {

src/ModelContextProtocol.Core/Authentication/ProtectedResourceMetadata.cs

@@ -207,7 +207,7 @@ public ProtectedResourceMetadata Clone(Uri? derivedResourceUri = null)
     {
         return new ProtectedResourceMetadata
         {
-            Resource = Resource ?? derivedResourceUri?.ToString(),
+            Resource = Resource ?? derivedResourceUri?.ToString().TrimEnd('/'),
             AuthorizationServers = [.. AuthorizationServers],
             BearerMethodsSupported = [.. BearerMethodsSupported],
             ScopesSupported = [.. ScopesSupported],

tests/ModelContextProtocol.AspNetCore.Tests/OAuth/AuthTests.cs

@@ -755,38 +755,77 @@ await McpClient.CreateAsync(
     [Fact]
     public async Task ResourceMetadata_DoesNotAddTrailingSlash()
     {
-        // This test verifies that using string for Resource property avoids URI normalization
-        // that would add a trailing slash to URIs without paths
-        const string resourceWithoutTrailingSlash = "http://localhost:5000";
+        // This test verifies that automatically derived resource URIs don't have trailing slashes
+        // and that the client doesn't add them during authentication
 
-        Builder.Services.Configure<McpAuthenticationOptions>(McpAuthenticationDefaults.AuthenticationScheme, options =>
+        // Don't explicitly set Resource - let it be derived from the request
+        await using var app = await StartMcpServerAsync();
+
+        // Authenticate with the client - this will derive the resource URI from the server URL
+        await using var transport = new HttpClientTransport(new()
         {
-            options.ResourceMetadata = new ProtectedResourceMetadata
+            Endpoint = new(McpServerUrl),
+            OAuth = new()
             {
-                Resource = resourceWithoutTrailingSlash,
-                AuthorizationServers = { OAuthServerUrl },
-                ScopesSupported = ["mcp:tools"],
-            };
-        });
+                ClientId = "demo-client",
+                ClientSecret = "demo-secret",
+                RedirectUri = new Uri("http://localhost:1179/callback"),
+                AuthorizationRedirectDelegate = HandleAuthorizationUrlAsync,
+            },
+        }, HttpClient, LoggerFactory);
 
-        await using var app = await StartMcpServerAsync();
+        // This should succeed - the client should not add a trailing slash
+        // If the client incorrectly added a trailing slash, ValidResources would reject it
+        await using var client = await McpClient.CreateAsync(
+            transport, loggerFactory: LoggerFactory, cancellationToken: TestContext.Current.CancellationToken);
+    }
 
-        // Make a direct request to the resource metadata endpoint
-        using var response = await HttpClient.GetAsync(
-            "/.well-known/oauth-protected-resource",
-            TestContext.Current.CancellationToken
-        );
+    [Fact]
+    public async Task ResourceMetadata_PreservesExplicitTrailingSlash()
+    {
+        // This test verifies that explicitly configured trailing slashes are preserved
+        const string resourceWithTrailingSlash = "http://localhost:5000/";
+        
+        // Explicitly configure ValidResources to accept the trailing slash version
+        var originalValidResources = ModelContextProtocol.TestOAuthServer.Program.ValidResources;
+        try
+        {
+            ModelContextProtocol.TestOAuthServer.Program.ValidResources = [resourceWithTrailingSlash, "http://localhost:5000/mcp"];
+            
+            Builder.Services.Configure<McpAuthenticationOptions>(McpAuthenticationDefaults.AuthenticationScheme, options =>
+            {
+                options.ResourceMetadata = new ProtectedResourceMetadata
+                {
+                    Resource = resourceWithTrailingSlash,
+                    AuthorizationServers = { OAuthServerUrl },
+                    ScopesSupported = ["mcp:tools"],
+                };
+            });
 
-        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+            await using var app = await StartMcpServerAsync();
 
-        var metadata = await response.Content.ReadFromJsonAsync<ProtectedResourceMetadata>(
-            McpJsonUtilities.DefaultOptions,
-            TestContext.Current.CancellationToken
-        );
+            // Authenticate with the client
+            await using var transport = new HttpClientTransport(new()
+            {
+                Endpoint = new(McpServerUrl),
+                OAuth = new()
+                {
+                    ClientId = "demo-client",
+                    ClientSecret = "demo-secret",
+                    RedirectUri = new Uri("http://localhost:1179/callback"),
+                    AuthorizationRedirectDelegate = HandleAuthorizationUrlAsync,
+                },
+            }, HttpClient, LoggerFactory);
 
-        Assert.NotNull(metadata);
-        
-        // Verify that the Resource property does NOT have a trailing slash added
-        Assert.Equal(resourceWithoutTrailingSlash, metadata.Resource);
+            // This should succeed with the explicitly configured trailing slash
+            // If the client incorrectly trimmed the slash, ValidResources would reject it
+            await using var client = await McpClient.CreateAsync(
+                transport, loggerFactory: LoggerFactory, cancellationToken: TestContext.Current.CancellationToken);
+        }
+        finally
+        {
+            // Restore original ValidResources
+            ModelContextProtocol.TestOAuthServer.Program.ValidResources = originalValidResources;
+        }
     }
 }

tests/ModelContextProtocol.TestOAuthServer/Program.cs

@@ -16,12 +16,11 @@ public sealed class Program
     private static readonly string _clientMetadataDocumentUrl = $"{_url}/client-metadata/cimd-client.json";
 
     // Port 5000 is used by tests and port 7071 is used by the ProtectedMcpServer sample
-    private static readonly string[] ValidResources = [
+    // Per MCP spec, URIs should not have trailing slashes unless semantically significant
+    public static string[] ValidResources { get; set; } = [
         "http://localhost:5000",
-        "http://localhost:5000/",
         "http://localhost:5000/mcp",
-        "http://localhost:7071",
-        "http://localhost:7071/"
+        "http://localhost:7071"
     ];
 
     private readonly ConcurrentDictionary<string, AuthorizationCodeInfo> _authCodes = new();