modelcontextprotocol
diff --git a/‎docs/concepts/filters.md‎
Lines changed: 52 additions & 2 deletions b/‎docs/concepts/filters.md‎
Lines changed: 52 additions & 2 deletions
diff --git a/‎src/ModelContextProtocol.AspNetCore/AuthorizationFilterSetup.cs‎
Lines changed: 153 additions & 11 deletions b/‎src/ModelContextProtocol.AspNetCore/AuthorizationFilterSetup.cs‎
Lines changed: 153 additions & 11 deletions
diff --git a/‎src/ModelContextProtocol.AspNetCore/HttpMcpServerBuilderExtensions.cs‎
Lines changed: 25 additions & 2 deletions b/‎src/ModelContextProtocol.AspNetCore/HttpMcpServerBuilderExtensions.cs‎
Lines changed: 25 additions & 2 deletions
@@ -121,7 +121,20 @@ Execution flow: `filter1 -> filter2 -> filter3 -> baseHandler -> filter3 -> filt
 
 ## Built-in Authorization Filters
 
-When using the ASP.NET Core integration (`ModelContextProtocol.AspNetCore`), authorization filters are automatically configured to support `[Authorize]` and `[AllowAnonymous]` attributes on MCP server tools, prompts, and resources.
+When using the ASP.NET Core integration (`ModelContextProtocol.AspNetCore`), you can add authorization filters to support `[Authorize]` and `[AllowAnonymous]` attributes on MCP server tools, prompts, and resources by calling `AddAuthorizationFilters()` on your MCP server builder.
+
+### Enabling Authorization Filters
+
+To enable authorization support, call `AddAuthorizationFilters()` when configuring your MCP server:
+
+```csharp
+services.AddMcpServer()
+    .WithHttpTransport()
+    .AddAuthorizationFilters() // Enable authorization filter support
+    .WithTools<WeatherTools>();
+```
+
+**Important**: You should always call `AddAuthorizationFilters()` when using ASP.NET Core integration if you want to use authorization attributes like `[Authorize]` on your MCP server tools, prompts, or resources.
 
 ### Authorization Attributes Support
 
@@ -200,9 +213,45 @@ For individual operations, the filters return authorization errors when access i
 - **Prompts**: Throws an `McpException` with "Access forbidden" message
 - **Resources**: Throws an `McpException` with "Access forbidden" message
 
+### Filter Execution Order and Authorization
+
+Authorization filters are applied automatically when you call `AddAuthorizationFilters()`. These filters run at a specific point in the filter pipeline, which means:
+
+**Filters added before authorization filters** can see:
+- Unauthorized requests for operations before they are rejected by the authorization filters
+- Complete listings for unauthorized primitives before they are filtered out by the authorization filters
+
+**Filters added after authorization filters** will only see:
+- Authorized requests that passed authorization checks
+- Filtered listings containing only authorized primitives
+
+This allows you to implement logging, metrics, or other cross-cutting concerns that need to see all requests, while still maintaining proper authorization:
+
+```csharp
+services.AddMcpServer()
+    .WithHttpTransport()
+    .AddListToolsFilter(next => async (context, cancellationToken) =>
+    {
+        // This filter runs BEFORE authorization - sees all tools
+        Console.WriteLine("Request for tools list - will see all tools");
+        var result = await next(context, cancellationToken);
+        Console.WriteLine($"Returning {result.Tools?.Count ?? 0} tools after authorization");
+        return result;
+    })
+    .AddAuthorizationFilters() // Authorization filtering happens here
+    .AddListToolsFilter(next => async (context, cancellationToken) =>
+    {
+        // This filter runs AFTER authorization - only sees authorized tools
+        var result = await next(context, cancellationToken);
+        Console.WriteLine($"Post-auth filter sees {result.Tools?.Count ?? 0} authorized tools");
+        return result;
+    })
+    .WithTools<WeatherTools>();
+```
+
 ### Setup Requirements
 
-To use authorization features, you must configure authentication and authorization in your ASP.NET Core application:
+To use authorization features, you must configure authentication and authorization in your ASP.NET Core application and call `AddAuthorizationFilters()`:
 
 ```csharp
 var builder = WebApplication.CreateBuilder(args);
@@ -214,6 +263,7 @@ builder.Services.AddAuthorization();
 
 builder.Services.AddMcpServer()
     .WithHttpTransport()
+    .AddAuthorizationFilters() // Required for authorization support
     .WithTools<WeatherTools>()
     .AddCallToolFilter(next => async (context, cancellationToken) =>
     {
 
@@ -1,3 +1,4 @@
+using System.Diagnostics.CodeAnalysis;
 using System.Security.Claims;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.Extensions.DependencyInjection;
@@ -10,8 +11,10 @@ namespace ModelContextProtocol.AspNetCore;
 /// <summary>
 /// Evaluates authorization policies from endpoint metadata.
 /// </summary>
-internal sealed class AuthorizationFilterSetup(IAuthorizationPolicyProvider? policyProvider = null) : IConfigureOptions<McpServerOptions>
+internal sealed class AuthorizationFilterSetup(IAuthorizationPolicyProvider? policyProvider = null) : IConfigureOptions<McpServerOptions>, IPostConfigureOptions<McpServerOptions>
 {
+    private static readonly string AuthorizationFilterInvokedKey = "ModelContextProtocol.AspNetCore.AuthorizationFilter.Invoked";
+
     public void Configure(McpServerOptions options)
     {
         ConfigureListToolsFilter(options);
@@ -25,10 +28,25 @@ public void Configure(McpServerOptions options)
         ConfigureGetPromptFilter(options);
     }
 
+    public void PostConfigure(string? name, McpServerOptions options)
+    {
+        CheckListToolsFilter(options);
+        CheckCallToolFilter(options);
+
+        CheckListResourcesFilter(options);
+        CheckListResourceTemplatesFilter(options);
+        CheckReadResourceFilter(options);
+
+        CheckListPromptsFilter(options);
+        CheckGetPromptFilter(options);
+    }
+
     private void ConfigureListToolsFilter(McpServerOptions options)
     {
         options.Filters.ListToolsFilters.Add(next => async (context, cancellationToken) =>
         {
+            context.Items[AuthorizationFilterInvokedKey] = true;
+
             var result = await next(context, cancellationToken);
             await FilterAuthorizedItemsAsync(
                 result.Tools, static tool => tool.McpServerTool,
@@ -37,6 +55,22 @@ await FilterAuthorizedItemsAsync(
         });
     }
 
+    private void CheckListToolsFilter(McpServerOptions options)
+    {
+        options.Filters.ListToolsFilters.Add(next => async (context, cancellationToken) =>
+        {
+            var result = await next(context, cancellationToken);
+
+            if (HasAuthorizationMetadata(result.Tools.Select(static tool => tool.McpServerTool))
+                && !context.Items.ContainsKey(AuthorizationFilterInvokedKey))
+            {
+                throw new InvalidOperationException("Authorization filter was not invoked for tools/list operation, but authorization metadata was found on the tools. Ensure that AddAuthorizationFilters() is called on the IMcpServerBuilder to configure authorization filters.");
+            }
+
+            return result;
+        });
+    }
+
     private void ConfigureCallToolFilter(McpServerOptions options)
     {
         options.Filters.CallToolFilters.Add(next => async (context, cancellationToken) =>
@@ -51,6 +85,22 @@ private void ConfigureCallToolFilter(McpServerOptions options)
                 };
             }
 
+            context.Items[AuthorizationFilterInvokedKey] = true;
+
+            return await next(context, cancellationToken);
+        });
+    }
+
+    private void CheckCallToolFilter(McpServerOptions options)
+    {
+        options.Filters.CallToolFilters.Add(next => async (context, cancellationToken) =>
+        {
+            if (HasAuthorizationMetadata(context.MatchedPrimitive)
+                && !context.Items.ContainsKey(AuthorizationFilterInvokedKey))
+            {
+                throw new InvalidOperationException("Authorization filter was not invoked for tools/call operation, but authorization metadata was found on the tool. Ensure that AddAuthorizationFilters() is called on the IMcpServerBuilder to configure authorization filters.");
+            }
+
             return await next(context, cancellationToken);
         });
     }
@@ -59,6 +109,8 @@ private void ConfigureListResourcesFilter(McpServerOptions options)
     {
         options.Filters.ListResourcesFilters.Add(next => async (context, cancellationToken) =>
         {
+            context.Items[AuthorizationFilterInvokedKey] = true;
+
             var result = await next(context, cancellationToken);
             await FilterAuthorizedItemsAsync(
                 result.Resources, static resource => resource.McpServerResource,
@@ -67,10 +119,28 @@ await FilterAuthorizedItemsAsync(
         });
     }
 
+    private void CheckListResourcesFilter(McpServerOptions options)
+    {
+        options.Filters.ListResourcesFilters.Add(next => async (context, cancellationToken) =>
+        {
+            var result = await next(context, cancellationToken);
+
+            if (HasAuthorizationMetadata(result.Resources.Select(static resource => resource.McpServerResource))
+                && !context.Items.ContainsKey(AuthorizationFilterInvokedKey))
+            {
+                throw new InvalidOperationException("Authorization filter was not invoked for resources/list operation, but authorization metadata was found on the resources. Ensure that AddAuthorizationFilters() is called on the IMcpServerBuilder to configure authorization filters.");
+            }
+
+            return result;
+        });
+    }
+
     private void ConfigureListResourceTemplatesFilter(McpServerOptions options)
     {
         options.Filters.ListResourceTemplatesFilters.Add(next => async (context, cancellationToken) =>
         {
+            context.Items[AuthorizationFilterInvokedKey] = true;
+
             var result = await next(context, cancellationToken);
             await FilterAuthorizedItemsAsync(
                 result.ResourceTemplates, static resourceTemplate => resourceTemplate.McpServerResource,
@@ -79,10 +149,28 @@ await FilterAuthorizedItemsAsync(
         });
     }
 
+    private void CheckListResourceTemplatesFilter(McpServerOptions options)
+    {
+        options.Filters.ListResourceTemplatesFilters.Add(next => async (context, cancellationToken) =>
+        {
+            var result = await next(context, cancellationToken);
+
+            if (HasAuthorizationMetadata(result.ResourceTemplates.Select(static resourceTemplate => resourceTemplate.McpServerResource))
+                && !context.Items.ContainsKey(AuthorizationFilterInvokedKey))
+            {
+                throw new InvalidOperationException("Authorization filter was not invoked for resources/templates/list operation, but authorization metadata was found on the resource templates. Ensure that AddAuthorizationFilters() is called on the IMcpServerBuilder to configure authorization filters.");
+            }
+
+            return result;
+        });
+    }
+
     private void ConfigureReadResourceFilter(McpServerOptions options)
     {
         options.Filters.ReadResourceFilters.Add(next => async (context, cancellationToken) =>
         {
+            context.Items[AuthorizationFilterInvokedKey] = true;
+
             var authResult = await GetAuthorizationResultAsync(context.User, context.MatchedPrimitive, context.Services, context);
             if (!authResult.Succeeded)
             {
@@ -93,10 +181,26 @@ private void ConfigureReadResourceFilter(McpServerOptions options)
         });
     }
 
+    private void CheckReadResourceFilter(McpServerOptions options)
+    {
+        options.Filters.ReadResourceFilters.Add(next => async (context, cancellationToken) =>
+        {
+            if (HasAuthorizationMetadata(context.MatchedPrimitive)
+                && !context.Items.ContainsKey(AuthorizationFilterInvokedKey))
+            {
+                throw new InvalidOperationException("Authorization filter was not invoked for resources/read operation, but authorization metadata was found on the resource. Ensure that AddAuthorizationFilters() is called on the IMcpServerBuilder to configure authorization filters.");
+            }
+
+            return await next(context, cancellationToken);
+        });
+    }
+
     private void ConfigureListPromptsFilter(McpServerOptions options)
     {
         options.Filters.ListPromptsFilters.Add(next => async (context, cancellationToken) =>
         {
+            context.Items[AuthorizationFilterInvokedKey] = true;
+
             var result = await next(context, cancellationToken);
             await FilterAuthorizedItemsAsync(
                 result.Prompts, static prompt => prompt.McpServerPrompt,
@@ -105,10 +209,28 @@ await FilterAuthorizedItemsAsync(
         });
     }
 
+    private void CheckListPromptsFilter(McpServerOptions options)
+    {
+        options.Filters.ListPromptsFilters.Add(next => async (context, cancellationToken) =>
+        {
+            var result = await next(context, cancellationToken);
+
+            if (HasAuthorizationMetadata(result.Prompts.Select(static prompt => prompt.McpServerPrompt))
+                && !context.Items.ContainsKey(AuthorizationFilterInvokedKey))
+            {
+                throw new InvalidOperationException("Authorization filter was not invoked for prompts/list operation, but authorization metadata was found on the prompts. Ensure that AddAuthorizationFilters() is called on the IMcpServerBuilder to configure authorization filters.");
+            }
+
+            return result;
+        });
+    }
+
     private void ConfigureGetPromptFilter(McpServerOptions options)
     {
         options.Filters.GetPromptFilters.Add(next => async (context, cancellationToken) =>
         {
+            context.Items[AuthorizationFilterInvokedKey] = true;
+
             var authResult = await GetAuthorizationResultAsync(context.User, context.MatchedPrimitive, context.Services, context);
             if (!authResult.Succeeded)
             {
@@ -119,6 +241,20 @@ private void ConfigureGetPromptFilter(McpServerOptions options)
         });
     }
 
+    private void CheckGetPromptFilter(McpServerOptions options)
+    {
+        options.Filters.GetPromptFilters.Add(next => async (context, cancellationToken) =>
+        {
+            if (HasAuthorizationMetadata(context.MatchedPrimitive)
+                && !context.Items.ContainsKey(AuthorizationFilterInvokedKey))
+            {
+                throw new InvalidOperationException("Authorization filter was not invoked for prompts/get operation, but authorization metadata was found on the prompt. Ensure that AddAuthorizationFilters() is called on the IMcpServerBuilder to configure authorization filters.");
+            }
+
+            return await next(context, cancellationToken);
+        });
+    }
+
     /// <summary>
     /// Filters a collection of items based on authorization policies in their metadata.
     /// For list operations where we need to filter results by authorization.
@@ -141,16 +277,7 @@ private async ValueTask FilterAuthorizedItemsAsync<T>(IList<T> items, Func<T, IM
     private async ValueTask<AuthorizationResult> GetAuthorizationResultAsync(
         ClaimsPrincipal? user, IMcpServerPrimitive? primitive, IServiceProvider? requestServices, object context)
     {
-        // If no primitive was found for this request or there is IAllowAnonymous metadata anywhere on the class or method,
-        // the request should go through as normal.
-        if (primitive is null || primitive.Metadata.Any(static m => m is IAllowAnonymous))
-        {
-            return AuthorizationResult.Success();
-        }
-
-        // There are no [Authorize] style attributes applied to the method or containing class. Any fallback policies
-        // have already been enforced at the HTTP request level by the ASP.NET Core authorization middleware.
-        if (!primitive.Metadata.Any(static m => m is IAuthorizeData or AuthorizationPolicy or IAuthorizationRequirementData))
+        if (!HasAuthorizationMetadata(primitive))
         {
             return AuthorizationResult.Success();
         }
@@ -219,4 +346,19 @@ private async ValueTask<AuthorizationResult> GetAuthorizationResultAsync(
             ? reqPolicyBuilder.Build()
             : AuthorizationPolicy.Combine(policy, reqPolicyBuilder.Build());
     }
+
+    private static bool HasAuthorizationMetadata([NotNullWhen(true)] IMcpServerPrimitive? primitive)
+    {
+        // If no primitive was found for this request or there is IAllowAnonymous metadata anywhere on the class or method,
+        // the request should go through as normal.
+        if (primitive is null || primitive.Metadata.Any(static m => m is IAllowAnonymous))
+        {
+            return false;
+        }
+
+        return primitive.Metadata.Any(static m => m is IAuthorizeData or AuthorizationPolicy or IAuthorizationRequirementData);
+    }
+
+    private static bool HasAuthorizationMetadata(IEnumerable<IMcpServerPrimitive?> primitives)
+        => primitives.Any(HasAuthorizationMetadata);
 }
@@ -1,3 +1,4 @@
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.Extensions.DependencyInjection.Extensions;
 using Microsoft.Extensions.Options;
 using ModelContextProtocol.AspNetCore;
@@ -30,8 +31,7 @@ public static IMcpServerBuilder WithHttpTransport(this IMcpServerBuilder builder
         builder.Services.AddHostedService<IdleTrackingBackgroundService>();
         builder.Services.AddDataProtection();
 
-        // Register authorization filter setup for automatic filter configuration
-        builder.Services.TryAddEnumerable(ServiceDescriptor.Singleton<IConfigureOptions<McpServerOptions>, AuthorizationFilterSetup>());
+        builder.Services.TryAddEnumerable(ServiceDescriptor.Transient<IPostConfigureOptions<McpServerOptions>, AuthorizationFilterSetup>());
 
         if (configureOptions is not null)
         {
@@ -40,4 +40,27 @@ public static IMcpServerBuilder WithHttpTransport(this IMcpServerBuilder builder
 
         return builder;
     }
+
+    /// <summary>
+    /// Adds authorization filters to support <see cref="AuthorizeAttribute"/>
+    /// on MCP server tools, prompts, and resources. This method should always be called when using
+    /// ASP.NET Core integration to ensure proper authorization support.
+    /// </summary>
+    /// <param name="builder">The builder instance.</param>
+    /// <returns>The builder provided in <paramref name="builder"/>.</returns>
+    /// <exception cref="ArgumentNullException"><paramref name="builder"/> is <see langword="null"/>.</exception>
+    /// <remarks>
+    /// This method automatically configures authorization filters for all MCP server handlers. These filters respect
+    /// authorization attributes such as <see cref="AuthorizeAttribute"/>
+    /// and <see cref="AllowAnonymousAttribute"/>.
+    /// </remarks>
+    public static IMcpServerBuilder AddAuthorizationFilters(this IMcpServerBuilder builder)
+    {
+        ArgumentNullException.ThrowIfNull(builder);
+
+        // Allow the authorization filters to get added multiple times in case other middleware changes the matched primitive.
+        builder.Services.AddTransient<IConfigureOptions<McpServerOptions>, AuthorizationFilterSetup>();
+
+        return builder;
+    }
 }