Address copilot PR feedback

Author: halter73

src/ModelContextProtocol.AspNetCore/Authentication/McpAuthenticationHandler.cs

@@ -76,8 +76,8 @@ private string GetAbsoluteResourceMetadataUri()
                 return resourceMetadataUri.ToString();
             }
 
-            var seperator = resourceMetadataUri.OriginalString.StartsWith("/") ? "" : "/";
-            return $"{Request.Scheme}://{Request.Host.ToUriComponent()}{Request.PathBase}{seperator}{resourceMetadataUri.OriginalString}";
+            var separator = resourceMetadataUri.OriginalString.StartsWith("/") ? "" : "/";
+            return $"{Request.Scheme}://{Request.Host.ToUriComponent()}{Request.PathBase}{separator}{resourceMetadataUri.OriginalString}";
         }
 
         return $"{Request.Scheme}://{Request.Host.ToUriComponent()}{Request.PathBase}{DefaultResourceMetadataPath}{Request.Path}";
@@ -105,17 +105,15 @@ private bool IsConfiguredEndpointRequest(Uri resourceMetadataUri)
         if (!string.Equals(Request.Host.Host, resourceMetadataUri.Host, StringComparison.OrdinalIgnoreCase))
         {
             Logger.LogWarning(
-                "Resource metadata request host '{RequestHost}' did not match configured host '{ConfiguredHost}'.",
-                Request.Host.Value,
+                "Resource metadata request host did not match configured host '{ConfiguredHost}'.",
                 resourceMetadataUri.Host);
             return false;
         }
 
         if (!string.Equals(Request.Scheme, resourceMetadataUri.Scheme, StringComparison.OrdinalIgnoreCase))
         {
             Logger.LogWarning(
-                "Resource metadata request scheme '{RequestScheme}' did not match configured scheme '{ConfiguredScheme}'.",
-                Request.Scheme,
+                "Resource metadata request scheme did not match configured scheme '{ConfiguredScheme}'.",
                 resourceMetadataUri.Scheme);
             return false;
         }
@@ -173,6 +171,11 @@ private async Task<bool> HandleResourceMetadataRequestAsync(Uri? derivedResource
 
         resourceMetadata.Resource ??= derivedResourceUri;
 
+        if (resourceMetadata.Resource is null)
+        {
+            throw new InvalidOperationException("ResourceMetadata.Resource could not be determined. Please set McpAuthenticationOptions.ResourceMetadata.Resource or avoid setting a custom McpAuthenticationOptions.ResourceMetadataUri.");
+        }
+
         await Results.Json(resourceMetadata, McpJsonUtilities.DefaultOptions.GetTypeInfo(typeof(ProtectedResourceMetadata))).ExecuteAsync(Context);
         return true;
     }

src/ModelContextProtocol.Core/Authentication/ProtectedResourceMetadata.cs

@@ -15,8 +15,9 @@ public sealed class ProtectedResourceMetadata
     /// The protected resource's resource identifier.
     /// </value>
     /// <remarks>
-    /// OPTIONAL. When omitted, the MCP authentication handler infers the resource URI from the incoming request when serving
-    /// the default <c>/.well-known/oauth-protected-resource</c> endpoint.
+    /// OPTIONAL. When omitted, the MCP authentication handler infers the resource URI from the incoming request only when serving
+    /// the default <c>/.well-known/oauth-protected-resource</c> endpoint. If a custom <c>ResourceMetadataUri</c> is configured,
+    /// <b>Resource</b> must be explicitly set. Automatic inference only works with the default endpoint pattern.
     /// </remarks>
     [JsonPropertyName("resource")]
     public Uri? Resource { get; set; }

tests/ModelContextProtocol.AspNetCore.Tests/MapMcpTests.cs

@@ -1,7 +1,6 @@
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.DependencyInjection;
-using Microsoft.Extensions.Logging;
 using ModelContextProtocol.AspNetCore.Tests.Utils;
 using ModelContextProtocol.Client;
 using ModelContextProtocol.Protocol;
@@ -147,7 +146,6 @@ public async Task Sampling_DoesNotCloseStreamPrematurely()
         Assert.SkipWhen(Stateless, "Sampling is not supported in stateless mode.");
 
         Builder.Services.AddMcpServer().WithHttpTransport(ConfigureStateless).WithTools<SamplingRegressionTools>();
-        Builder.Logging.SetMinimumLevel(LogLevel.Debug);
 
         await using var app = Builder.Build();
 

tests/ModelContextProtocol.AspNetCore.Tests/OAuth/McpAuthenticationHandlerTests.cs

@@ -11,7 +11,7 @@
 using System.Net.Http.Json;
 using System.Text.Encodings.Web;
 
-namespace ModelContextProtocol.AspNetCore.Tests.Authentication;
+namespace ModelContextProtocol.AspNetCore.Tests.OAuth;
 
 public class McpAuthenticationHandlerTests(ITestOutputHelper outputHelper) : KestrelInMemoryTest(outputHelper)
 {
@@ -23,6 +23,7 @@ public async Task Challenge_WithRelativeResourceMetadataUri_SetsAbsoluteUrl()
         await using var app = await StartAuthenticationServerAsync(options =>
         {
             options.ResourceMetadataUri = new Uri(metadataPath, UriKind.Relative);
+            options.ResourceMetadata!.Resource = new Uri("http://localhost:5000/challenge");
         });
 
         using var challengeResponse = await HttpClient.GetAsync(new Uri("/challenge", UriKind.Relative), HttpCompletionOption.ResponseHeadersRead, TestContext.Current.CancellationToken);
@@ -36,14 +37,34 @@ public async Task Challenge_WithRelativeResourceMetadataUri_SetsAbsoluteUrl()
         metadataResponse.EnsureSuccessStatusCode();
     }
 
+    [Fact]
+    public async Task MetadataRequest_CustomResourceMetadataUriWithoutResource_ThrowsInvalidOperationException()
+    {
+        const string metadataPath = "/.well-known/custom-metadata";
+
+        await using var app = await StartAuthenticationServerAsync(options =>
+        {
+            options.ResourceMetadataUri = new Uri(metadataPath, UriKind.Relative);
+        });
+
+        using var response = await HttpClient.GetAsync(new Uri(metadataPath, UriKind.Relative), TestContext.Current.CancellationToken);
+
+        Assert.Equal(HttpStatusCode.InternalServerError, response.StatusCode);
+        Assert.Contains(MockLoggerProvider.LogMessages, log =>
+            log.LogLevel == LogLevel.Error &&
+            log.Exception is InvalidOperationException &&
+            log.Exception.Message.Contains("ResourceMetadata.Resource could not be determined", StringComparison.Ordinal));
+    }
+
     [Fact]
     public async Task Challenge_WithAbsoluteResourceMetadataUri_SetsConfiguredUrl()
     {
-        var metadataUri = new Uri("http://localhost:5000/.well-known/custom-absolute", UriKind.Absolute);
+        var metadataUri = new Uri("http://localhost:5000/.well-known/custom-absolute");
 
         await using var app = await StartAuthenticationServerAsync(options =>
         {
             options.ResourceMetadataUri = metadataUri;
+            options.ResourceMetadata!.Resource = new Uri("http://localhost:5000/challenge");
         });
 
         using var challengeResponse = await HttpClient.GetAsync(new Uri("/challenge", UriKind.Relative), HttpCompletionOption.ResponseHeadersRead, TestContext.Current.CancellationToken);
@@ -60,7 +81,7 @@ public async Task Challenge_WithAbsoluteResourceMetadataUri_SetsConfiguredUrl()
     [Fact]
     public async Task MetadataRequest_WithHostMismatch_LogsWarning()
     {
-        var metadataUri = new Uri("http://expected-host:5000/.well-known/host-mismatch", UriKind.Absolute);
+        var metadataUri = new Uri("http://expected-host:5000/.well-known/host-mismatch");
 
         await using var app = await StartAuthenticationServerAsync(options =>
         {
@@ -146,7 +167,11 @@ private async Task<WebApplication> StartAuthenticationServerAsync(Action<McpAuth
 
         authenticationBuilder.AddScheme<McpAuthenticationOptions, McpAuthenticationHandler>(McpAuthenticationDefaults.AuthenticationScheme, options =>
         {
-            options.ResourceMetadata = CreateMetadata();
+            options.ResourceMetadata = new()
+            {
+                AuthorizationServers = [new Uri("https://localhost:7029")],
+                ScopesSupported = ["mcp:tools"],
+            };
             configureOptions?.Invoke(options);
         });
 
@@ -167,12 +192,6 @@ private async Task<WebApplication> StartAuthenticationServerAsync(Action<McpAuth
         return app;
     }
 
-    private static ProtectedResourceMetadata CreateMetadata() => new()
-    {
-        AuthorizationServers = [new Uri("https://localhost:7029")],
-        ScopesSupported = ["mcp:tools"],
-    };
-
     private sealed class NoopBearerAuthenticationHandler(
         IOptionsMonitor<AuthenticationSchemeOptions> options,
         ILoggerFactory logger,