Respect HandleResponse() and SkipHandler() calls in OnResourceMetadataRequest (#607)

halter73 · web-flow · commit f53e0d2132d9 · 2025-07-17T17:39:05.000-07:00
diff --git a/src/ModelContextProtocol.AspNetCore/Authentication/McpAuthenticationHandler.cs b/src/ModelContextProtocol.AspNetCore/Authentication/McpAuthenticationHandler.cs
@@ -43,8 +43,7 @@ public async Task<bool> HandleRequestAsync()
             return false;
         }
 
-        await HandleResourceMetadataRequestAsync();
-        return true;
+        return await HandleResourceMetadataRequestAsync();
     }
 
     /// <summary>
@@ -78,10 +77,7 @@ private string GetAbsoluteResourceMetadataUri()
         return absoluteUri.ToString();
     }
 
-    /// <summary>
-    /// Handles the resource metadata request.
-    /// </summary>
-    private async Task HandleResourceMetadataRequestAsync()
+    private async Task<bool> HandleResourceMetadataRequestAsync()
     {
         var resourceMetadata = Options.ResourceMetadata;
 
@@ -93,6 +89,23 @@ private async Task HandleResourceMetadataRequestAsync()
             };
 
             await Options.Events.OnResourceMetadataRequest(context);
+
+            if (context.Result is not null)
+            {
+                if (context.Result.Handled)
+                {
+                    return true;
+                }
+                else if (context.Result.Skipped)
+                {
+                    return false;
+                }
+                else if (context.Result.Failure is not null)
+                {
+                    throw new AuthenticationFailureException("An error occurred from the OnResourceMetadataRequest event.", context.Result.Failure);
+                }
+            }
+
             resourceMetadata = context.ResourceMetadata;
         }
 
@@ -104,6 +117,7 @@ private async Task HandleResourceMetadataRequestAsync()
         }
 
         await Results.Json(resourceMetadata, McpJsonUtilities.DefaultOptions.GetTypeInfo(typeof(ProtectedResourceMetadata))).ExecuteAsync(Context);
+        return true;
     }
 
     /// <inheritdoc />
diff --git a/src/ModelContextProtocol.Core/Authentication/ClientOAuthProvider.cs b/src/ModelContextProtocol.Core/Authentication/ClientOAuthProvider.cs
@@ -212,11 +212,6 @@ private async Task PerformOAuthAuthorizationAsync(
         // Get auth server metadata
         var authServerMetadata = await GetAuthServerMetadataAsync(selectedAuthServer, cancellationToken).ConfigureAwait(false);
 
-        if (authServerMetadata is null)
-        {
-            ThrowFailedToHandleUnauthorizedResponse($"Failed to retrieve metadata for authorization server: '{selectedAuthServer}'");
-        }
-
         // Store auth server metadata for future refresh operations
         _authServerMetadata = authServerMetadata;
 
@@ -238,7 +233,7 @@ private async Task PerformOAuthAuthorizationAsync(
         LogOAuthAuthorizationCompleted();
     }
 
-    private async Task<AuthorizationServerMetadata?> GetAuthServerMetadataAsync(Uri authServerUri, CancellationToken cancellationToken)
+    private async Task<AuthorizationServerMetadata> GetAuthServerMetadataAsync(Uri authServerUri, CancellationToken cancellationToken)
     {
         if (!authServerUri.OriginalString.EndsWith("/"))
         {
@@ -249,7 +244,9 @@ private async Task PerformOAuthAuthorizationAsync(
         {
             try
             {
-                var response = await _httpClient.GetAsync(new Uri(authServerUri, path), cancellationToken).ConfigureAwait(false);
+                var wellKnownEndpoint = new Uri(authServerUri, path);
+
+                var response = await _httpClient.GetAsync(wellKnownEndpoint, cancellationToken).ConfigureAwait(false);
                 if (!response.IsSuccessStatusCode)
                 {
                     continue;
@@ -258,23 +255,36 @@ private async Task PerformOAuthAuthorizationAsync(
                 using var stream = await response.Content.ReadAsStreamAsync(cancellationToken).ConfigureAwait(false);
                 var metadata = await JsonSerializer.DeserializeAsync(stream, McpJsonUtilities.JsonContext.Default.AuthorizationServerMetadata, cancellationToken).ConfigureAwait(false);
 
-                if (metadata != null)
+                if (metadata is null)
+                {
+                    continue;
+                }
+
+                if (metadata.AuthorizationEndpoint is null)
                 {
-                    metadata.ResponseTypesSupported ??= ["code"];
-                    metadata.GrantTypesSupported ??= ["authorization_code", "refresh_token"];
-                    metadata.TokenEndpointAuthMethodsSupported ??= ["client_secret_post"];
-                    metadata.CodeChallengeMethodsSupported ??= ["S256"];
+                    ThrowFailedToHandleUnauthorizedResponse($"No authorization_endpoint was provided via '{wellKnownEndpoint}'.");
+                }
 
-                    return metadata;
+                if (metadata.AuthorizationEndpoint.Scheme != Uri.UriSchemeHttp &&
+                    metadata.AuthorizationEndpoint.Scheme != Uri.UriSchemeHttps)
+                {
+                    ThrowFailedToHandleUnauthorizedResponse($"AuthorizationEndpoint must use HTTP or HTTPS. '{metadata.AuthorizationEndpoint}' does not meet this requirement.");
                 }
+
+                metadata.ResponseTypesSupported ??= ["code"];
+                metadata.GrantTypesSupported ??= ["authorization_code", "refresh_token"];
+                metadata.TokenEndpointAuthMethodsSupported ??= ["client_secret_post"];
+                metadata.CodeChallengeMethodsSupported ??= ["S256"];
+
+                return metadata;
             }
             catch (Exception ex)
             {
                 LogErrorFetchingAuthServerMetadata(ex, path);
             }
         }
 
-        return null;
+        throw new McpException($"Failed to find .well-known/openid-configuration or .well-known/oauth-authorization-server metadata for authorization server: '{authServerUri}'");
     }
 
     private async Task<TokenContainer> RefreshTokenAsync(string refreshToken, Uri resourceUri, AuthorizationServerMetadata authServerMetadata, CancellationToken cancellationToken)
@@ -320,12 +330,6 @@ private Uri BuildAuthorizationUrl(
         AuthorizationServerMetadata authServerMetadata,
         string codeChallenge)
     {
-        if (authServerMetadata.AuthorizationEndpoint.Scheme != Uri.UriSchemeHttp &&
-            authServerMetadata.AuthorizationEndpoint.Scheme != Uri.UriSchemeHttps)
-        {
-            throw new ArgumentException("AuthorizationEndpoint must use HTTP or HTTPS.", nameof(authServerMetadata));
-        }
-
         var queryParamsDictionary = new Dictionary<string, string>
         {
             ["client_id"] = GetClientIdOrThrow(),
diff --git a/tests/ModelContextProtocol.AspNetCore.Tests/AuthEventTests.cs b/tests/ModelContextProtocol.AspNetCore.Tests/AuthEventTests.cs
@@ -289,6 +289,87 @@ public async Task ResourceMetadataEndpoint_ThrowsException_WhenNoMetadataProvide
         Assert.Equal(HttpStatusCode.InternalServerError, response.StatusCode);
     }
 
+    [Fact]
+    public async Task ResourceMetadataEndpoint_HandlesResponse_WhenHandleResponseCalled()
+    {
+        Builder.Services.AddMcpServer().WithHttpTransport();
+
+        // Override the configuration to test HandleResponse behavior
+        Builder.Services.Configure<McpAuthenticationOptions>(
+            McpAuthenticationDefaults.AuthenticationScheme,
+            options =>
+            {
+                options.ResourceMetadata = null;
+                options.Events.OnResourceMetadataRequest = async context =>
+                {
+                    // Call HandleResponse() to discontinue processing and return to client
+                    context.HandleResponse();
+                    await Task.CompletedTask;
+                };
+            }
+        );
+
+        await using var app = Builder.Build();
+
+        app.MapMcp().RequireAuthorization();
+
+        await app.StartAsync(TestContext.Current.CancellationToken);
+
+        // Make a direct request to the resource metadata endpoint
+        using var response = await HttpClient.GetAsync(
+            "/.well-known/oauth-protected-resource",
+            TestContext.Current.CancellationToken
+        );
+
+        // The request should be handled by the event handler without returning metadata
+        // Since HandleResponse() was called, the handler should have taken responsibility
+        // for generating the response, which in this case means an empty response
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+
+        // The response should be empty since the event handler called HandleResponse()
+        // but didn't write any content to the response
+        var content = await response.Content.ReadAsStringAsync(TestContext.Current.CancellationToken);
+        Assert.Empty(content);
+    }
+
+    [Fact]
+    public async Task ResourceMetadataEndpoint_SkipsHandler_WhenSkipHandlerCalled()
+    {
+        Builder.Services.AddMcpServer().WithHttpTransport();
+
+        // Override the configuration to test SkipHandler behavior
+        Builder.Services.Configure<McpAuthenticationOptions>(
+            McpAuthenticationDefaults.AuthenticationScheme,
+            options =>
+            {
+                options.ResourceMetadata = null;
+                options.Events.OnResourceMetadataRequest = async context =>
+                {
+                    // Call SkipHandler() to discontinue processing in the current handler
+                    context.SkipHandler();
+                    await Task.CompletedTask;
+                };
+            }
+        );
+
+        await using var app = Builder.Build();
+
+        app.MapMcp().RequireAuthorization();
+
+        await app.StartAsync(TestContext.Current.CancellationToken);
+
+        // Make a direct request to the resource metadata endpoint
+        using var response = await HttpClient.GetAsync(
+            "/.well-known/oauth-protected-resource",
+            TestContext.Current.CancellationToken
+        );
+
+        // When SkipHandler() is called, the authentication handler should skip processing
+        // and let other handlers in the pipeline handle the request. Since there are no
+        // other handlers configured for this endpoint, this should result in a 404
+        Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
+    }
+
     private async Task<string?> HandleAuthorizationUrlAsync(
         Uri authorizationUri,
         Uri redirectUri,

Original file line number	Diff line number	Diff line change
`@@ -212,11 +212,6 @@ private async Task PerformOAuthAuthorizationAsync(`
`212`	`212`	`// Get auth server metadata`
`213`	`213`	`var authServerMetadata = await GetAuthServerMetadataAsync(selectedAuthServer, cancellationToken).ConfigureAwait(false);`
`214`	`214`
`215`		`- if (authServerMetadata is null)`
`216`		`- {`
`217`		`- ThrowFailedToHandleUnauthorizedResponse($"Failed to retrieve metadata for authorization server: '{selectedAuthServer}'");`
`218`		`- }`
`219`		`-`
`220`	`215`	`// Store auth server metadata for future refresh operations`
`221`	`216`	`_authServerMetadata = authServerMetadata;`
`222`	`217`
`@@ -238,7 +233,7 @@ private async Task PerformOAuthAuthorizationAsync(`
`238`	`233`	`LogOAuthAuthorizationCompleted();`
`239`	`234`	`}`
`240`	`235`
`241`		`- private async Task<AuthorizationServerMetadata?> GetAuthServerMetadataAsync(Uri authServerUri, CancellationToken cancellationToken)`
	`236`	`+ private async Task<AuthorizationServerMetadata> GetAuthServerMetadataAsync(Uri authServerUri, CancellationToken cancellationToken)`
`242`	`237`	`{`
`243`	`238`	`if (!authServerUri.OriginalString.EndsWith("/"))`
`244`	`239`	`{`
`@@ -249,7 +244,9 @@ private async Task PerformOAuthAuthorizationAsync(`
`249`	`244`	`{`
`250`	`245`	`try`
`251`	`246`	`{`
`252`		`- var response = await _httpClient.GetAsync(new Uri(authServerUri, path), cancellationToken).ConfigureAwait(false);`
	`247`	`+ var wellKnownEndpoint = new Uri(authServerUri, path);`
	`248`	`+`
	`249`	`+ var response = await _httpClient.GetAsync(wellKnownEndpoint, cancellationToken).ConfigureAwait(false);`
`253`	`250`	`if (!response.IsSuccessStatusCode)`
`254`	`251`	`{`
`255`	`252`	`continue;`
`@@ -258,23 +255,36 @@ private async Task PerformOAuthAuthorizationAsync(`
`258`	`255`	`using var stream = await response.Content.ReadAsStreamAsync(cancellationToken).ConfigureAwait(false);`
`259`	`256`	`var metadata = await JsonSerializer.DeserializeAsync(stream, McpJsonUtilities.JsonContext.Default.AuthorizationServerMetadata, cancellationToken).ConfigureAwait(false);`
`260`	`257`
`261`		`- if (metadata != null)`
	`258`	`+ if (metadata is null)`
	`259`	`+ {`
	`260`	`+ continue;`
	`261`	`+ }`
	`262`	`+`
	`263`	`+ if (metadata.AuthorizationEndpoint is null)`
`262`	`264`	`{`
`263`		`- metadata.ResponseTypesSupported ??= ["code"];`
`264`		`- metadata.GrantTypesSupported ??= ["authorization_code", "refresh_token"];`
`265`		`- metadata.TokenEndpointAuthMethodsSupported ??= ["client_secret_post"];`
`266`		`- metadata.CodeChallengeMethodsSupported ??= ["S256"];`
	`265`	`+ ThrowFailedToHandleUnauthorizedResponse($"No authorization_endpoint was provided via '{wellKnownEndpoint}'.");`
	`266`	`+ }`
`267`	`267`
`268`		`- return metadata;`
	`268`	`+ if (metadata.AuthorizationEndpoint.Scheme != Uri.UriSchemeHttp &&`
	`269`	`+ metadata.AuthorizationEndpoint.Scheme != Uri.UriSchemeHttps)`
	`270`	`+ {`
	`271`	`+ ThrowFailedToHandleUnauthorizedResponse($"AuthorizationEndpoint must use HTTP or HTTPS. '{metadata.AuthorizationEndpoint}' does not meet this requirement.");`
`269`	`272`	`}`
	`273`	`+`
	`274`	`+ metadata.ResponseTypesSupported ??= ["code"];`
	`275`	`+ metadata.GrantTypesSupported ??= ["authorization_code", "refresh_token"];`
	`276`	`+ metadata.TokenEndpointAuthMethodsSupported ??= ["client_secret_post"];`
	`277`	`+ metadata.CodeChallengeMethodsSupported ??= ["S256"];`
	`278`	`+`
	`279`	`+ return metadata;`
`270`	`280`	`}`
`271`	`281`	`catch (Exception ex)`
`272`	`282`	`{`
`273`	`283`	`LogErrorFetchingAuthServerMetadata(ex, path);`
`274`	`284`	`}`
`275`	`285`	`}`
`276`	`286`
`277`		`- return null;`
	`287`	`+ throw new McpException($"Failed to find .well-known/openid-configuration or .well-known/oauth-authorization-server metadata for authorization server: '{authServerUri}'");`
`278`	`288`	`}`
`279`	`289`
`280`	`290`	`private async Task<TokenContainer> RefreshTokenAsync(string refreshToken, Uri resourceUri, AuthorizationServerMetadata authServerMetadata, CancellationToken cancellationToken)`
`@@ -320,12 +330,6 @@ private Uri BuildAuthorizationUrl(`
`320`	`330`	`AuthorizationServerMetadata authServerMetadata,`
`321`	`331`	`string codeChallenge)`
`322`	`332`	`{`
`323`		`- if (authServerMetadata.AuthorizationEndpoint.Scheme != Uri.UriSchemeHttp &&`
`324`		`- authServerMetadata.AuthorizationEndpoint.Scheme != Uri.UriSchemeHttps)`
`325`		`- {`
`326`		`- throw new ArgumentException("AuthorizationEndpoint must use HTTP or HTTPS.", nameof(authServerMetadata));`
`327`		`- }`
`328`		`-`
`329`	`333`	`var queryParamsDictionary = new Dictionary<string, string>`
`330`	`334`	`{`
`331`	`335`	`["client_id"] = GetClientIdOrThrow(),`