Add auth regression test for missing resource in PRM (#1265)

Copilot · web-flow · commit b8ae4fec2bce · 2026-02-13T09:26:00.000-08:00
diff --git a/tests/ModelContextProtocol.AspNetCore.Tests/OAuth/AuthTests.cs b/tests/ModelContextProtocol.AspNetCore.Tests/OAuth/AuthTests.cs
@@ -4,6 +4,7 @@
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.WebUtilities;
 using Microsoft.Extensions.DependencyInjection;
+using ModelContextProtocol;
 using ModelContextProtocol.AspNetCore.Authentication;
 using ModelContextProtocol.Authentication;
 using ModelContextProtocol.Client;
@@ -528,6 +529,47 @@ await Assert.ThrowsAsync<McpException>(() => McpClient.CreateAsync(
             transport, loggerFactory: LoggerFactory, cancellationToken: TestContext.Current.CancellationToken));
     }
 
+    [Fact]
+    public async Task CannotAuthenticate_WhenProtectedResourceMetadataMissingResource()
+    {
+        TestOAuthServer.RequireResource = false;
+
+        Builder.Services.Configure<McpAuthenticationOptions>(McpAuthenticationDefaults.AuthenticationScheme, options =>
+        {
+            options.Events.OnResourceMetadataRequest = async context =>
+            {
+                context.HandleResponse();
+
+                var metadata = new ProtectedResourceMetadata
+                {
+                    AuthorizationServers = { new Uri(OAuthServerUrl) },
+                    ScopesSupported = ["mcp:tools"],
+                };
+
+                await Results.Json(metadata, McpJsonUtilities.DefaultOptions).ExecuteAsync(context.HttpContext);
+            };
+        });
+
+        await using var app = await StartMcpServerAsync();
+
+        await using var transport = new HttpClientTransport(new()
+        {
+            Endpoint = new(McpServerUrl),
+            OAuth = new()
+            {
+                ClientId = "demo-client",
+                ClientSecret = "demo-secret",
+                RedirectUri = new Uri("http://localhost:1179/callback"),
+                AuthorizationRedirectDelegate = HandleAuthorizationUrlAsync,
+            },
+        }, HttpClient, LoggerFactory);
+
+        var ex = await Assert.ThrowsAsync<McpException>(() => McpClient.CreateAsync(
+            transport, loggerFactory: LoggerFactory, cancellationToken: TestContext.Current.CancellationToken));
+
+        Assert.Contains("Resource URI in metadata", ex.Message);
+    }
+
     [Fact]
     public async Task CanAuthenticate_WithAuthorizationServerPathInsertionMetadata()
     {
diff --git a/tests/ModelContextProtocol.TestOAuthServer/Program.cs b/tests/ModelContextProtocol.TestOAuthServer/Program.cs
@@ -67,6 +67,14 @@ public Program(ILoggerProvider? loggerProvider = null, IConnectionListenerFactor
     /// </remarks>
     public bool ClientIdMetadataDocumentSupported { get; set; } = true;
 
+    /// <summary>
+    /// Gets or sets a value indicating whether the authorization server requires a resource parameter.
+    /// </summary>
+    /// <remarks>
+    /// The default value is <c>true</c>.
+    /// </remarks>
+    public bool RequireResource { get; set; } = true;
+
     public HashSet<string> DisabledMetadataPaths { get; } = new(StringComparer.OrdinalIgnoreCase);
     public IReadOnlyCollection<string> MetadataRequests => _metadataRequests.ToArray();
 
@@ -290,7 +298,7 @@ IResult HandleMetadataRequest(HttpContext context, string? issuerPath = null)
             }
 
             // Validate resource in accordance with RFC 8707
-            if (string.IsNullOrEmpty(resource) || !ValidResources.Contains(resource))
+            if (RequireResource && (string.IsNullOrEmpty(resource) || !ValidResources.Contains(resource)))
             {
                 return Results.Redirect($"{redirect_uri}?error=invalid_target&error_description=The+specified+resource+is+not+valid&state={state}");
             }
@@ -338,7 +346,7 @@ IResult HandleMetadataRequest(HttpContext context, string? issuerPath = null)
 
             // Validate resource in accordance with RFC 8707
             var resource = form["resource"].ToString();
-            if (string.IsNullOrEmpty(resource) || !ValidResources.Contains(resource))
+            if (RequireResource && (string.IsNullOrEmpty(resource) || !ValidResources.Contains(resource)))
             {
                 return Results.BadRequest(new OAuthErrorResponse
                 {

Original file line number	Diff line number	Diff line change
`@@ -67,6 +67,14 @@ public Program(ILoggerProvider? loggerProvider = null, IConnectionListenerFactor`
`67`	`67`	`/// </remarks>`
`68`	`68`	`public bool ClientIdMetadataDocumentSupported { get; set; } = true;`
`69`	`69`
	`70`	`+ /// <summary>`
	`71`	`+ /// Gets or sets a value indicating whether the authorization server requires a resource parameter.`
	`72`	`+ /// </summary>`
	`73`	`+ /// <remarks>`
	`74`	`+ /// The default value is <c>true</c>.`
	`75`	`+ /// </remarks>`
	`76`	`+ public bool RequireResource { get; set; } = true;`
	`77`	`+`
`70`	`78`	`public HashSet<string> DisabledMetadataPaths { get; } = new(StringComparer.OrdinalIgnoreCase);`
`71`	`79`	`public IReadOnlyCollection<string> MetadataRequests => _metadataRequests.ToArray();`
`72`	`80`
`@@ -290,7 +298,7 @@ IResult HandleMetadataRequest(HttpContext context, string? issuerPath = null)`
`290`	`298`	`}`
`291`	`299`
`292`	`300`	`// Validate resource in accordance with RFC 8707`
`293`		`- if (string.IsNullOrEmpty(resource) \|\| !ValidResources.Contains(resource))`
	`301`	`+ if (RequireResource && (string.IsNullOrEmpty(resource) \|\| !ValidResources.Contains(resource)))`
`294`	`302`	`{`
`295`	`303`	`return Results.Redirect($"{redirect_uri}?error=invalid_target&error_description=The+specified+resource+is+not+valid&state={state}");`
`296`	`304`	`}`
`@@ -338,7 +346,7 @@ IResult HandleMetadataRequest(HttpContext context, string? issuerPath = null)`
`338`	`346`
`339`	`347`	`// Validate resource in accordance with RFC 8707`
`340`	`348`	`var resource = form["resource"].ToString();`
`341`		`- if (string.IsNullOrEmpty(resource) \|\| !ValidResources.Contains(resource))`
	`349`	`+ if (RequireResource && (string.IsNullOrEmpty(resource) \|\| !ValidResources.Contains(resource)))`
`342`	`350`	`{`
`343`	`351`	`return Results.BadRequest(new OAuthErrorResponse`
`344`	`352`	`{`