Replies: 3 comments 3 replies
-
|
I tried the default Authentication boilerplate: Program.cs Tool.cs [McpServerTool, Description("It prints Hello World!")]
[Authorize]
public static string HelloWorld() => "Hello World!";but it doesnt work, I think the authentication framework is not yet supported |
Beta Was this translation helpful? Give feedback.
-
|
Yes maybe, i am also waiting to find a good solution for authentication and authorizations. |
Beta Was this translation helpful? Give feedback.
-
|
While custom bearer auth works. I cant find a way to access the ClaimsPrincipal or even just the userId inside the tool call Update: Got it, however pls support this natively, maybe by accrpting ClaimsPrincial as param? [McpServerToolType]
public static class EchoTool
{
[McpServerTool(ReadOnly = true), Description("Echoes the message back to the client.")]
public static async Task<string> Echo(IHttpContextAccessor accessor, string message)
{
var userId = accessor.HttpContext?.User.Claims.SingleOrDefault(x => x.Type == ClaimTypes.NameIdentifier)?.Value;
return $"hello {message}";
}
} |
Beta Was this translation helpful? Give feedback.
-
|
@coronabytes How are you using the IHttpContextAccessor in the tool? When I try to use it the httpcontext inside is null. Seems like the tool is on a different scope than the http call itself. |
Beta Was this translation helpful? Give feedback.
-
|
I think |
Beta Was this translation helpful? Give feedback.
-
|
I figure it out using Microsoft.AspNetCore.Http;
namespace Company.Product.Mcp.Server.Authentication;
public class AuthorizationMiddleware
{
private readonly RequestDelegate _next;
public AuthorizationMiddleware(RequestDelegate next)
{
_next = next;
}
public async Task InvokeAsync(HttpContext context)
{
string token = GetToken(context);
if (!ValidateToken(token))
{
context.Response.StatusCode = StatusCodes.Status401Unauthorized;
await context.Response.WriteAsync("Invalid or missing token.");
return;
}
await _next(context); // Token is present, continue
}
private string GetToken(HttpContext context)
{
if (!context.Request.Headers.TryGetValue("Authorization", out var tokenValue))
{
return null;
}
var token = tokenValue.ToString();
// TODO: Remove this.. MCP Inspector v0.14.3 does not have options to send tokens without "Bearer " prefix:
// https://github.com/modelcontextprotocol/inspector/issues/249
// I use it as a workaround to be able to test the MCP server with the Inspector.
token = token.Replace("Bearer ", string.Empty, StringComparison.OrdinalIgnoreCase);
return token;
}
private bool ValidateToken(string token)
{
// TODO Logic to validate the token
return false;
}
} app.UseMiddleware<AuthorizationMiddleware>(); |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
Pre-submission Checklist
Question Category
Your Question
How can we add Authentication And Authorization in MCP, just like we add in our API, this make our api authorize and give us the identity of user, how can we do same thing with MCP in dotnet
Beta Was this translation helpful? Give feedback.
All reactions