Proxy OAuth endpoints through MCP server in legacy auth test

Update CanAuthenticate_WithLegacyServerWithoutProtectedResourceMetadata to
use McpServerUrl for auth metadata endpoints and proxy OAuth requests to the
real OAuth server, matching the pattern used by the endpoint fallback test.

Update TestOAuthServer RequireResource=false to reject requests that include
a resource parameter, ensuring the client correctly omits it in legacy mode.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: jeffhandley

tests/ModelContextProtocol.AspNetCore.Tests/OAuth/AuthTests.cs

@@ -1064,6 +1064,9 @@ public async Task CanAuthenticate_WithLegacyServerWithoutProtectedResourceMetada
 
         await using var app = Builder.Build();
 
+        // Capture HttpClient for use in the proxy middleware.
+        var httpClient = HttpClient;
+
         app.Use(async (context, next) =>
         {
             // Return 404 for PRM to simulate a legacy server that doesn't support RFC 9728.
@@ -1073,7 +1076,7 @@ public async Task CanAuthenticate_WithLegacyServerWithoutProtectedResourceMetada
                 return;
             }
 
-            // Serve auth server metadata pointing to the real OAuth server endpoints.
+            // Serve auth server metadata pointing to the MCP server's own endpoints.
             // In a real 2025-03-26 deployment, the MCP server itself would be the auth server.
             if (context.Request.Path.StartsWithSegments("/.well-known/oauth-authorization-server") ||
                 context.Request.Path.StartsWithSegments("/.well-known/openid-configuration"))
@@ -1082,9 +1085,9 @@ public async Task CanAuthenticate_WithLegacyServerWithoutProtectedResourceMetada
                 await context.Response.WriteAsync($$"""
                     {
                         "issuer": "{{OAuthServerUrl}}",
-                        "authorization_endpoint": "{{OAuthServerUrl}}/authorize",
-                        "token_endpoint": "{{OAuthServerUrl}}/token",
-                        "registration_endpoint": "{{OAuthServerUrl}}/register",
+                        "authorization_endpoint": "{{McpServerUrl}}/authorize",
+                        "token_endpoint": "{{McpServerUrl}}/token",
+                        "registration_endpoint": "{{McpServerUrl}}/register",
                         "response_types_supported": ["code"],
                         "grant_types_supported": ["authorization_code", "refresh_token"],
                         "token_endpoint_auth_methods_supported": ["client_secret_post"],
@@ -1094,6 +1097,45 @@ await context.Response.WriteAsync($$"""
                 return;
             }
 
+            // Proxy OAuth endpoints to the real OAuth server.
+            // In a real 2025-03-26 deployment, the MCP server itself would host these endpoints.
+            var path = context.Request.Path.Value;
+            if (path is "/authorize" or "/token" or "/register")
+            {
+                var targetUrl = $"{OAuthServerUrl}{path}{context.Request.QueryString}";
+                using var proxyRequest = new HttpRequestMessage(new HttpMethod(context.Request.Method), targetUrl);
+
+                if (context.Request.ContentLength > 0 || context.Request.ContentType is not null)
+                {
+                    proxyRequest.Content = new StreamContent(context.Request.Body);
+                    if (context.Request.ContentType is not null)
+                    {
+                        proxyRequest.Content.Headers.ContentType = System.Net.Http.Headers.MediaTypeHeaderValue.Parse(context.Request.ContentType);
+                    }
+                }
+
+                if (context.Request.Headers.Authorization.Count > 0)
+                {
+                    proxyRequest.Headers.TryAddWithoutValidation("Authorization", context.Request.Headers.Authorization.ToString());
+                }
+
+                using var response = await httpClient.SendAsync(proxyRequest);
+                context.Response.StatusCode = (int)response.StatusCode;
+
+                if (response.Headers.Location is not null)
+                {
+                    context.Response.Headers.Location = response.Headers.Location.ToString();
+                }
+
+                if (response.Content.Headers.ContentType is not null)
+                {
+                    context.Response.ContentType = response.Content.Headers.ContentType.ToString();
+                }
+
+                await response.Content.CopyToAsync(context.Response.Body);
+                return;
+            }
+
             await next();
         });
 

tests/ModelContextProtocol.TestOAuthServer/Program.cs

@@ -69,6 +69,9 @@ public Program(ILoggerProvider? loggerProvider = null, IConnectionListenerFactor
 
     /// <summary>
     /// Gets or sets a value indicating whether the authorization server requires a resource parameter.
+    /// When <c>true</c>, the resource parameter must be present and match a valid resource.
+    /// When <c>false</c>, the resource parameter must be absent to simulate legacy servers that
+    /// do not support RFC 8707 resource indicators.
     /// </summary>
     /// <remarks>
     /// The default value is <c>true</c>.
@@ -297,8 +300,9 @@ IResult HandleMetadataRequest(HttpContext context, string? issuerPath = null)
                 return Results.Redirect($"{redirect_uri}?error=invalid_request&error_description=Only+S256+code_challenge_method+is+supported&state={state}");
             }
 
-            // Validate resource in accordance with RFC 8707
-            if (RequireResource && (string.IsNullOrEmpty(resource) || !ValidResources.Contains(resource)))
+            // Validate resource in accordance with RFC 8707.
+            // When RequireResource is false, the resource parameter must be absent (legacy mode).
+            if (RequireResource ? (string.IsNullOrEmpty(resource) || !ValidResources.Contains(resource)) : !string.IsNullOrEmpty(resource))
             {
                 return Results.Redirect($"{redirect_uri}?error=invalid_target&error_description=The+specified+resource+is+not+valid&state={state}");
             }
@@ -344,9 +348,10 @@ IResult HandleMetadataRequest(HttpContext context, string? issuerPath = null)
                     type: "https://tools.ietf.org/html/rfc6749#section-5.2");
             }
 
-            // Validate resource in accordance with RFC 8707
+            // Validate resource in accordance with RFC 8707.
+            // When RequireResource is false, the resource parameter must be absent (legacy mode).
             var resource = form["resource"].ToString();
-            if (RequireResource && (string.IsNullOrEmpty(resource) || !ValidResources.Contains(resource)))
+            if (RequireResource ? (string.IsNullOrEmpty(resource) || !ValidResources.Contains(resource)) : !string.IsNullOrEmpty(resource))
             {
                 return Results.BadRequest(new OAuthErrorResponse
                 {