Rename RequireResource to ExpectResource in TestOAuthServer

jeffhandley · Copilot · jeffhandley · commit e96f4dcb9e20 · 2026-02-24T13:58:32.000-08:00
The property now rejects requests that include a resource parameter when set
to false, so ExpectResource better describes the bidirectional validation.

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/tests/ModelContextProtocol.AspNetCore.Tests/OAuth/AuthTests.cs b/tests/ModelContextProtocol.AspNetCore.Tests/OAuth/AuthTests.cs
@@ -586,7 +586,7 @@ await Assert.ThrowsAsync<McpException>(() => McpClient.CreateAsync(
     [Fact]
     public async Task CannotAuthenticate_WhenProtectedResourceMetadataMissingResource()
     {
-        TestOAuthServer.RequireResource = false;
+        TestOAuthServer.ExpectResource = false;
 
         Builder.Services.Configure<McpAuthenticationOptions>(McpAuthenticationDefaults.AuthenticationScheme, options =>
         {
@@ -1051,7 +1051,7 @@ public async Task CanAuthenticate_WithLegacyServerWithoutProtectedResourceMetada
         // 2025-03-26 backcompat: server does NOT serve PRM, but DOES serve auth server metadata.
         // The client should fall back to using the MCP server's origin as the auth server
         // and discover auth metadata from well-known URLs on that origin.
-        TestOAuthServer.RequireResource = false;
+        TestOAuthServer.ExpectResource = false;
 
         // Use JwtBearer as the challenge scheme so the 401 response does NOT include resource_metadata.
         Builder.Services.Configure<AuthenticationOptions>(options => options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme);
@@ -1166,7 +1166,7 @@ public async Task CanAuthenticate_WithLegacyServerUsingDefaultEndpointFallback()
         // 2025-03-26 backcompat: server does NOT serve PRM AND does NOT serve auth server metadata.
         // The client should fall back to default endpoint paths (/authorize, /token, /register)
         // on the MCP server's origin.
-        TestOAuthServer.RequireResource = false;
+        TestOAuthServer.ExpectResource = false;
 
         // Use JwtBearer as the challenge scheme so the 401 response does NOT include resource_metadata.
         Builder.Services.Configure<AuthenticationOptions>(options => options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme);
diff --git a/tests/ModelContextProtocol.TestOAuthServer/Program.cs b/tests/ModelContextProtocol.TestOAuthServer/Program.cs
@@ -68,15 +68,15 @@ public Program(ILoggerProvider? loggerProvider = null, IConnectionListenerFactor
     public bool ClientIdMetadataDocumentSupported { get; set; } = true;
 
     /// <summary>
-    /// Gets or sets a value indicating whether the authorization server requires a resource parameter.
+    /// Gets or sets a value indicating whether the authorization server expects a resource parameter.
     /// When <c>true</c>, the resource parameter must be present and match a valid resource.
     /// When <c>false</c>, the resource parameter must be absent to simulate legacy servers that
     /// do not support RFC 8707 resource indicators.
     /// </summary>
     /// <remarks>
     /// The default value is <c>true</c>.
     /// </remarks>
-    public bool RequireResource { get; set; } = true;
+    public bool ExpectResource { get; set; } = true;
 
     public HashSet<string> DisabledMetadataPaths { get; } = new(StringComparer.OrdinalIgnoreCase);
     public IReadOnlyCollection<string> MetadataRequests => _metadataRequests.ToArray();
@@ -301,8 +301,8 @@ IResult HandleMetadataRequest(HttpContext context, string? issuerPath = null)
             }
 
             // Validate resource in accordance with RFC 8707.
-            // When RequireResource is false, the resource parameter must be absent (legacy mode).
-            if (RequireResource ? (string.IsNullOrEmpty(resource) || !ValidResources.Contains(resource)) : !string.IsNullOrEmpty(resource))
+            // When ExpectResource is false, the resource parameter must be absent (legacy mode).
+            if (ExpectResource ? (string.IsNullOrEmpty(resource) || !ValidResources.Contains(resource)) : !string.IsNullOrEmpty(resource))
             {
                 return Results.Redirect($"{redirect_uri}?error=invalid_target&error_description=The+specified+resource+is+not+valid&state={state}");
             }
@@ -349,9 +349,9 @@ IResult HandleMetadataRequest(HttpContext context, string? issuerPath = null)
             }
 
             // Validate resource in accordance with RFC 8707.
-            // When RequireResource is false, the resource parameter must be absent (legacy mode).
+            // When ExpectResource is false, the resource parameter must be absent (legacy mode).
             var resource = form["resource"].ToString();
-            if (RequireResource ? (string.IsNullOrEmpty(resource) || !ValidResources.Contains(resource)) : !string.IsNullOrEmpty(resource))
+            if (ExpectResource ? (string.IsNullOrEmpty(resource) || !ValidResources.Contains(resource)) : !string.IsNullOrEmpty(resource))
             {
                 return Results.BadRequest(new OAuthErrorResponse
                 {
