Support incremental scope consent (SEP-835) (#1084)

Author: halter73

src/ModelContextProtocol.AspNetCore/Authentication/McpAuthenticationHandler.cs

@@ -2,6 +2,7 @@
 using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
+using Microsoft.Net.Http.Headers;
 using ModelContextProtocol.Authentication;
 using System.Text.Encodings.Web;
 
@@ -185,15 +186,9 @@ protected override Task HandleChallengeAsync(AuthenticationProperties properties
         // Get the absolute URI for the resource metadata
         string rawPrmDocumentUri = GetAbsoluteResourceMetadataUri();
 
-        properties ??= new AuthenticationProperties();
-
-        // Store the resource_metadata in properties in case other handlers need it
-        properties.Items["resource_metadata"] = rawPrmDocumentUri;
-
         // Add the WWW-Authenticate header with Bearer scheme and resource metadata
-        string headerValue = $"Bearer realm=\"{Scheme.Name}\", resource_metadata=\"{rawPrmDocumentUri}\"";
-        Response.Headers.Append("WWW-Authenticate", headerValue);
-
+        string headerValue = $"Bearer resource_metadata=\"{rawPrmDocumentUri}\"";
+        Response.Headers.Append(HeaderNames.WWWAuthenticate, headerValue);
         return base.HandleChallengeAsync(properties);
     }
 

src/ModelContextProtocol.AspNetCore/StreamableHttpHandler.cs

@@ -275,6 +275,7 @@ internal static string MakeNewSessionId()
         RandomNumberGenerator.Fill(buffer);
         return WebEncoders.Base64UrlEncode(buffer);
     }
+
     internal static async Task<JsonRpcMessage?> ReadJsonRpcMessageAsync(HttpContext context)
     {
         // Implementation for reading a JSON-RPC message from the request body
@@ -291,7 +292,6 @@ internal static string MakeNewSessionId()
         return message;
     }
 
-
     internal static Task RunSessionAsync(HttpContext httpContext, McpServer session, CancellationToken requestAborted)
         => session.RunAsync(requestAborted);