Support incremental scope consent (SEP-835)

- Properly handle path segments in issuer path
- Include port in resource comparison

Author: halter73

src/ModelContextProtocol.AspNetCore/Authentication/McpAuthenticationHandler.cs

@@ -185,15 +185,9 @@ protected override Task HandleChallengeAsync(AuthenticationProperties properties
         // Get the absolute URI for the resource metadata
         string rawPrmDocumentUri = GetAbsoluteResourceMetadataUri();
 
-        properties ??= new AuthenticationProperties();
-
-        // Store the resource_metadata in properties in case other handlers need it
-        properties.Items["resource_metadata"] = rawPrmDocumentUri;
-
         // Add the WWW-Authenticate header with Bearer scheme and resource metadata
-        string headerValue = $"Bearer realm=\"{Scheme.Name}\", resource_metadata=\"{rawPrmDocumentUri}\"";
+        string headerValue = $"Bearer resource_metadata=\"{rawPrmDocumentUri}\"";
         Response.Headers.Append("WWW-Authenticate", headerValue);
-
         return base.HandleChallengeAsync(properties);
     }
 

src/ModelContextProtocol.AspNetCore/StreamableHttpHandler.cs

@@ -275,6 +275,7 @@ internal static string MakeNewSessionId()
         RandomNumberGenerator.Fill(buffer);
         return WebEncoders.Base64UrlEncode(buffer);
     }
+
     internal static async Task<JsonRpcMessage?> ReadJsonRpcMessageAsync(HttpContext context)
     {
         // Implementation for reading a JSON-RPC message from the request body
@@ -291,7 +292,6 @@ internal static string MakeNewSessionId()
         return message;
     }
 
-
     internal static Task RunSessionAsync(HttpContext httpContext, McpServer session, CancellationToken requestAborted)
         => session.RunAsync(requestAborted);