Description
I'm trying to create an MCP server that is simply a wrapper on top of an existing API, for example some Google API. I want the MCP server to expose corresponding authorization metadata (authorization server URL etc.) so the clients using this MCP can prompt the user to authenticate. However, I do not want to validate the Google token myself, and instead I just want to pass it as is to the corresponding Google API, which can do all the necessary validation on its side.
I tried following the ProtectedMcpServer example and was able to expose the authorization metadata, which seems to work pretty well, and my MCP client is able to authenticate and obtain a valid Google access token and send a valid Authorization header to the MCP.
But the issue was that the sample app also tries to validate the token, which fails because the token Google generates is not a valid JWT token (has only one dot in it). I was able to work around that by providing my own TokenHandler which always returns success, then I hit another issue when the framework tries to create an AuthenticationTicket, for which I had to set a Principal object and Success result in the OnMessageReceived event. But now I'm still getting 403 since some authorization is still taking place, and I'm not sure how to disable it, while still keeping OAuth metadata for MCP clients.
Is there any way to get this to work and just let the access token be passed to the underlying API without any additional validation? Or am I doing something completely wrong that I shouldn't be doing, which is not supported and is intentionally made hard to work around?