remove unsure parts

Author: anuchandy

core/Azure.Mcp.Core/src/Areas/Server/Authentication/HttpHost/HttpHostAuthSetupFactory.cs

@@ -40,11 +40,7 @@ public static IHttpHostAuthSetup Create(ServerConfiguration serverConfiguration)
         }
 
         var outboundType = serverConfiguration.OutboundAuthentication?.Type;
-        if (outboundType == OutboundAuthenticationType.JwtObo)
-        {
-            return new JwtOboHttpHostAuthSetup(serverConfiguration);
-        }
-        else if (outboundType == OutboundAuthenticationType.ManagedIdentity)
+        if (outboundType == OutboundAuthenticationType.ManagedIdentity)
         {
             return new JwtHttpHostAuthSetup(serverConfiguration);
         }

core/Azure.Mcp.Core/src/Areas/Server/Authentication/HttpHost/JwtOboHttpHostAuthSetup.cs

@@ -32,7 +32,6 @@ internal sealed class JwtOboHttpHostAuthSetup : IHttpHostAuthSetup
     public JwtOboHttpHostAuthSetup(ServerConfiguration serverConfiguration)
     {
         _serverConfiguration = serverConfiguration ?? throw new ArgumentNullException(nameof(serverConfiguration));
-        ValidateClientCredential(_serverConfiguration.OutboundAuthentication.ClientCredential!);
     }
 
     /// <summary>
@@ -42,22 +41,7 @@ public JwtOboHttpHostAuthSetup(ServerConfiguration serverConfiguration)
     /// <param name="services">The service collection to configure authentication services in.</param>
     public void SetupServices(IServiceCollection services)
     {
-        var inboundAzureAd = _serverConfiguration.InboundAuthentication.AzureAd!;
-        var clientCredential = _serverConfiguration.OutboundAuthentication.ClientCredential!;
-
-        services.Configure<ForwardedHeadersOptions>(options =>
-        {
-            options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
-            options.KnownNetworks.Clear();
-            options.KnownProxies.Clear();
-        });
-
-        services.AddHttpContextAccessor();
-
-        var microsoftIdentityConfig = CreateMicrosoftIdentityConfiguration(inboundAzureAd, clientCredential);
-        services.AddMicrosoftIdentityWebApiAuthentication(microsoftIdentityConfig, "AzureAd")
-            .EnableTokenAcquisitionToCallDownstreamApi()
-            .AddInMemoryTokenCaches();
+        throw new NotImplementedException("anuchan to discuss with svukel (Steven).");
     }
 
     /// <summary>
@@ -81,59 +65,4 @@ public void SetupEndpoints(IEndpointConventionBuilder mcpEndpoints)
     {
         mcpEndpoints.RequireAuthorization();
     }
-
-    /// <summary>
-    /// Creates an IConfiguration instance for Microsoft Identity Web from Azure AD configuration.
-    /// </summary>
-    /// <param name="inboundAzureAd">The inbound Azure AD configuration for token validation.</param>
-    /// <param name="outboundAzureAd">The outbound Azure AD configuration for OBO token acquisition.</param>
-    /// <returns>An IConfiguration instance that Microsoft Identity Web can use.</returns>
-    private static IConfiguration CreateMicrosoftIdentityConfiguration(AzureAdConfig inboundAzureAd, ClientCredentialConfig clientCredentialConfig)
-    {
-        var configurationData = new Dictionary<string, string?>
-        {
-            ["AzureAd:Instance"] = inboundAzureAd.Instance,
-            ["AzureAd:TenantId"] = inboundAzureAd.TenantId,
-            ["AzureAd:ClientId"] = inboundAzureAd.ClientId,
-            ["AzureAd:Audience"] = inboundAzureAd.Audience,
-            ["AzureAd:ClientSecret"] = clientCredentialConfig.Secret
-        };
-
-        return new ConfigurationBuilder()
-            .AddInMemoryCollection(configurationData)
-            .Build();
-    }
-
-    /// <summary>
-    /// Validates client credential configuration and throws for unsupported types.
-    /// Currently only ClientSecret is supported.
-    /// </summary>
-    /// <param name="clientCredential">The client credential to validate.</param>
-    /// <exception cref="ArgumentException">Thrown when ClientSecret is missing.</exception>
-    /// <exception cref="NotImplementedException">Thrown when certificate types are used (not yet implemented).</exception>
-    private static void ValidateClientCredential(ClientCredentialConfig clientCredential)
-    {
-        switch (clientCredential.Kind)
-        {
-            case JwtOboClientCredentialKind.ClientSecret:
-                if (string.IsNullOrWhiteSpace(clientCredential.Secret))
-                {
-                    throw new ArgumentException("ClientSecret is required when ClientCredential.Kind is ClientSecret", nameof(clientCredential));
-                }
-                break;
-
-            case JwtOboClientCredentialKind.CertificateLocal:
-                throw new NotImplementedException(
-                    "ClientCredential.Kind 'CertificateLocal' is not yet implemented. " +
-                    "Currently only 'ClientSecret' is supported for JWT exchange authentication.");
-
-            case JwtOboClientCredentialKind.CertificateKeyVault:
-                throw new NotImplementedException(
-                    "ClientCredential.Kind 'CertificateKeyVault' is not yet implemented. " +
-                    "Currently only 'ClientSecret' is supported for JWT exchange authentication.");
-
-            default:
-                throw new ArgumentException($"Unsupported ClientCredential.Kind '{clientCredential.Kind}'", nameof(clientCredential));
-        }
-    }
 }

core/Azure.Mcp.Core/src/Areas/Server/Commands/ServiceStartCommand.cs

@@ -344,9 +344,9 @@ private IHost CreateHttpHost(ServiceStartOptions serverOptions)
                     authConfig.SetupServices(services);
                     ConfigureServices(services);
                     var outboundType = serverOptions.ServerConfiguration!.OutboundAuthentication.Type;
-                    if (outboundType == OutboundAuthenticationType.JwtPassthrough ||
-                        outboundType == OutboundAuthenticationType.JwtObo)
+                    if (outboundType == OutboundAuthenticationType.JwtPassthrough)
                     {
+                        // Note: similar no-cache for OutboundAuthenticationType.JwtObo when implemented
                         services.AddSingleton<ICacheService, NoCacheService>();
                     }
                     ConfigureMcpServer(services, serverOptions);

core/Azure.Mcp.Core/src/Services/Azure/Authentication/JwtOboCredentialProvider.cs

@@ -40,7 +40,7 @@ public JwtOboCredentialProvider(IHttpContextAccessor httpContextAccessor, IToken
     /// <returns>A TokenCredential that performs JWT exchange.</returns>
     public Task<TokenCredential> CreateAsync(string? tenant = null)
     {
-        return Task.FromResult<TokenCredential>(new JwtOboTokenCredential(_tokenAcquisition, _httpContextAccessor));
+        throw new NotImplementedException("anuchan to discuss with svukel (Steven).");
     }
 
     /// <summary>
@@ -49,60 +49,7 @@ public Task<TokenCredential> CreateAsync(string? tenant = null)
     /// <returns>User identity string extracted from the incoming token, or null if not available.</returns>
     public string? GetCurrentUserId()
     {
-        try
-        {
-            var httpContext = _httpContextAccessor.HttpContext;
-            var principal = httpContext?.User;
-
-            if (principal?.Identity?.IsAuthenticated != true)
-            {
-                throw new InvalidOperationException("User is not authenticated. JWT exchange authentication requires an authenticated user context.");
-            }
-
-            // Extract user object ID using the same pattern as the reference code
-            var userObjectId = ExtractUserObjectId(principal);
-            var tenantId = ExtractTenantId(principal);
-
-            // Combine tenant and user for unique identifier (similar to cache key pattern)
-            if (!string.IsNullOrEmpty(userObjectId))
-            {
-                return !string.IsNullOrEmpty(tenantId)
-                    ? $"{tenantId}_{userObjectId}"
-                    : userObjectId;
-            }
-
-            throw new InvalidOperationException("Unable to extract user object ID from authentication context. Required claims (oid, sub, etc.) are missing from the token.");
-        }
-        catch (Exception ex)
-        {
-            // Throw exception to prevent cache contamination between users
-            // Better to fail the request than risk cross-user data leakage
-            throw new InvalidOperationException("Failed to extract user identity from authentication context. This is required for secure multi-user operations.", ex);
-        }
-    }
-
-    /// <summary>
-    /// Extracts the tenant ID from the ClaimsPrincipal.
-    /// </summary>
-    /// <param name="principal">The ClaimsPrincipal containing user claims.</param>
-    /// <returns>The tenant ID, or null if not found.</returns>
-    private static string? ExtractTenantId(ClaimsPrincipal principal)
-    {
-        return principal.FindFirst("tid")?.Value
-               ?? principal.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid")?.Value;
-    }
-
-    /// <summary>
-    /// Extracts the user object ID from the ClaimsPrincipal.
-    /// </summary>
-    /// <param name="principal">The ClaimsPrincipal containing user claims.</param>
-    /// <returns>The user object ID, or null if not found.</returns>
-    private static string? ExtractUserObjectId(ClaimsPrincipal principal)
-    {
-        return principal.FindFirst("oid")?.Value
-               ?? principal.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier")?.Value
-               ?? principal.FindFirst(ClaimTypes.NameIdentifier)?.Value
-               ?? principal.FindFirst("sub")?.Value;
+        throw new NotImplementedException("anuchan to discuss with svukel (Steven).");
     }
 
     /// <summary>
@@ -124,87 +71,9 @@ public override AccessToken GetToken(TokenRequestContext requestContext, Cancell
             throw new NotImplementedException("Synchronous token acquisition is not supported. Use GetTokenAsync instead.");
         }
 
-        public override async ValueTask<AccessToken> GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
+        public override ValueTask<AccessToken> GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
         {
-            var httpContext = _httpContextAccessor.HttpContext;
-            if (httpContext == null)
-            {
-                throw new InvalidOperationException("No HTTP context available. This credential can only be used within an HTTP request.");
-            }
-
-            if (requestContext.Scopes == null || requestContext.Scopes.Length == 0)
-            {
-                throw new ArgumentException("Token request context must have at least one scope.", nameof(requestContext));
-            }
-
-            try
-            {
-                var scopes = requestContext.Scopes.ToArray();
-                // This automatically uses the current user's ClaimsPrincipal from HTTP context to perform JWT exchange
-                var accessToken = await _tokenAcquisition.GetAccessTokenForUserAsync(scopes);
-
-                if (string.IsNullOrEmpty(accessToken))
-                {
-                    throw new InvalidOperationException("Token acquisition returned null or empty token.");
-                }
-
-                var expiresOn = ExtractJwtExpiration(accessToken);
-
-                return new AccessToken(accessToken, expiresOn);
-            }
-            catch (Exception ex) when (!(ex is InvalidOperationException))
-            {
-                throw new AuthenticationFailedException($"Failed to acquire JWT exchange token: {ex.Message}", ex);
-            }
-        }
-
-        /// <summary>
-        /// Attempts to extract the expiration time from a JWT token.
-        /// </summary>
-        /// <param name="jwt">The JWT token to parse.</param>
-        /// <returns>The expiration time as a DateTimeOffset, or 15 seconds from now if parsing fails.</returns>
-        private static DateTimeOffset ExtractJwtExpiration(string jwt)
-        {
-            try
-            {
-                var parts = jwt.Split('.');
-                if (parts.Length < 2)
-                {
-                    // Invalid JWT format
-                    return DateTimeOffset.UtcNow.AddSeconds(15);
-                }
-
-                string payload = parts[1];
-
-                // Add padding if needed
-                switch (payload.Length % 4)
-                {
-                    case 2:
-                        payload += "==";
-                        break;
-                    case 3:
-                        payload += "=";
-                        break;
-                }
-
-                var payloadBytes = Convert.FromBase64String(payload);
-                var payloadJson = System.Text.Encoding.UTF8.GetString(payloadBytes);
-
-                using var document = JsonDocument.Parse(payloadJson);
-
-                if (document.RootElement.TryGetProperty("exp", out var expElement))
-                {
-                    var expUnix = expElement.GetInt64();
-                    return DateTimeOffset.FromUnixTimeSeconds(expUnix);
-                }
-                // No exp claim found
-                return DateTimeOffset.UtcNow.AddSeconds(15);
-            }
-            catch
-            {
-                // If parsing fails, return short expiration to use fallback
-                return DateTimeOffset.UtcNow.AddSeconds(15);
-            }
+            throw new NotImplementedException("anuchan to discuss with svukel (Steven).");
         }
     }
 }

core/Azure.Mcp.Core/src/Services/Azure/Authentication/TokenCredentialProviderFactory.cs

@@ -53,12 +53,6 @@ public static ITokenCredentialProvider Create(ServerConfiguration serverConfigur
             var httpContextAccessor = serviceProvider.GetRequiredService<IHttpContextAccessor>();
             return new JwtPassthroughCredentialProvider(httpContextAccessor);
         }
-        else if (outboundType == OutboundAuthenticationType.JwtObo)
-        {
-            var httpContextAccessor = serviceProvider.GetRequiredService<IHttpContextAccessor>();
-            var tokenAcquisition = serviceProvider.GetRequiredService<ITokenAcquisition>();
-            return new JwtOboCredentialProvider(httpContextAccessor, tokenAcquisition);
-        }
         else
         {
             throw new NotSupportedException($"Outbound authentication type '{outboundType}' is not supported.");