Add remote HTTP server mode with OAuth authentication and downstream token acquisition

- Add RunAsRemoteHttpService and OutgoingAuthStrategy options to enable MCP server to run as a remote HTTP service
- Introduce ITokenProvider abstraction for dependency injection of downstream authentication tokens and credentials
- Add support for On-Behalf-Of (OBO) token flow and hosting environment identity modes for outgoing authentication
- Implement OAuth Protected Resource Metadata endpoint at /.well-known/oauth-protected-resource with WWW-Authenticate challenge
- Add Visual Studio launch profile for debugging remote MCP server with Microsoft.Identity.Web configuration
- Modernize HTTP host creation using WebApplicationBuilder with authentication and authorization middleware

Author: vukelich

Directory.Packages.props

@@ -68,6 +68,9 @@
     <PackageVersion Include="Microsoft.Extensions.Configuration" Version="9.0.9" />
     <PackageVersion Include="Microsoft.Extensions.Configuration.EnvironmentVariables" Version="9.0.9" />
     <PackageVersion Include="Microsoft.Extensions.Configuration.Json" Version="9.0.9" />
+    <PackageVersion Include="Microsoft.Identity.Abstractions" Version="9.5.0" />
+    <PackageVersion Include="Microsoft.Identity.Web" Version="3.14.0" />
+    <PackageVersion Include="Microsoft.Identity.Web.Azure" Version="3.14.0" />
     <PackageVersion Include="Microsoft.HybridRow" Version="1.1.0-preview3" />
     <PackageVersion Include="Microsoft.Azure.Cosmos.Aot" Version="0.1.4-preview.2" />
     <PackageVersion Include="Microsoft.Azure.Mcp.AzTypes.Internal.Compact" Version="0.2.802" />
@@ -78,7 +81,7 @@
     <PackageVersion Include="YamlDotNet" Version="16.3.0" />
     <PackageVersion Include="System.CommandLine" Version="2.0.0-rc.1.25451.107" />
     <PackageVersion Include="System.Formats.Asn1" Version="9.0.9" />
-    <PackageVersion Include="System.IdentityModel.Tokens.Jwt" Version="8.11.0" />
+    <PackageVersion Include="System.IdentityModel.Tokens.Jwt" Version="8.14.0" />
     <PackageVersion Include="System.Linq.AsyncEnumerable" Version="10.0.0-rc.1.25451.107" />
     <PackageVersion Include="System.Net.ServerSentEvents" Version="10.0.0-rc.1.25451.107" />
     <PackageVersion Include="System.Numerics.Tensors" Version="9.0.0" />

core/Azure.Mcp.Core/src/Areas/Server/Commands/ServiceCollectionExtensions.cs

@@ -64,14 +64,7 @@ public static IServiceCollection AddAzureMcpServer(this IServiceCollection servi
 
         // Register tool loader strategies
         services.AddSingleton<CommandFactoryToolLoader>();
-        services.AddSingleton(sp =>
-        {
-            return new RegistryToolLoader(
-                sp.GetRequiredService<RegistryDiscoveryStrategy>(),
-                sp.GetRequiredService<IOptions<ToolLoaderOptions>>(),
-                sp.GetRequiredService<ILogger<RegistryToolLoader>>()
-            );
-        });
+        services.AddSingleton<RegistryToolLoader>();
 
         services.AddSingleton<SingleProxyToolLoader>();
         services.AddSingleton<CompositeToolLoader>();
@@ -216,7 +209,7 @@ public static IServiceCollection AddAzureMcpServer(this IServiceCollection servi
 
         var mcpServerBuilder = services.AddMcpServer();
 
-        if (serviceStartOptions.EnableInsecureTransports)
+        if (serviceStartOptions.EnableInsecureTransports || serviceStartOptions.RunAsRemoteHttpService)
         {
             mcpServerBuilder.WithHttpTransport();
         }

core/Azure.Mcp.Core/src/Areas/Server/Commands/ServiceStartCommand.cs

@@ -0,0 +1,38 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+using System.Text.Json.Serialization;
+
+namespace Azure.Mcp.Core.Areas.Server.Models;
+
+/// <summary>
+/// OAuth 2.0 protected resource metadata response model. See https://datatracker.ietf.org/doc/rfc9728/.
+/// </summary>
+public sealed class OAuthProtectedResourceMetadata
+{
+    [JsonPropertyName("resource")]
+    public required string Resource { get; init; }
+
+    [JsonPropertyName("authorization_servers")]
+    public required string[] AuthorizationServers { get; init; }
+
+    [JsonPropertyName("scopes_supported")]
+    public required string[] ScopesSupported { get; init; }
+
+    [JsonPropertyName("bearer_methods_supported")]
+    public required string[] BearerMethodsSupported { get; init; }
+
+    [JsonPropertyName("resource_documentation")]
+    public required string ResourceDocumentation { get; init; }
+
+    [JsonPropertyName("resource_signing_alg_values_supported")]
+    public required string[] ResourceSigningAlgValuesSupported { get; init; }
+}
+
+/// <summary>
+/// JSON serializer context for AOT-safe serialization.
+/// </summary>
+[JsonSerializable(typeof(OAuthProtectedResourceMetadata))]
+internal partial class OAuthMetadataJsonContext : JsonSerializerContext
+{
+}

core/Azure.Mcp.Core/src/Areas/Server/Models/OAuthProtectedResourceMetadata.cs

@@ -0,0 +1,28 @@
+using Azure.Identity;
+
+namespace Azure.Mcp.Core.Areas.Server.Options;
+
+public enum OutgoingAuthenticationTypes
+{
+    /// <summary>
+    /// The value is not set and is in a default state. A safe default will
+    /// be chosen based on other settings.
+    /// </summary>
+    NotSet = 0,
+
+    /// <summary>
+    /// Outgoing requests will use the hosting environment's identity resolving
+    /// in the same way as <see cref="DefaultAzureCredential"/>. This is valid
+    /// for all hosting scenarios. This means all outgoing requests will use the
+    /// same identity regardless of the incoming authenticate request identity,
+    /// if any.
+    /// </summary>
+    UseHostingEnvironmentIdentity = 1,
+
+    /// <summary>
+    /// Outgoing requests will be authenticated based on exchanging the incoming
+    /// request's access token for a new access token valid for the downstream
+    /// service. This is only valid for remote MCP server scenarios.
+    /// </summary>
+    UseOnBehalfOf = 2
+}

core/Azure.Mcp.Core/src/Areas/Server/Options/OutgoingAuthenticationTypes.cs

@@ -13,6 +13,8 @@ public static class ServiceOptionDefinitions
     public const string DebugName = "debug";
     public const string EnableInsecureTransportsName = "enable-insecure-transports";
     public const string InsecureDisableElicitationName = "insecure-disable-elicitation";
+    public const string RunAsRemoteHttpServiceName = "run-as-remote-http-service";
+    public const string OutgoingAuthStrategyName = "outgoing-auth-strategy";
 
     public static readonly Option<string> Transport = new($"--{TransportName}")
     {
@@ -83,4 +85,20 @@ public static class ServiceOptionDefinitions
         Description = "Disable elicitation (user confirmation) before allowing high risk commands to run, such as returning Secrets (passwords) from KeyVault.",
         DefaultValueFactory = _ => false
     };
+
+    public static readonly Option<bool> RunAsRemoteHttpService = new(
+        $"--{RunAsRemoteHttpServiceName}")
+    {
+        Required = false,
+        Description = "Run the server as a remote HTTP service requiring authentication and authorization.",
+        DefaultValueFactory = _ => false
+    };
+
+    public static readonly Option<OutgoingAuthenticationTypes> OutgoingAuthStrategy = new(
+        $"--{OutgoingAuthStrategyName}")
+    {
+        Required = false,
+        Description = "Outgoing authentication strategy for Azure service requests. Valid values: NotSet, UseHostingEnvironmentIdentity, UseOnBehalfOf.",
+        DefaultValueFactory = _ => OutgoingAuthenticationTypes.NotSet
+    };
 }

core/Azure.Mcp.Core/src/Areas/Server/Options/ServiceOptionDefinitions.cs

@@ -64,4 +64,18 @@ public class ServiceStartOptions
     /// </summary>
     [JsonPropertyName("insecureDisableElicitation")]
     public bool InsecureDisableElicitation { get; set; } = false;
+
+    /// <summary>
+    /// Gets or sets whether the server should run as a remote HTTP service.
+    /// When true, the server will require authentication and authorization.
+    /// </summary>
+    [JsonPropertyName("runAsRemoteHttpService")]
+    public bool RunAsRemoteHttpService { get; set; } = false;
+
+    /// <summary>
+    /// Gets or sets the outgoing authentication strategy for Azure service requests.
+    /// Determines whether to use hosting environment identity or on-behalf-of flow.
+    /// </summary>
+    [JsonPropertyName("outgoingAuthStrategy")]
+    public OutgoingAuthenticationTypes OutgoingAuthStrategy { get; set; } = OutgoingAuthenticationTypes.NotSet;
 }

core/Azure.Mcp.Core/src/Areas/Server/Options/ServiceStartOptions.cs

@@ -21,6 +21,9 @@
     <PackageReference Include="Azure.ResourceManager" />
     <PackageReference Include="Azure.ResourceManager.ResourceGraph" />
     <PackageReference Include="Microsoft.Extensions.Azure" />
+    <PackageReference Include="Microsoft.Identity.Abstractions" />
+    <PackageReference Include="Microsoft.Identity.Web" />
+    <PackageReference Include="Microsoft.Identity.Web.Azure" />
     <PackageReference Include="ModelContextProtocol.AspNetCore" />
     <PackageReference Include="System.Linq.AsyncEnumerable" />
   </ItemGroup>

core/Azure.Mcp.Core/src/Azure.Mcp.Core.csproj

@@ -0,0 +1,120 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+using Azure.Mcp.Core.Areas.Server.Options;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.DependencyInjection.Extensions;
+using Microsoft.Identity.Web;
+
+namespace Azure.Mcp.Core.Services.Azure.Authentication;
+
+/// <summary>
+/// Extension methods for configuring Azure authentication services.
+/// </summary>
+public static class AuthenticationServiceCollectionExtensions
+{
+    /// <summary>
+    /// Adds <see cref="IAzureTokenCredentialProvider"/> with lifetime
+    /// <see cref="ServiceLifetime.Singleton"/>to the service collection based on the specified
+    /// <see cref="ServiceStartOptions"/>.
+    /// </summary>
+    /// <param name="services">The service collection.</param>
+    /// <param name="serverOptions">The server options containing the authentication strategy.</param>
+    /// <param name="configuration">
+    /// Configuration required for on-behalf-of authentication. May be <see langword="null"/>
+    /// otherwise.
+    /// </param>
+    /// <returns>The service collection.</returns>
+    /// <exception cref="InvalidOperationException">
+    /// Thrown when the authentication strategy is unsupported or when configuration is required but not provided.
+    /// </exception>
+    /// <remarks>
+    /// This method registers the appropriate <see cref="IAzureTokenCredentialProvider"/> implementation
+    /// based on the <see cref="ServiceStartOptions.OutgoingAuthStrategy"/>:
+    /// <list type="bullet">
+    /// <item><description><see cref="OutgoingAuthenticationTypes.UseHostingEnvironmentIdentity"/> - registers <see cref="SingleIdentityTokenCredentialProvider"/></description></item>
+    /// <item><description><see cref="OutgoingAuthenticationTypes.UseOnBehalfOf"/> - registers <see cref="HttpOnBehalfOfTokenCredentialProvider"/> (requires configuration)</description></item>
+    /// </list>
+    /// </remarks>
+    public static IServiceCollection AddAzureTokenCredentialProvider(
+        this IServiceCollection services,
+        ServiceStartOptions serverOptions,
+        IConfiguration? configuration = null)
+    {
+
+        // ASSUMPTION: validation has already occurred and defaults have been applied in ServiceStartCommand.BindOptions
+        if (serverOptions.OutgoingAuthStrategy == OutgoingAuthenticationTypes.UseHostingEnvironmentIdentity)
+        {
+            services.AddSingleIdentityTokenCredentialProvider();
+        }
+        else if (serverOptions.OutgoingAuthStrategy == OutgoingAuthenticationTypes.UseOnBehalfOf)
+        {
+            if (configuration == null)
+            {
+                throw new InvalidOperationException("Configuration is required for On-Behalf-Of authentication strategy.");
+            }
+            services.AddHttpOnBehalfOfTokenCredentialProvider(configuration);
+        }
+        else
+        {
+            throw new InvalidOperationException($"Unsupported outgoing authentication strategy '{serverOptions.OutgoingAuthStrategy}'.");
+        }
+
+        return services;
+    }
+
+    /// <summary>
+    /// Adds <see cref="SingleIdentityTokenCredentialProvider"/> as a
+    /// <see cref="IAzureTokenCredentialProvider"/> with lifetime <see cref="ServiceLifetime.Singleton"/>
+    /// into the service collection.
+    /// </summary>
+    /// <param name="services">The service collection.</param>
+    /// <returns>The service collection.</returns>
+    /// <remarks>
+    /// <para>
+    /// This method registers the single identity token credential provider which uses the hosting
+    /// environment's identity (e.g., a Managed Identity or a user principal using Azure CLI, Visual
+	/// Studio, etc.).
+    /// </para>
+    /// This method will not override any existing <see cref="IAzureTokenCredentialProvider"/>
+    /// registration. It can be overridden as needed by command line arguments and configurations
+    /// with <see cref="AddAzureTokenCredentialProvider"/>.
+    /// </remarks>
+    public static IServiceCollection AddSingleIdentityTokenCredentialProvider(this IServiceCollection services)
+    {
+        services.TryAddSingleton<IAzureTokenCredentialProvider, SingleIdentityTokenCredentialProvider>();
+        return services;
+    }
+
+    /// <summary>
+    /// Adds <see cref="HttpOnBehalfOfTokenCredentialProvider"/> as a
+    /// <see cref="IAzureTokenCredentialProvider"/> with lifetime <see cref="ServiceLifetime.Singleton"/>
+    /// into the service collection, along with all required dependencies.
+    /// </summary>
+    /// <param name="services">The service collection.</param>
+    /// <param name="configuration">The application configuration containing Azure AD settings.</param>
+    /// <returns>The service collection.</returns>
+    /// <remarks>
+    /// This method will override any existing <see cref="IAzureTokenCredentialProvider"/> registration.
+    /// This is unlike <see cref="AddSingleIdentityTokenCredentialProvider"/>.
+    /// </remarks>
+    private static IServiceCollection AddHttpOnBehalfOfTokenCredentialProvider(
+        this IServiceCollection services,
+        IConfiguration configuration)
+    {
+        // Dependencies - directly in constructor.
+        services.AddHttpContextAccessor();
+
+        // Dependencies - indirectly required to get MicrosoftIdentityTokenCredential.
+        services.AddMicrosoftIdentityWebAppAuthentication(configuration)
+            .EnableTokenAcquisitionToCallDownstreamApi()
+            .AddInMemoryTokenCaches();
+        services.AddMicrosoftIdentityAzureTokenCredential();
+
+        // Register the OBO token provider. This uses AddSingleton (not TryAdd) to override
+        // any default registration, since OBO is an explicit configuration choice.
+        services.AddSingleton<IAzureTokenCredentialProvider, HttpOnBehalfOfTokenCredentialProvider>();
+        return services;
+    }
+}

core/Azure.Mcp.Core/src/Services/Azure/Authentication/AuthenticationServiceCollectionExtensions.cs

@@ -15,20 +15,47 @@ namespace Azure.Mcp.Core.Services.Azure.Authentication;
 /// InteractiveBrowserCredential to provide a seamless authentication experience.
 /// </summary>
 /// <remarks>
+/// <para>
+/// DO NOT INSTANTIATE THIS CLASS DIRECTLY. Use dependency injection to get an instance of
+/// <see cref="TokenCredential"/> from <see cref="IAzureTokenCredentialProvider"/>.
+/// </para>
+/// <para>
 /// The credential chain behavior can be controlled via the AZURE_TOKEN_CREDENTIALS environment variable:
-/// - "dev": Visual Studio → Visual Studio Code → Azure CLI → Azure PowerShell → Azure Developer CLI
-/// - "prod": Environment → Workload Identity → Managed Identity
-/// - Specific credential name (e.g., "AzureCliCredential"): Only that credential
-/// - Not set or empty: Development chain (Environment → Visual Studio → Visual Studio Code → Azure CLI → Azure PowerShell → Azure Developer CLI)
-/// 
+/// </para>
+/// <list type="table">
+/// <listheader>
+/// <term>Value</term>
+/// <description>Behavior</description>
+/// </listheader>
+/// <item>
+/// <term>"dev"</term>
+/// <description>Visual Studio → Visual Studio Code → Azure CLI → Azure PowerShell → Azure Developer CLI</description>
+/// </item>
+/// <item>
+/// <term>"prod"</term>
+/// <description>Environment → Workload Identity → Managed Identity</description>
+/// </item>
+/// <item>
+/// <term>Specific credential name</term>
+/// <description>Only that credential (e.g., "AzureCliCredential")</description>
+/// </item>
+/// <item>
+/// <term>Not set or empty</term>
+/// <description>Development chain (Environment → Visual Studio → Visual Studio Code → Azure CLI → Azure PowerShell → Azure Developer CLI)</description>
+/// </item>
+/// </list>
+/// <para>
 /// By default, production credentials (Workload Identity and Managed Identity) are excluded unless explicitly requested via AZURE_TOKEN_CREDENTIALS="prod".
-/// 
+/// </para>
+/// <para>
 /// Special behavior: When running in VS Code context (VSCODE_PID environment variable is set) and AZURE_TOKEN_CREDENTIALS is not explicitly specified,
 /// Visual Studio Code credential is automatically prioritized first in the chain.
-/// 
+/// </para>
+/// <para>
 /// After the credential chain, Interactive Browser Authentication with Identity Broker is always added as the final fallback.
+/// </para>
 /// </remarks>
-public class CustomChainedCredential(string? tenantId = null, ILogger<CustomChainedCredential>? logger = null) : TokenCredential
+internal class CustomChainedCredential(string? tenantId = null, ILogger<CustomChainedCredential>? logger = null) : TokenCredential
 {
     private TokenCredential? _credential;
     private readonly ILogger<CustomChainedCredential>? _logger = logger;