Definition
Assembly: Microsoft.OData.Mcp.Authentication.dll
Namespace: Microsoft.OData.Mcp.Authentication.Models
Inheritance: System.Object
Syntax
Summary
Configuration options for OAuth2 scope-based authorization.
Remarks
These options control how OAuth2 scopes are used to authorize access to different MCP tools and operations. Scope-based authorization provides fine-grained access control beyond basic authentication.
Constructors
.ctor
Initializes a new instance of the ScopeAuthorizationOptions class.
Syntax
.ctor Inherited
Inherited from
object
Syntax
Properties
DefaultRequiredScopes
Gets or sets the default scopes required when no specific requirement is defined.
Syntax
Property Value
Type:System.Collections.Generic.List<string>
A collection of scopes required for operations without specific scope requirements.
Remarks
These scopes are used as a fallback when no specific scope requirements are defined for an operation, tool, or entity. This ensures a baseline level of access control.
Enabled
Gets or sets a value indicating whether scope-based authorization is enabled.
Syntax
Property Value
Type:bool
true if scope-based authorization is enabled; otherwise, false.
Remarks
When enabled, the MCP server will check token scopes before allowing access to tools and operations. When disabled, all authenticated users have access to all available tools.
EnforcementBehavior
Gets or sets the behavior when required scopes are missing.
Syntax
Property Value
Type:Microsoft.OData.Mcp.Authentication.Models.ScopeEnforcementBehavior
The action to take when a user lacks required scopes.
Remarks
Different behaviors provide different user experiences and security postures. Denying access is most secure, while filtering tools provides a better user experience at the cost of complexity.
EntityScopes
Gets or sets the entity-specific scope requirements.
Syntax
Property Value
Type:System.Collections.Generic.Dictionary<string, Microsoft.OData.Mcp.Authentication.Models.EntityScopeRequirements>
A mapping of entity types to their required scopes for different operations.
Remarks
This allows different entities to have different access requirements. For example, sensitive entities might require higher-privilege scopes than general-purpose entities.
LogAuthorizationDecisions
Gets or sets a value indicating whether to log scope authorization decisions.
Syntax
Property Value
Type:bool
true if scope decisions should be logged; otherwise, false.
Remarks
Logging scope decisions helps with troubleshooting authorization issues and provides audit trails for security compliance. However, it may generate significant log volume in high-traffic scenarios.
RequiredScopes
Gets or sets the required scopes for different MCP operations.
Syntax
Property Value
Type:System.Collections.Generic.Dictionary<string, System.Collections.Generic.List<string>>
A mapping of operation types to their required scopes.
Remarks
This mapping defines which scopes are required for different types of MCP operations. Users must have at least one of the required scopes to perform the operation.
ScopeClaimName
Gets or sets the claim name that contains the scopes in JWT tokens.
Syntax
Property Value
Type:string
The name of the claim that contains scope information.
Remarks
Different authorization servers use different claim names for scopes. Common values include "scope", "scp", and "permissions". The claim can contain a space-separated string or an array of scope values.
ScopeSeparator
Gets or sets the scope separator character for space-separated scope claims.
Syntax
Property Value
Type:char
The character used to separate multiple scopes in a single claim value.
Remarks
When scopes are provided as a space-separated string, this character is used to split them into individual scope values. Space is the standard separator according to OAuth2 specifications.
ToolScopes
Gets or sets the tool-specific scope requirements.
Syntax
Property Value
Type:System.Collections.Generic.Dictionary<string, System.Collections.Generic.List<string>>
A mapping of tool names to their required scopes.
Remarks
This provides fine-grained control over individual MCP tools. Tool-specific requirements override general operation requirements for the specified tools.
Methods
Equals Inherited Virtual
Inherited from
object
Syntax
Parameters
| Name | Type | Description |
|---|---|---|
| obj | object? | - |
Returns
Type:bool
Equals Inherited
Inherited from
object
Syntax
Parameters
| Name | Type | Description |
|---|---|---|
| objA | object? | - |
| objB | object? | - |
Returns
Type:bool
GetHashCode Inherited Virtual
Inherited from
object
Syntax
Returns
Type:int
GetRequiredScopesForEntity
Gets the required scopes for a specific entity and operation.
Syntax
Parameters
| Name | Type | Description |
|---|---|---|
| entityType | string | The entity type name. |
| operation | string | The operation being performed on the entity. |
Returns
Type:System.Collections.Generic.IEnumerable<string>
The required scopes, or the default scopes if no specific requirement exists.
GetRequiredScopesForOperation
Gets the required scopes for a specific operation.
Syntax
Parameters
| Name | Type | Description |
|---|---|---|
| operation | string | The operation name. |
Returns
Type:System.Collections.Generic.IEnumerable<string>
The required scopes, or the default scopes if no specific requirement exists.
GetRequiredScopesForTool
Gets the required scopes for a specific tool.
Syntax
Parameters
| Name | Type | Description |
|---|---|---|
| toolName | string | The tool name. |
Returns
Type:System.Collections.Generic.IEnumerable<string>
The required scopes, or the default scopes if no specific requirement exists.
GetType Inherited
Inherited from
object
Syntax
Returns
Type:System.Type
MemberwiseClone Inherited
Inherited from
object
Syntax
Returns
Type:object
ReferenceEquals Inherited
Inherited from
object
Syntax
Parameters
| Name | Type | Description |
|---|---|---|
| objA | object? | - |
| objB | object? | - |
Returns
Type:bool
SetRequiredScopesForOperation
Adds or updates scope requirements for an operation.
Syntax
Parameters
| Name | Type | Description |
|---|---|---|
| operation | string | The operation name. |
| scopes | System.Collections.Generic.IEnumerable<string> | The required scopes for the operation. |
Exceptions
| Exception | Description |
|---|---|
| ArgumentException | Thrown when operation is null or whitespace. |
| ArgumentNullException | Thrown when scopes is null. |
SetRequiredScopesForTool
Adds or updates scope requirements for a tool.
Syntax
Parameters
| Name | Type | Description |
|---|---|---|
| toolName | string | The tool name. |
| scopes | System.Collections.Generic.IEnumerable<string> | The required scopes for the tool. |
Exceptions
| Exception | Description |
|---|---|
| ArgumentException | Thrown when toolName is null or whitespace. |
| ArgumentNullException | Thrown when scopes is null. |
ToString Override
Returns a string representation of the scope authorization options.
Syntax
Returns
Type:string
A summary of the scope authorization configuration.
ToString Inherited Virtual
Inherited from
object
Syntax
Returns
Type:string?
Validate
Validates the scope authorization options for consistency and completeness.
Syntax
Returns
Type:System.Collections.Generic.IEnumerable<string>
A collection of validation errors, or an empty collection if the options are valid.
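Example
An added example, not code from the Microsoft.OData.Mcp project, showing one way to configure these options, validate them at startup, and apply an any-of scope check to a ClaimsPrincipal. The scope, operation and tool names, the ScopeCheckExample helper, the deny-on-empty-requirement choice, and applying the "at least one of" rule from the RequiredScopes remarks to tools are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using Microsoft.OData.Mcp.Authentication.Models;

public static class ScopeCheckExample // hypothetical helper, not part of the library
{
    // Scope, operation and tool names below are constructed for illustration.
    public static ScopeAuthorizationOptions BuildOptions()
    {
        var options = new ScopeAuthorizationOptions
        {
            Enabled = true,
            ScopeClaimName = "scp",
            ScopeSeparator = ' ',
            LogAuthorizationDecisions = true,
            DefaultRequiredScopes = new List<string> { "odata.read" }
        };
        options.SetRequiredScopesForOperation("write", new[] { "odata.write" });
        options.SetRequiredScopesForTool("delete_customer", new[] { "odata.admin" });

        // Refuse to start on an inconsistent configuration.
        var errors = options.Validate().ToList();
        if (errors.Count > 0)
            throw new InvalidOperationException(string.Join("; ", errors));
        return options;
    }

    // Collect scopes whether the token carried one delimited string or an array
    // (a JSON array typically surfaces as several claims of the same type).
    public static HashSet<string> GetTokenScopes(ClaimsPrincipal user, ScopeAuthorizationOptions options)
        => user.FindAll(options.ScopeClaimName)
               .SelectMany(c => c.Value.Split(options.ScopeSeparator, StringSplitOptions.RemoveEmptyEntries))
               .ToHashSet(StringComparer.Ordinal); // OAuth2 scope strings are case-sensitive

    // Any-of match; an empty requirement list denies (fail closed, an assumption of this example).
    public static bool IsToolAllowed(ClaimsPrincipal user, ScopeAuthorizationOptions options, string toolName)
    {
        if (user.Identity?.IsAuthenticated != true) return false;
        if (!options.Enabled) return true; // documented: all authenticated users get all tools
        var required = options.GetRequiredScopesForTool(toolName).ToList();
        var granted = GetTokenScopes(user, options);
        return required.Count > 0 && required.Any(granted.Contains);
    }
}
```

With an empty DefaultRequiredScopes list and no tool entry, GetRequiredScopesForTool would return nothing to match against, so the deny-on-empty branch keeps an unconfigured tool from being open to every authenticated caller.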