Skip to content

Add support for URL mode elicitation #1021

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
halter73 merged 6 commits into from
Dec 5, 2025
Merged

Add support for URL mode elicitation #1021

halter73 merged 6 commits into from
Dec 5, 2025

Conversation

@halter73
Copy link
Contributor

@halter73 halter73 commented Nov 24, 2025
edited
Loading

This PR adds support URL mode elicitation requests defined by SEP-1036 which is for out-of-band server-to-client elicitations that may involve sensitive data the MCP server doesn't want to give to the MCP client or host.

Fixes #750

@halter73 halter73 added this to the 2025-11-25 Spec Compliance milestone Nov 24, 2025
halter73
halter73 commented Nov 24, 2025
View reviewed changes
PederHP
PederHP reviewed Nov 24, 2025
View reviewed changes
@PederHP
Copy link
Member

PederHP commented Nov 24, 2025
edited
Loading

Really like the example. Only downside is it might distract from the fact url mode will usually point at an url that is distinct from the mcp server. I think an ideal sample should be MCP server and separate blazor server with some communication mechanism between them. Just to show it's out of band and the security pattern of the sensitive information never passing through the mcp server. But that's something that can be done later.

@halter73
Copy link
Contributor Author

halter73 commented Nov 24, 2025

Really like the example. Only downside is it might distract from the fact url mode will usually point at an url that is distinct from the mcp server. I think an ideal sample should be MCP server and separate blazor server with some communication mechanism between them. Just to show it's out of band and the security pattern of the sensitive information never passing through the mcp server. But that's something that can be done later.

I accidently pushed the sample. I removed it from this PR. It wasn't fully functional yet, and it didn't use auth for the Blazor form. Later we can add a sample that leverages AddOpenIdConnect and AddCookie pointing to the same OAuth provider as AddMcp, possibly in a different project to show that the URL doesn't need to be hosted by the MCP server. I don't think it's really a problem to have the MCP server host the elicitation URL though. It still serves a purpose of collecting sensitive information from the user without exposing it to the host or client.

stephentoub
stephentoub reviewed Nov 25, 2025
View reviewed changes
This was referenced Nov 25, 2025
Merged
Merged
@halter73
Merge branch 'main' into halter73/750
2c25d7f 
# Conflicts:
#	docs/concepts/elicitation/elicitation.md
#	src/ModelContextProtocol.Core/McpSessionHandler.cs
#	src/ModelContextProtocol.Core/Protocol/ElicitRequestParams.cs
#	src/ModelContextProtocol.Core/Protocol/ElicitationCapability.cs
#	src/ModelContextProtocol.Core/Protocol/NotificationMethods.cs
#	tests/ModelContextProtocol.Tests/Protocol/ElicitationDefaultValuesTests.cs
#	tests/ModelContextProtocol.Tests/Server/McpServerExtensionsTests.cs
@halter73
Update elicitation.md to include UrlElicitationRequiredException
e53abf9
@halter73
Move the logic to populate McpProtocolException.Data into the CreateR…
39c62dc 
…emoteProtocolException method
@halter73
Deflake Server_ShutsDownQuickly_WhenClientIsConnected
a4c7c29 
The client Streamable HTTP transport does not wait on the SSE GET request to complete ConnectAsync,
so there's a test-only race that the server might shutdown before HttpClient even creates
a connection for the parallel GET request that results in a IOException with the message
"The KestrelInMemoryTransport has been shut down."

Regardless, as with the DELETE request, it's not helpful to throw from
DisposeAsync just because there were problems with the optional GET request
@halter73
Update docs/concepts/elicitation/elicitation.md
30842a8
@halter73 halter73 merged commit ae17ba0 into main Dec 5, 2025
17 of 18 checks passed
@halter73 halter73 deleted the halter73/750 branch December 5, 2025 08:03
halter73 added a commit that referenced this pull request Dec 5, 2025
@halter73
Address missed feedback from #1021
bb5b285
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@stephentoub stephentoub stephentoub approved these changes

@eiriktsarpalis eiriktsarpalis Awaiting requested review from eiriktsarpalis

@mikekistler mikekistler Awaiting requested review from mikekistler

+1 more reviewer

@PederHP PederHP PederHP left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

2025-11-25 Spec Compliance

Development

Successfully merging this pull request may close these issues.

SEP-1036: Add support for URL Mode Elicitation for secure out-of-band interactions

4 participants

@halter73 @PederHP @stephentoub