
fix(mcp): request configured OAuth scopes when server advertises scopes #34076

Closed
mroffmix wants to merge 2 commits into anomalyco:dev from mroffmix:mcp-oauth-scope

Conversation

mroffmix commented Jun 26, 2026

Issue for this PR

Closes #34034

Type of change

  • Bug fix
  • New feature
  • Refactor / code improvement
  • Documentation

What does this PR do?

The MCP SDK applies the configured oauth.scope only as a last-resort fallback (SEP-835), so when a server advertises its resource scopes the configured scopes are ignored. In particular offline_access is never requested, the authorization server issues no refresh token, and short-lived access tokens force a manual re-auth on every expiry.

This merges the configured clientMetadata.scope with the advertised scopes (deduped, order preserved) in the SDK's scope selection, applied consistently to both dynamic client registration and the authorization request. The change lives in the existing @modelcontextprotocol/sdk patch because the merge has to happen inside the SDK's auth() flow, which exposes no hook for it.

How did you verify your code works?

  • Added a test that drives the SDK auth() flow with advertised scopes plus a config scope and asserts the authorization URL contains the merged set (and that a server advertising no scopes still falls back to the config scope).
  • Manually against a live OAuth MCP server: the authorization URL now includes offline_access/openid on top of the advertised scopes, and mcp-auth.json stores a refresh token.

Screenshots / recordings

Not a UI change.

Checklist

  • I have tested my changes locally
  • I have not included unrelated changes in this PR

The MCP SDK uses the configured oauth.scope only as a last-resort
fallback, so when a server advertises its resource scopes the configured
scopes (e.g. openid, offline_access) are dropped and the authorization
server never issues a refresh token.

Merge the configured clientMetadata.scope with the advertised scopes
(deduped, order preserved) so it applies to both dynamic client
registration and the authorization request.
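The scope selection described in the PR description and commit message above, written out as an added TypeScript example (not the SDK patch or this PR's code). The authorization endpoint, client id and redirect URI are constructed values, and putting advertised scopes before configured ones is an assumption the PR text does not settle.

```typescript
// Added example, not code from the SDK or from this PR. OAuth scopes are
// space-delimited strings (RFC 6749 section 3.3); the SDK's real auth() flow is
// stood in for by the small helpers below.

const splitScopes = (scope: string | undefined): string[] =>
  (scope ?? "").split(/\s+/).filter(Boolean);

// Pre-fix behaviour described in the PR: the configured scope is only a
// last-resort fallback, so once the server advertises any scopes the
// configured ones (openid, offline_access) are dropped.
function fallbackOnlyScopes(configured: string | undefined, advertised: string[]): string | undefined {
  if (advertised.length > 0) return advertised.join(" ");
  return splitScopes(configured).join(" ") || undefined;
}

// Fixed behaviour: merge advertised and configured scopes, deduplicated with the
// first occurrence winning so order is preserved. Assumption: advertised scopes
// lead; the PR does not state which side comes first.
function selectScopes(configured: string | undefined, advertised: string[] | undefined): string | undefined {
  const merged: string[] = [];
  for (const s of [...(advertised ?? []), ...splitScopes(configured)]) {
    if (!merged.includes(s)) merged.push(s);
  }
  return merged.length > 0 ? merged.join(" ") : undefined;
}

// Authorization request in the shape the SDK sends (state and PKCE parameters
// left out to keep the focus on the scope parameter the PR's test inspects).
function buildAuthorizationUrl(endpoint: string, clientId: string, redirectUri: string, scope: string | undefined): string {
  const url = new URL(endpoint);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("redirect_uri", redirectUri);
  if (scope) url.searchParams.set("scope", scope);
  return url.toString();
}

// The check from the PR's test: does the authorization URL request every required scope?
function requestsScopes(authorizationUrl: string, required: string[]): boolean {
  const requested = new Set(splitScopes(new URL(authorizationUrl).searchParams.get("scope") ?? undefined));
  return required.every((s) => requested.has(s));
}
```

Without offline_access in the request the authorization server has no reason to issue a refresh token, which is the symptom the issue reports.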
github-actions bot added needs:compliance (This means the issue will auto-close after 2 hours.) and then removed the needs:compliance label, Jun 26, 2026

github-actions (Contributor) commented

Thanks for updating your PR! It now meets our contributing guidelines. 👍

mroffmix (Author) commented

Superseded by #34125, which fixes #34034 by auto-requesting offline_access when the authorization server advertises it. Closing this one — thanks!

@mroffmix mroffmix closed this Jun 27, 2026

Development

Successfully merging this pull request may close these issues.

MCP OAuth: config scope is ignored when the resource server advertises scopes; offline_access can't be requested