Skip to content

fix(mcp): request refresh token scope#34125

Merged
rekram1-node merged 1 commit into
devfrom
mcp-oauth-scopes
Jun 27, 2026
Merged

fix(mcp): request refresh token scope#34125
rekram1-node merged 1 commit into
devfrom
mcp-oauth-scopes

Conversation

@rekram1-node

@rekram1-node rekram1-node commented Jun 26, 2026

Copy link
Copy Markdown
Collaborator

Summary

  • backport MCP SEP-2207 scope selection to the stable TypeScript SDK patch
  • append offline_access only when the authorization server advertises it and the client supports refresh tokens
  • use the resolved scope consistently for dynamic registration and browser authorization
  • match offline_access as a complete scope token before adding prompt=consent

This preserves MCP resource-scope precedence rather than allowing configured scopes to override server-advertised scopes. It addresses the refresh-token case reported in #34034 while following the upstream SDK implementation from modelcontextprotocol/typescript-sdk#1523.

Closes #34034

Test plan

  • bun test test/mcp/oauth-provider.test.ts
  • bun typecheck
  • clean Bun reinstall of the patched dependency
  • ESM and CJS syntax checks
  • pristine SDK 1.29.0 patch application check

@rekram1-node rekram1-node merged commit 36c416e into dev Jun 27, 2026
10 checks passed
@rekram1-node rekram1-node deleted the mcp-oauth-scopes branch June 27, 2026 03:27
BenGu3 pushed a commit to BenGu3/opencode that referenced this pull request Jun 27, 2026
@rekram1-node @BenGu3
fix(mcp): request refresh token scope (anomalyco#34125)
3fa1825
@mroffmix mroffmix mentioned this pull request Jun 27, 2026
Closed
6 tasks
josechifflet pushed a commit to josechifflet/opencode that referenced this pull request Jun 27, 2026
@rekram1-node @josechifflet
fix(mcp): request refresh token scope (anomalyco#34125)
28aa122 
(cherry picked from commit 36c416e)
github-actions Bot pushed a commit to iwwadigital/opencode that referenced this pull request Jun 27, 2026
@rekram1-node
fix(mcp): request refresh token scope (anomalyco#34125)
db12cdc
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

MCP OAuth: config scope is ignored when the resource server advertises scopes offline_access can't be requested

1 participant

@rekram1-node