feat: unify OAuth scope discovery between automatic and manual flows

- Add shared discoverScopes function in auth.ts with resource metadata preference
- Update automatic flow (handleAuthError) to use dynamic scope discovery
- Update manual flow (OAuth state machine) to use shared scope discovery logic
- Add comprehensive test suite for discoverScopes function (11 test cases)
- Fix empty array handling to return undefined instead of empty string
- Maintain backward compatibility with existing oauthScope parameter
- All quality gates pass: TypeScript, linting, formatting, and tests

Resolves OAuth scope discovery inconsistency where automatic flow used static
scopes while manual flow used metadata scopes. Both flows now use identical
shared logic with proper resource metadata preference.

Author: btiernay

client/src/components/__tests__/AuthDebugger.test.tsx

@@ -25,6 +25,7 @@ const mockOAuthMetadata = {
   token_endpoint: "https://oauth.example.com/token",
   response_types_supported: ["code"],
   grant_types_supported: ["authorization_code"],
+  scopes_supported: ["read", "write"],
 };
 
 const mockOAuthClientInfo = {
@@ -56,6 +57,40 @@ import {
 import { OAuthMetadata } from "@modelcontextprotocol/sdk/shared/auth.js";
 import { EMPTY_DEBUGGER_STATE } from "@/lib/auth-types";
 
+// Mock local auth module
+jest.mock("@/lib/auth", () => ({
+  DebugInspectorOAuthClientProvider: jest.fn().mockImplementation(() => ({
+    tokens: jest.fn().mockImplementation(() => Promise.resolve(undefined)),
+    clear: jest.fn().mockImplementation(() => {
+      // Mock the real clear() behavior which removes items from sessionStorage
+      sessionStorage.removeItem("[https://example.com/mcp] mcp_tokens");
+      sessionStorage.removeItem("[https://example.com/mcp] mcp_client_info");
+      sessionStorage.removeItem(
+        "[https://example.com/mcp] mcp_server_metadata",
+      );
+    }),
+    redirectUrl: "http://localhost:3000/oauth/callback/debug",
+    clientMetadata: {
+      redirect_uris: ["http://localhost:3000/oauth/callback/debug"],
+      token_endpoint_auth_method: "none",
+      grant_types: ["authorization_code", "refresh_token"],
+      response_types: ["code"],
+      client_name: "MCP Inspector",
+    },
+    clientInformation: jest.fn(),
+    saveClientInformation: jest.fn(),
+    saveTokens: jest.fn(),
+    redirectToAuthorization: jest.fn(),
+    saveCodeVerifier: jest.fn(),
+    codeVerifier: jest.fn(),
+    saveServerMetadata: jest.fn(),
+    getServerMetadata: jest.fn(),
+  })),
+  discoverScopes: jest.fn().mockResolvedValue("read write" as never),
+}));
+
+import { discoverScopes } from "@/lib/auth";
+
 // Type the mocked functions properly
 const mockDiscoverAuthorizationServerMetadata =
   discoverAuthorizationServerMetadata as jest.MockedFunction<
@@ -75,6 +110,9 @@ const mockDiscoverOAuthProtectedResourceMetadata =
   discoverOAuthProtectedResourceMetadata as jest.MockedFunction<
     typeof discoverOAuthProtectedResourceMetadata
   >;
+const mockDiscoverScopes = discoverScopes as jest.MockedFunction<
+  typeof discoverScopes
+>;
 
 const sessionStorageMock = {
   getItem: jest.fn(),
@@ -103,9 +141,15 @@ describe("AuthDebugger", () => {
     // Suppress console errors in tests to avoid JSDOM navigation noise
     jest.spyOn(console, "error").mockImplementation(() => {});
 
-    mockDiscoverAuthorizationServerMetadata.mockResolvedValue(
-      mockOAuthMetadata,
-    );
+    // Set default mock behaviors with complete OAuth metadata
+    mockDiscoverAuthorizationServerMetadata.mockResolvedValue({
+      issuer: "https://oauth.example.com",
+      authorization_endpoint: "https://oauth.example.com/authorize",
+      token_endpoint: "https://oauth.example.com/token",
+      response_types_supported: ["code"],
+      grant_types_supported: ["authorization_code"],
+      scopes_supported: ["read", "write"],
+    });
     mockRegisterClient.mockResolvedValue(mockOAuthClientInfo);
     mockDiscoverOAuthProtectedResourceMetadata.mockRejectedValue(
       new Error("No protected resource metadata found"),
@@ -427,7 +471,24 @@ describe("AuthDebugger", () => {
       });
     });
 
-    it("should not include scope in authorization URL when scopes_supported is not present", async () => {
+    it("should include scope in authorization URL when scopes_supported is not present", async () => {
+      const updateAuthState =
+        await setupAuthorizationUrlTest(mockOAuthMetadata);
+
+      // Wait for the updateAuthState to be called
+      await waitFor(() => {
+        expect(updateAuthState).toHaveBeenCalledWith(
+          expect.objectContaining({
+            authorizationUrl: expect.stringContaining("scope="),
+          }),
+        );
+      });
+    });
+
+    it("should omit scope from authorization URL when discoverScopes returns undefined", async () => {
+      // Mock discoverScopes to return undefined (no scopes available)
+      mockDiscoverScopes.mockResolvedValueOnce(undefined);
+
       const updateAuthState =
         await setupAuthorizationUrlTest(mockOAuthMetadata);
 

client/src/lib/__tests__/auth.test.ts

@@ -0,0 +1,154 @@
+import { discoverScopes } from "../auth";
+import { discoverAuthorizationServerMetadata } from "@modelcontextprotocol/sdk/client/auth.js";
+
+jest.mock("@modelcontextprotocol/sdk/client/auth.js", () => ({
+  discoverAuthorizationServerMetadata: jest.fn(),
+}));
+
+const mockDiscoverAuth =
+  discoverAuthorizationServerMetadata as jest.MockedFunction<
+    typeof discoverAuthorizationServerMetadata
+  >;
+
+const baseMetadata = {
+  issuer: "https://test.com",
+  authorization_endpoint: "https://test.com/authorize",
+  token_endpoint: "https://test.com/token",
+  response_types_supported: ["code"],
+  grant_types_supported: ["authorization_code"],
+  scopes_supported: ["read", "write"],
+};
+
+describe("discoverScopes", () => {
+  beforeEach(() => {
+    jest.clearAllMocks();
+  });
+
+  const testCases = [
+    {
+      name: "returns joined scopes from OAuth metadata",
+      mockResolves: baseMetadata,
+      serverUrl: "https://example.com",
+      expected: "read write",
+      expectedCallUrl: "https://example.com/",
+    },
+    {
+      name: "prefers resource metadata over OAuth metadata",
+      mockResolves: baseMetadata,
+      serverUrl: "https://example.com",
+      resourceMetadata: {
+        resource: "https://example.com",
+        scopes_supported: ["admin", "full"],
+      },
+      expected: "admin full",
+    },
+    {
+      name: "falls back to OAuth when resource has empty scopes",
+      mockResolves: baseMetadata,
+      serverUrl: "https://example.com",
+      resourceMetadata: {
+        resource: "https://example.com",
+        scopes_supported: [],
+      },
+      expected: "read write",
+    },
+    {
+      name: "normalizes URL with port and path",
+      mockResolves: baseMetadata,
+      serverUrl: "https://example.com:8080/some/path",
+      expected: "read write",
+      expectedCallUrl: "https://example.com:8080/",
+    },
+    {
+      name: "normalizes URL with trailing slash",
+      mockResolves: baseMetadata,
+      serverUrl: "https://example.com/",
+      expected: "read write",
+      expectedCallUrl: "https://example.com/",
+    },
+    {
+      name: "handles single scope",
+      mockResolves: { ...baseMetadata, scopes_supported: ["admin"] },
+      serverUrl: "https://example.com",
+      expected: "admin",
+    },
+    {
+      name: "prefers resource metadata even with fewer scopes",
+      mockResolves: {
+        ...baseMetadata,
+        scopes_supported: ["read", "write", "admin", "full"],
+      },
+      serverUrl: "https://example.com",
+      resourceMetadata: {
+        resource: "https://example.com",
+        scopes_supported: ["read"],
+      },
+      expected: "read",
+    },
+  ];
+
+  const undefinedCases = [
+    {
+      name: "returns undefined when OAuth discovery fails",
+      mockRejects: new Error("Discovery failed"),
+      serverUrl: "https://example.com",
+    },
+    {
+      name: "returns undefined when OAuth has no scopes",
+      mockResolves: { ...baseMetadata, scopes_supported: [] },
+      serverUrl: "https://example.com",
+    },
+    {
+      name: "returns undefined when scopes_supported missing",
+      mockResolves: (() => {
+        const { scopes_supported, ...rest } = baseMetadata;
+        return rest;
+      })(),
+      serverUrl: "https://example.com",
+    },
+    {
+      name: "returns undefined with resource metadata but OAuth fails",
+      mockRejects: new Error("No OAuth metadata"),
+      serverUrl: "https://example.com",
+      resourceMetadata: {
+        resource: "https://example.com",
+        scopes_supported: ["read", "write"],
+      },
+    },
+  ];
+
+  test.each(testCases)(
+    "$name",
+    async ({
+      mockResolves,
+      serverUrl,
+      resourceMetadata,
+      expected,
+      expectedCallUrl,
+    }) => {
+      mockDiscoverAuth.mockResolvedValue(mockResolves);
+
+      const result = await discoverScopes(serverUrl, resourceMetadata);
+
+      expect(result).toBe(expected);
+      if (expectedCallUrl) {
+        expect(mockDiscoverAuth).toHaveBeenCalledWith(new URL(expectedCallUrl));
+      }
+    },
+  );
+
+  test.each(undefinedCases)(
+    "$name",
+    async ({ mockResolves, mockRejects, serverUrl, resourceMetadata }) => {
+      if (mockRejects) {
+        mockDiscoverAuth.mockRejectedValue(mockRejects);
+      } else {
+        mockDiscoverAuth.mockResolvedValue(mockResolves);
+      }
+
+      const result = await discoverScopes(serverUrl, resourceMetadata);
+
+      expect(result).toBeUndefined();
+    },
+  );
+});

client/src/lib/auth.ts

@@ -6,10 +6,45 @@ import {
   OAuthTokensSchema,
   OAuthClientMetadata,
   OAuthMetadata,
+  OAuthProtectedResourceMetadata,
 } from "@modelcontextprotocol/sdk/shared/auth.js";
+import { discoverAuthorizationServerMetadata } from "@modelcontextprotocol/sdk/client/auth.js";
 import { SESSION_KEYS, getServerSpecificKey } from "./constants";
 import { generateOAuthState } from "@/utils/oauthUtils";
 
+/**
+ * Discovers OAuth scopes from server metadata, with preference for resource metadata scopes
+ * @param serverUrl - The MCP server URL
+ * @param resourceMetadata - Optional resource metadata containing preferred scopes
+ * @returns Promise resolving to space-separated scope string or undefined
+ */
+export const discoverScopes = async (
+  serverUrl: string,
+  resourceMetadata?: OAuthProtectedResourceMetadata,
+): Promise<string | undefined> => {
+  try {
+    const metadata = await discoverAuthorizationServerMetadata(
+      new URL("/", serverUrl),
+    );
+
+    // Prefer resource metadata scopes, but fall back to OAuth metadata if empty
+    const resourceScopes = resourceMetadata?.scopes_supported;
+    const oauthScopes = metadata?.scopes_supported;
+
+    const scopesSupported =
+      resourceScopes && resourceScopes.length > 0
+        ? resourceScopes
+        : oauthScopes;
+
+    return scopesSupported && scopesSupported.length > 0
+      ? scopesSupported.join(" ")
+      : undefined;
+  } catch (error) {
+    console.debug("OAuth scope discovery failed:", error);
+    return undefined;
+  }
+};
+
 export const getClientInformationFromSessionStorage = async ({
   serverUrl,
   isPreregistered,