Skip to content

oauth: use requested scopes instead of all supported scope #590

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
howardjohn wants to merge 3 commits into from
Closed

oauth: use requested scopes instead of all supported scope #590

howardjohn wants to merge 3 commits into from
+6 −2

Conversation

@howardjohn
Copy link
Contributor

@howardjohn howardjohn commented Jul 8, 2025

Motivation and Context

This mirrors the logic in client_registration

Fixes #587

Without this change, all supported scopes are requested rather than just the ones suggested by the PRM

How Has This Been Tested?

Manually tested

Breaking Changes

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Additional context

@olaservo olaservo requested a review from pcarleton July 16, 2025 04:22
@cliffhall
Copy link
Member

cliffhall commented Jul 23, 2025
edited
Loading

Hi @howardjohn! Thanks for this contribution. It's right, but we also need to do the same thing in useConnection.ts in the handleAuthError function.

Separately, we were considering a solution like this in useConnection

const handleAuthError = async (error: unknown) => {  
  if (is401Error(error)) {  
    const serverAuthProvider = new InspectorOAuthClientProvider(sseUrl);  
      
    // Minimal scope discovery  
    let scope: string | undefined = undefined;  
    try {  
      const metadata = await discoverOAuthMetadata(sseUrl);  
      if (metadata?.scopes_supported) {  
        scope = metadata.scopes_supported.join(" ");  
      }  
    } catch (error) {  
      // Continue without scope if discovery fails  
    }  
  
    const result = await auth(serverAuthProvider, {   
      serverUrl: sseUrl,  
      scope   
    });  
    return result === "AUTHORIZED";  
  }  
  
  return false;  
};

I think we should try and extract the logic into a function that can be used in both places. Would you mind looking into that here?

@olaservo olaservo added the auth Issues and PRs related to authorization label Jul 26, 2025
@btiernay btiernay mentioned this pull request Aug 13, 2025
Closed
9 tasks
@olaservo
Copy link
Member

olaservo commented Jan 18, 2026

Thanks for identifying this OAuth scope issue! Your analysis was correct - the Inspector was using all authorization server scopes instead of the resource-specific scopes.

However, this was comprehensively addressed in PR #701 (merged August 2025), which:

  • Created a reusable discoverScopes() function in auth.ts
  • Fixed both the guided OAuth flow AND the automatic flow in useConnection.ts
  • Added 11 test cases for edge case coverage

Closing this as the issue is already resolved.

This comment was drafted with assistance from Claude (AI).

@olaservo olaservo closed this Jan 18, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pcarleton pcarleton Awaiting requested review from pcarleton

Assignees

No one assigned

Labels

auth Issues and PRs related to authorization

Projects

None yet

Milestone

No milestone

3 participants

@howardjohn @cliffhall @olaservo