Skip to content

feat: unify OAuth scope discovery between automatic and manual flows #701

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Aug 14, 2025
Merged

feat: unify OAuth scope discovery between automatic and manual flows #701

merged 3 commits into from
Aug 14, 2025
+469 −20

Conversation

btiernay
Copy link
Contributor

@btiernay btiernay commented Aug 12, 2025
edited
Loading

OAuth Scope Discovery Unification

Fixes: #580, #587

This PR introduces centralized scope discovery logic through a new discoverScopes function and integrates it across both OAuth authentication flows to ensure consistent scope resolution behavior.

Also related: #705

Implementation Details

New discoverScopes Function:

  • Discovers OAuth scopes from authorization server metadata
  • Prioritizes Protected Resource Metadata scopes over Authorization Server metadata scopes
  • Returns space-separated scope string or undefined if no scopes available
  • Handles discovery failures gracefully with debug logging

Integration Points:

  • Quick Flow (useConnection): Integrates scope discovery in the 401 error handler
  • Guided Flow (OAuthStateMachine): Replaces hardcoded scope logic in authorization redirect step

Before/After Behavior

Flow Type Manual Override Protected Resource Metadata Authorization Server Metadata Scope Resolution Result
BEFORE
Quick Flow Inconsistent
Guided Flow State machine only
AFTER
Quick Flow discoverScopes()
Guided Flow discoverScopes()

Scope Resolution Priority

Both flows now use identical scope resolution logic:

// 1. Manual override takes precedence
let scope = oauthScope?.trim();
if (!scope) {
  // 2. Discover from metadata with PRM preference
  scope = await discoverScopes(serverUrl, resourceMetadata);
}

The discoverScopes function implements the priority hierarchy

Test Coverage

Added test coverage ensures correct behavior across scenarios including resource metadata preference, OAuth fallback, URL normalization, and error handling.

@btiernay btiernay force-pushed the feat/oauth-scope-discovery-consistency branch 24 times, most recently from 9c3daec to cec765c Compare August 12, 2025 22:23
@btiernay btiernay marked this pull request as ready for review August 12, 2025 22:23
@btiernay btiernay mentioned this pull request Aug 13, 2025
Closed
9 tasks
@btiernay btiernay force-pushed the feat/oauth-scope-discovery-consistency branch from cec765c to fc4475f Compare August 13, 2025 13:41
This was referenced Aug 13, 2025
Closed
Open
cliffhall
cliffhall requested changes Aug 14, 2025
View reviewed changes
Copy link
Member

@cliffhall cliffhall left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Waiting for test failure fixes, but otherwise looks good.

@cliffhall cliffhall requested a review from olaservo August 14, 2025 17:45
@btiernay
feat: unify OAuth scope discovery between automatic and manual flows
74900fc 
- Add shared discoverScopes function in auth.ts with resource metadata preference
- Update automatic flow (handleAuthError) to use dynamic scope discovery
- Update manual flow (OAuth state machine) to use shared scope discovery logic
- Add comprehensive test suite for discoverScopes function (11 test cases)
- Fix empty array handling to return undefined instead of empty string
- Maintain backward compatibility with existing oauthScope parameter
- All quality gates pass: TypeScript, linting, formatting, and tests

Resolves OAuth scope discovery inconsistency where automatic flow used static
scopes while manual flow used metadata scopes. Both flows now use identical
shared logic with proper resource metadata preference.
@btiernay
fix: failing test from SDK update
34b3953
@btiernay btiernay force-pushed the feat/oauth-scope-discovery-consistency branch from ca6ba87 to 34b3953 Compare August 14, 2025 18:02
@btiernay btiernay requested a review from cliffhall August 14, 2025 18:07
btiernay
btiernay commented Aug 14, 2025
View reviewed changes
client/src/components/__tests__/AuthDebugger.test.tsx
Comment on lines +80 to +98
clientInformation: jest.fn().mockImplementation(async () => {
const serverUrl = "https://example.com/mcp";
const preregisteredKey = `[${serverUrl}] ${SESSION_KEYS.PREREGISTERED_CLIENT_INFORMATION}`;
const preregisteredData = sessionStorage.getItem(preregisteredKey);
if (preregisteredData) {
return JSON.parse(preregisteredData);
}
const dynamicKey = `[${serverUrl}] ${SESSION_KEYS.CLIENT_INFORMATION}`;
const dynamicData = sessionStorage.getItem(dynamicKey);
if (dynamicData) {
return JSON.parse(dynamicData);
}
return undefined;
}),
saveClientInformation: jest.fn().mockImplementation((clientInfo) => {
const serverUrl = "https://example.com/mcp";
const key = `[${serverUrl}] ${SESSION_KEYS.CLIENT_INFORMATION}`;
sessionStorage.setItem(key, JSON.stringify(clientInfo));
}),
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

After the OAuth scope discovery commits, 2 AuthDebugger tests were failing because the test mocks were too simple. The clientInformation mock always returned undefined instead of checking sessionStorage for preregistered client info, and the saveClientInformation mock did nothing instead of actually saving data. The OAuth flow expected these mocks to behave like the real OAuth client provider by checking sessionStorage for existing client information and saving dynamic registration results when needed. Once we fixed the mocks to simulate this real behavior, the tests started passing again.

cliffhall
cliffhall previously approved these changes Aug 14, 2025
View reviewed changes
Copy link
Member

@cliffhall cliffhall left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! 👍 Needs a linter fix in a test, but code is good.

cliffhall
cliffhall approved these changes Aug 14, 2025
View reviewed changes
Copy link
Member

@cliffhall cliffhall left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's gooooo!

@cliffhall cliffhall merged commit 24ef319 into modelcontextprotocol:main Aug 14, 2025
5 checks passed
@cliffhall cliffhall mentioned this pull request Aug 14, 2025
Closed
@olaservo olaservo mentioned this pull request Aug 29, 2025
Closed
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cliffhall cliffhall cliffhall approved these changes

@olaservo olaservo Awaiting requested review from olaservo

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Authorization URL doesn't contain 'scope' in certain scenario
2 participants
@btiernay @cliffhall