From 6d951485fbf8b366b75df45cf04b2bd957c99ebf Mon Sep 17 00:00:00 2001
From: Anatoly Tarnavsky
Date: Tue, 12 Aug 2025 23:32:44 +0300
Subject: [PATCH] Fix OAuth scope selection to use resource server scopes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Inspector was incorrectly requesting all scopes from the authorization server's metadata instead of using the resource server's supported scopes. This caused issues with dynamic OAuth clients that don't have access to all authorization server scopes (like public_metadata and private_metadata). The fix ensures that during the authorization redirect step, we prefer the resource server's scopes_supported over the authorization server's scopes, matching the behavior already present in the client registration step.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude
---
 client/src/lib/oauth-state-machine.ts | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/client/src/lib/oauth-state-machine.ts b/client/src/lib/oauth-state-machine.ts
index 618e64533..2b1cb77c1 100644
--- a/client/src/lib/oauth-state-machine.ts
+++ b/client/src/lib/oauth-state-machine.ts
@@ -110,8 +110,11 @@ export const oauthTransitions: Record = {
 const clientInformation = context.state.oauthClientInfo!;
 let scope: string | undefined = undefined;
- if (metadata.scopes_supported) {
- scope = metadata.scopes_supported.join(" ");
+ const scopesSupported =
+ context.state.resourceMetadata?.scopes_supported ||
+ metadata.scopes_supported;
+ if (scopesSupported) {
+ scope = scopesSupported.join(" ");
 }
 const { authorizationUrl, codeVerifier } = await startAuthorization(
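Review bot: The `||` fallback in `scopesSupported` only fires when the resource metadata omits `scopes_supported`; an empty array is truthy, so a resource that publishes `scopes_supported: []` produces `scope = ""` instead of leaving `scope` undefined, and how `startAuthorization` treats an empty string is not visible in this hunk. Guarding on length, `if (scopesSupported?.length) {`, keeps `scope` undefined in that case. The requested scope list is also now taken verbatim from metadata published by the resource server being connected to, and every advertised scope is requested, so a comment such as `// requests all scopes the resource advertises; narrowing is left to the authorization server's consent step` would make that trust decision explicit for the next reader. The enclosing function starts and ends outside the hunk.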