Move logic from Auth Server Metadata handler to PRM handler

Author: dogacancolak

src/mcp/client/auth.py

@@ -273,6 +273,23 @@ async def _handle_protected_resource_response(self, response: httpx.Response) ->
                 self.context.protected_resource_metadata = metadata
                 if metadata.authorization_servers:
                     self.context.auth_server_url = str(metadata.authorization_servers[0])
+
+                # Only set scope if client_metadata.scope is None
+                # Per MCP spec, priority order:
+                # 1. Use scope from WWW-Authenticate header (if provided)
+                # 2. Use all scopes from PRM scopes_supported (if available)
+                # 3. Omit scope parameter if neither is available
+                if self.context.client_metadata.scope is None:
+                    if self.context.www_authenticate_scope is not None:
+                        # Priority 1: WWW-Authenticate header scope
+                        self.context.client_metadata.scope = self.context.www_authenticate_scope
+                    elif self.context.protected_resource_metadata.scopes_supported is not None:
+                        # Priority 2: PRM scopes_supported
+                        self.context.client_metadata.scope = " ".join(
+                            self.context.protected_resource_metadata.scopes_supported
+                        )
+                    # Priority 3: Omit scope parameter
+
             except ValidationError:
                 pass
 
@@ -504,23 +521,6 @@ async def _handle_oauth_metadata_response(self, response: httpx.Response) -> Non
         metadata = OAuthMetadata.model_validate_json(content)
         self.context.oauth_metadata = metadata
 
-        # Only set scope if client_metadata.scope is None
-        # Per MCP spec, priority order:
-        # 1. Use scope from WWW-Authenticate header (if provided)
-        # 2. Use all scopes from PRM scopes_supported (if available)
-        # 3. Omit scope parameter if neither is available
-        if self.context.client_metadata.scope is None:
-            if self.context.www_authenticate_scope is not None:
-                # Priority 1: WWW-Authenticate header scope
-                self.context.client_metadata.scope = self.context.www_authenticate_scope
-            elif (
-                self.context.protected_resource_metadata is not None
-                and self.context.protected_resource_metadata.scopes_supported is not None
-            ):
-                # Priority 2: PRM scopes_supported
-                self.context.client_metadata.scope = " ".join(self.context.protected_resource_metadata.scopes_supported)
-            # Priority 3: Omit scope parameter
-
     async def async_auth_flow(self, request: httpx.Request) -> AsyncGenerator[httpx.Request, httpx.Response]:
         """HTTPX auth flow integration."""
         async with self.context.lock:

tests/client/test_auth.py

@@ -102,22 +102,28 @@ def oauth_metadata_response():
 
 
 @pytest.fixture
-def prm_metadata():
-    """PRM metadata with scopes."""
-    return ProtectedResourceMetadata(
-        resource=AnyHttpUrl("https://api.example.com/v1/mcp"),
-        authorization_servers=[AnyHttpUrl("https://auth.example.com")],
-        scopes_supported=["resource:read", "resource:write"],
+def prm_metadata_response():
+    """PRM metadata response with scopes."""
+    return httpx.Response(
+        200,
+        content=(
+            b'{"resource": "https://api.example.com/v1/mcp", '
+            b'"authorization_servers": ["https://auth.example.com"], '
+            b'"scopes_supported": ["resource:read", "resource:write"]}'
+        ),
     )
 
 
 @pytest.fixture
-def prm_metadata_without_scopes():
-    """PRM metadata without scopes."""
-    return ProtectedResourceMetadata(
-        resource=AnyHttpUrl("https://api.example.com/v1/mcp"),
-        authorization_servers=[AnyHttpUrl("https://auth.example.com")],
-        scopes_supported=None,
+def prm_metadata_without_scopes_response():
+    """PRM metadata response without scopes."""
+    return httpx.Response(
+        200,
+        content=(
+            b'{"resource": "https://api.example.com/v1/mcp", '
+            b'"authorization_servers": ["https://auth.example.com"], '
+            b'"scopes_supported": null}'
+        ),
     )
 
 
@@ -437,20 +443,16 @@ async def test_handle_metadata_response_success(self, oauth_provider: OAuthClien
     async def test_prioritize_www_auth_scope_over_prm(
         self,
         oauth_provider_without_scope: OAuthClientProvider,
-        oauth_metadata_response: httpx.Response,
-        prm_metadata: ProtectedResourceMetadata,
+        prm_metadata_response: httpx.Response,
     ):
         """Test that WWW-Authenticate scope is prioritized over PRM scopes."""
         provider = oauth_provider_without_scope
 
-        # Set up PRM metadata with scopes
-        provider.context.protected_resource_metadata = prm_metadata
-
         # Set WWW-Authenticate scope (priority 1)
         provider.context.www_authenticate_scope = "special:scope from:www-authenticate"
 
-        # Process the OAuth metadata
-        await provider._handle_oauth_metadata_response(oauth_metadata_response)
+        # Process the PRM metadata
+        await provider._handle_protected_resource_response(prm_metadata_response)
 
         # Verify that WWW-Authenticate scope is used (not PRM scopes)
         assert provider.context.client_metadata.scope == "special:scope from:www-authenticate"
@@ -459,17 +461,13 @@ async def test_prioritize_www_auth_scope_over_prm(
     async def test_prioritize_prm_scopes_when_no_www_auth_scope(
         self,
         oauth_provider_without_scope: OAuthClientProvider,
-        oauth_metadata_response: httpx.Response,
-        prm_metadata: ProtectedResourceMetadata,
+        prm_metadata_response: httpx.Response,
     ):
         """Test that PRM scopes are prioritized when WWW-Authenticate header has no scopes."""
         provider = oauth_provider_without_scope
 
-        # Set up PRM metadata with specific scopes
-        provider.context.protected_resource_metadata = prm_metadata
-
-        # Process the OAuth metadata (no WWW-Authenticate scope)
-        await provider._handle_oauth_metadata_response(oauth_metadata_response)
+        # Process the PRM metadata (no WWW-Authenticate scope)
+        await provider._handle_protected_resource_response(prm_metadata_response)
 
         # Verify that PRM scopes are used
         assert provider.context.client_metadata.scope == "resource:read resource:write"
@@ -478,17 +476,13 @@ async def test_prioritize_prm_scopes_when_no_www_auth_scope(
     async def test_omit_scope_when_no_prm_scopes_or_www_auth(
         self,
         oauth_provider_without_scope: OAuthClientProvider,
-        oauth_metadata_response: httpx.Response,
-        prm_metadata_without_scopes: ProtectedResourceMetadata,
+        prm_metadata_without_scopes_response: httpx.Response,
     ):
         """Test that scope is omitted when PRM has no scopes and WWW-Authenticate doesn't specify scope."""
         provider = oauth_provider_without_scope
 
-        # Set up PRM metadata without scopes
-        provider.context.protected_resource_metadata = prm_metadata_without_scopes
-
-        # Process the OAuth metadata (no WWW-Authenticate scope set)
-        await provider._handle_oauth_metadata_response(oauth_metadata_response)
+        # Process the PRM metadata (no WWW-Authenticate scope set)
+        await provider._handle_protected_resource_response(prm_metadata_without_scopes_response)
 
         # Verify that scope is omitted
         assert provider.context.client_metadata.scope is None
@@ -497,20 +491,16 @@ async def test_omit_scope_when_no_prm_scopes_or_www_auth(
     async def test_preserve_existing_client_scope(
         self,
         oauth_provider: OAuthClientProvider,
-        oauth_metadata_response: httpx.Response,
-        prm_metadata: ProtectedResourceMetadata,
+        prm_metadata_response: httpx.Response,
     ):
         """Test that existing client scope is preserved regardless of metadata."""
         provider = oauth_provider
 
         # Set WWW-Authenticate scope
         provider.context.www_authenticate_scope = "special:scope from:www-authenticate"
 
-        # Set up PRM metadata with scopes
-        provider.context.protected_resource_metadata = prm_metadata
-
         # Process the OAuth metadata
-        await provider._handle_oauth_metadata_response(oauth_metadata_response)
+        await provider._handle_protected_resource_response(prm_metadata_response)
 
         # Verify that predefined scope is preserved
         assert provider.context.client_metadata.scope == "read write"