Skip to content

[client] Fix prioritization of requested Oauth scopes #1324

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 7 commits into
base: main
Choose a base branch
from
Open

[client] Fix prioritization of requested Oauth scopes #1324

wants to merge 7 commits into from
+146 −4

Conversation

dogacancolak
Copy link

@dogacancolak dogacancolak commented Aug 29, 2025
edited
Loading

Fix OAuth scope handling to prioritize PRM spec's scopes_supported over Authorization Server Metadata spec's scopes_supported, ensuring clients only request resource-specific scopes and preventing authorization rejections in multi-resource environments.

Motivation and Context

Currently, the MCP client prioritizes all scopes from the OAuth authorization server metadata endpoint, which can cause issues in multi-resource environments. This update reverses the priority order: it first checks the Protected Resource Metadata (PRM) endpoint's scopes_supported field to obtain only the necessary scopes for the specific resource, and only falls back to the authorization server metadata if needed.

This addresses issues such as:

  1. Authorization servers supporting scopes for multiple resources (e.g., "resource1:read" and "resource2:read").
  2. Clients not being authorized for all advertised scopes, resulting in rejected authorization requests.

How Has This Been Tested?

Comprehensive test cases were added in tests/client/test_auth.py to cover various scope handling scenarios:

  • PRM scopes are prioritized over OAuth metadata scopes.
  • OAuth metadata scopes are used as fallback when PRM has no scopes.
  • No scope changes when both PRM and OAuth metadata lack scopes.
  • Existing client scope is preserved regardless of metadata.

Breaking Changes

This is a breaking change for applications relying on the previous scope handling behavior. The new implementation aligns with the PRM specification, which states that scopes_supported contains "scope values that are used in authorization requests to request access to this protected resource."

Types of Changes

  • Bug fix: Non-breaking change which fixes an issue.
  • New feature: Non-breaking change which adds functionality.
  • Breaking change: Fix or feature that would cause existing functionality to change.
  • Documentation update

Checklist

  • I have read the Model Context Protocol documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Additional Context

The core change modifies the _handle_oauth_metadata_response method in src/mcp/client/auth.py to properly prioritize scopes from PRM over OAuth metadata. This ensures clients only request scopes relevant to the specific resource, improving security and reducing authorization rejections.

@dogacancolak dogacancolak marked this pull request as ready for review August 30, 2025 00:25
@dogacancolak dogacancolak requested review from a team as code owners August 30, 2025 00:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pcarleton pcarleton Awaiting requested review from pcarleton pcarleton is a code owner automatically assigned from modelcontextprotocol/python-sdk-auth

@ihrpr ihrpr Awaiting requested review from ihrpr ihrpr is a code owner automatically assigned from modelcontextprotocol/python-sdk

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@dogacancolak