Conversation

stdevi commented Oct 15, 2025

Set the user-specified scope for the dynamically registered client and for authorization code retrieval.

Motivation and Context

Currently, user-specified scopes are ignored.
See #863.

How Has This Been Tested?

Tested with Linear MCP.

Breaking Changes

No breaking changes.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally

cliffhall (Member) commented Oct 21, 2025

Hi @stdevi

It would be helpful if you could provide before and after screenshots showing the affected parts of the OAuth debugger when running both Quick and Guided Flows, as well as the network tab when running without the OAuth debugger and just using the Connect button.

@cliffhall added the "waiting on submitter" label Oct 21, 2025
stdevi (Author) commented Oct 21, 2025

@cliffhall sure, here are the screenshots.

Guided Flows

Before

Scope is not included in the client registration request:

image

Scope is not included in the authorisation URL:

image

After

Scope is included in the client registration request:

image

Scope is included in the authorisation URL:

image

Quick Flows

Before

Scope is not included in the authorisation URL:

image

After

image

Running without the OAuth debugger

Before

image

After

image

cliffhall (Member) commented Oct 21, 2025

@stdevi Thanks for the follow up. However, those last two screenshots (of just using the connect button) look the same. They don't reveal whether the scope was sent or not. We need to see the headers. If you open the network tab on the right instead of the bottom, we'll be able to see all the headers and you can point out the before and after showing that scope was sent.

image

stdevi (Author) commented Oct 21, 2025

@cliffhall But the "scope" parameter is not required in the Access Token Request: https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3

cliffhall (Member) commented Oct 21, 2025

But the "scope" parameter is not required in the Access Token Request

@stdevi It was just an example to show you how to display all the headers and request data.

stdevi (Author) commented Oct 21, 2025

@cliffhall but do we expect to see the "scope" header in the request to /mcp then? I assume that only the Authorization: Bearer header depends on OAuth and the previously specified scope, but this PR does not affect the bearer token.

cliffhall (Member) commented

but do we expect to see the "scope" header in the request to /mcp then? I assume that only the Authorization: Bearer header depends on OAuth and the previously specified scope, but this PR does not affect the bearer token.

It should be in the authorization URL as well as the returned access token. You have to select it in the network tab to see the details.

stdevi (Author) commented Oct 23, 2025

Got it, here are screenshots for the authorisation request.

Before

image

After

image

But it's problematic to provide screenshots for the token request as MCP servers (including the example-server.modelcontextprotocol.io) often do not return the scope in the token response or return default scopes set by MCP servers, ignoring the provided one.

image image

cliffhall (Member) commented

But it's problematic to provide screenshots for the token request as MCP servers (including the example-server.modelcontextprotocol.io) often do not return the scope in the token response or return default scopes set by MCP servers, ignoring the provided one.

In that last screenshot if you open the disclosure widget in the last step of the OAuth flow you should see the scope:
image

stdevi (Author) commented Oct 25, 2025

Even though the client was correctly registered with a specific scope, the token response may not necessarily include it, as per RFC 6749, which states that the scope parameter in the token response is optional.

image
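The scope handling this thread is about, as an added TypeScript example that is not the Inspector's own code: it carries a user-specified scope into the RFC 7591 registration body and the authorization URL, and then reads the token response the way RFC 6749 section 5.1 prescribes (an absent `scope` means "identical to what was requested", a present one is authoritative and may differ, which is the "server returns its own defaults" case described above). The function names, the client name, the endpoint and every sample value are constructed for this example.

```typescript
// Added example, not the Inspector's own code. Threads a user-specified OAuth
// scope through dynamic client registration, the authorization URL and the
// token response, and reports what the server actually granted.
// All names, endpoints and sample values below are constructed.

// Subset of an RFC 7591 dynamic client registration request.
interface ClientRegistrationRequest {
  client_name: string;
  redirect_uris: string[];
  grant_types: string[];
  response_types: string[];
  token_endpoint_auth_method: string;
  scope?: string; // RFC 7591 section 2: space-separated scope values
}

// Subset of an RFC 6749 section 5.1 token response.
interface TokenResponse {
  access_token: string;
  token_type: string;
  expires_in?: number;
  scope?: string; // OPTIONAL when identical to the requested scope, REQUIRED otherwise
}

// Collapse whitespace and duplicates in a user-typed scope string, keeping
// order. Returns undefined when nothing remains so callers omit the field
// rather than sending an empty "scope".
function normaliseScope(input: string | undefined): string | undefined {
  if (!input) return undefined;
  const values: string[] = [];
  for (const s of input.trim().split(/\s+/)) {
    if (s && !values.includes(s)) values.push(s);
  }
  return values.length > 0 ? values.join(" ") : undefined;
}

// Registration body: "scope" is included only when the user actually set one.
function buildRegistrationRequest(
  redirectUri: string,
  userScope?: string,
): ClientRegistrationRequest {
  const request: ClientRegistrationRequest = {
    client_name: "Example MCP client", // constructed
    redirect_uris: [redirectUri],
    grant_types: ["authorization_code", "refresh_token"],
    response_types: ["code"],
    token_endpoint_auth_method: "none", // public client; PKCE protects the code exchange
  };
  const scope = normaliseScope(userScope);
  if (scope !== undefined) request.scope = scope;
  return request;
}

// Authorization URL: same rule, the "scope" query parameter is set only when present.
function buildAuthorizationUrl(
  authorizationEndpoint: string,
  clientId: string,
  redirectUri: string,
  state: string,
  codeChallenge: string,
  userScope?: string,
): string {
  const url = new URL(authorizationEndpoint);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("redirect_uri", redirectUri);
  url.searchParams.set("state", state);
  url.searchParams.set("code_challenge", codeChallenge);
  url.searchParams.set("code_challenge_method", "S256");
  const scope = normaliseScope(userScope);
  if (scope !== undefined) url.searchParams.set("scope", scope);
  return url.toString();
}

interface GrantedScope {
  granted: string[]; // scopes the client should assume the token carries
  missing: string[]; // requested but not granted (server narrowed or substituted)
  extra: string[]; // granted but never requested (server defaults)
  explicit: boolean; // true when the token response carried a "scope" field
}

// RFC 6749 section 5.1: an absent "scope" means the grant equals the request;
// a present one is authoritative, so a difference is the signal that the server
// ignored the requested scope and applied its own defaults.
function resolveGrantedScope(requestedScope: string | undefined, token: TokenResponse): GrantedScope {
  const requested = (normaliseScope(requestedScope) ?? "").split(" ").filter(Boolean);
  const explicit = typeof token.scope === "string";
  const granted = explicit
    ? (normaliseScope(token.scope) ?? "").split(" ").filter(Boolean)
    : [...requested];
  return {
    granted,
    missing: requested.filter((s) => !granted.includes(s)),
    extra: granted.filter((s) => !requested.includes(s)),
    explicit,
  };
}
```

Calling `resolveGrantedScope` right after the token exchange, and refusing to proceed (or at least surfacing it in the debugger) when `missing` or `extra` is non-empty, is what turns the "server returned default scopes, ignoring the provided one" observation from a screenshot curiosity into a check the client performs every time: the user asked for a narrow scope, and the client should know when it received something else.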

PREREGISTERED_CLIENT_INFORMATION: "mcp_preregistered_client_information",
SERVER_METADATA: "mcp_server_metadata",
AUTH_DEBUGGER_STATE: "mcp_auth_debugger_state",
SCOPE: "mcp_scope",
cliffhall (Member) commented on these lines:

Where is this constant being used? I don't see it in any of the changes.
