fix(auth): respect explicitly-set client_metadata.scope during discovery #2373
Open
chasewhughes wants to merge 1 commit into modelcontextprotocol:main from
The scope selection strategy in async_auth_flow unconditionally overwrites client_metadata.scope with server-advertised scopes. This is problematic when the caller has explicitly set scopes to limit permissions or to avoid rejection by servers that only permit certain scopes (e.g. SalesForce MCP server). Only apply automatic scope selection when client_metadata.scope is None, preserving any explicitly-set value.

Github-Issue: modelcontextprotocol#2317
Reported-by: jbweston
Problem

async_auth_flow unconditionally overwrites client_metadata.scope with server-advertised scopes during OAuth discovery (Step 3). This prevents clients from limiting their requested permissions, which is required by some servers — for example, the official SalesForce MCP server rejects requests that include scopes not authorized for the given client application.

Solution

Only apply automatic scope selection when client_metadata.scope is None. If the caller has explicitly set scopes, they are preserved through the discovery flow.

The 403 step-up flow (insufficient_scope) is intentionally left unchanged — when a server explicitly demands different scopes, those should override regardless.

Tests

Two new tests:

- test_auth_flow_preserves_explicit_scopes — verifies that explicitly-set scopes survive the discovery flow
- test_auth_flow_auto_selects_scopes_when_none — verifies that auto-selection still works when no explicit scope is set

All 86 tests in test_auth.py pass.

Fixes #2317
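The following is an added illustration of the two scope-selection strategies the description contrasts, plus the 403 step-up path it says is left alone. It is example code written for this page, not the SDK's implementation and not the PR's diff: ClientMetadata, DiscoveryResult, select_scope_overwriting, select_scope_preserving, parse_insufficient_scope and apply_step_up are assumed names, and the precedence given to protected-resource scopes over authorization-server scopes is an assumption of the example rather than something the page states.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class ClientMetadata:
    """Subset of OAuth client metadata used here (modelled for this example, not the SDK's class)."""
    scope: str | None = None  # space-separated scope string, or None when the caller set nothing


@dataclass
class DiscoveryResult:
    """Scopes learned during discovery: the 'server-advertised scopes' the description refers to."""
    resource_scopes_supported: list[str] = field(default_factory=list)     # protected-resource metadata
    auth_server_scopes_supported: list[str] = field(default_factory=list)  # authorization-server metadata


def advertised_scope(discovery: DiscoveryResult) -> str | None:
    """Join the server-advertised scopes into one scope string.

    Checking resource metadata before authorization-server metadata is an assumption
    of this example; the SDK's own ordering may differ.
    """
    for scopes in (discovery.resource_scopes_supported, discovery.auth_server_scopes_supported):
        if scopes:
            return " ".join(scopes)
    return None


def select_scope_overwriting(client: ClientMetadata, discovery: DiscoveryResult) -> str | None:
    """Behaviour the PR reports as the bug: discovery replaces whatever the caller set."""
    advertised = advertised_scope(discovery)
    if advertised is not None:
        client.scope = advertised  # silently widens a deliberately limited scope
    return client.scope


def select_scope_preserving(client: ClientMetadata, discovery: DiscoveryResult) -> str | None:
    """Fixed behaviour: auto-select only when the caller left scope unset (None)."""
    if client.scope is None:
        client.scope = advertised_scope(discovery)
    return client.scope


# Matches key="value" auth-params in a WWW-Authenticate challenge (RFC 6750 style).
_AUTH_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_insufficient_scope(www_authenticate: str) -> str | None:
    """Return the scope demanded by a 403 Bearer 'insufficient_scope' challenge, else None."""
    scheme, _, params = www_authenticate.strip().partition(" ")
    if scheme.lower() != "bearer":
        return None
    parsed = dict(_AUTH_PARAM_RE.findall(params))
    if parsed.get("error") != "insufficient_scope":
        return None
    return parsed.get("scope") or None


def apply_step_up(client: ClientMetadata, www_authenticate: str) -> str | None:
    """403 step-up: a scope the server explicitly demands overrides the client's value.

    This path is independent of the discovery fix above, matching the description's
    statement that the step-up flow is intentionally unchanged.
    """
    demanded = parse_insufficient_scope(www_authenticate)
    if demanded is not None:
        client.scope = demanded
    return client.scope


if __name__ == "__main__":
    # Constructed sample: caller asks for the least privilege it needs ("read"),
    # while the server advertises a broader set.
    discovery = DiscoveryResult(resource_scopes_supported=["read", "write", "admin"])
    print("overwriting:", select_scope_overwriting(ClientMetadata(scope="read"), discovery))
    print("preserving: ", select_scope_preserving(ClientMetadata(scope="read"), discovery))
    print("unset:      ", select_scope_preserving(ClientMetadata(), discovery))
    challenge = 'Bearer error="insufficient_scope", scope="read write"'
    print("step-up:    ", apply_step_up(ClientMetadata(scope="read"), challenge))
```

The constructed run shows the practical difference: with the overwriting strategy a client that asked only for "read" ends up requesting "read write admin", which is both a least-privilege regression and exactly what a server that whitelists scopes per client application would reject; the preserving strategy keeps "read" and still falls back to the advertised list when the caller set nothing.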