
fix: allow client scopes when no scope restriction is set#2220

Closed
lavish0000 wants to merge 2 commits into modelcontextprotocol:main from lavish0000:fix/validate-scope-none-2216

Conversation

@lavish0000

Summary

  • treat OAuthClientMetadata.scope=None as unrestricted instead of an empty allowlist
  • add direct unit coverage for unrestricted and restricted scope validation paths

Problem

OAuthClientMetadata.validate_scope() currently turns scope=None into []. That makes any requested scope look invalid, even though an unset client scope should mean the client was not registered with a scope restriction.

As a result, authorization requests can be rejected with invalid_scope when the client metadata omits scope entirely.

Fix

If the client metadata does not declare a scope restriction, return the requested scopes as-is. Keep the existing validation path when the client was registered with explicit scopes.

Validation

  • uv run pytest tests/shared/test_auth.py tests/server/mcpserver/auth/test_auth_integration.py -k "validate_scope or authorize_invalid_scope"
  • uv run ruff check src/mcp/shared/auth.py tests/shared/test_auth.py
  • uv run ruff format --check src/mcp/shared/auth.py tests/shared/test_auth.py
  • uv run pyright src/mcp/shared/auth.py tests/shared/test_auth.py

@lavish0000
Author

Quick status note: the remaining red lane is checks / test (3.10, locked, ubuntu-latest), failing in tests/client/test_stdio.py::test_stdio_client_bad_path, which is outside this diff. The scope-handling change here is isolated to the OAuth metadata validator path, and the targeted local validation from the PR description still passes.

@maxisbey added the labels bug (Something isn't working), auth (Issues and PRs related to Authentication / OAuth) and P2 (Moderate issues affecting some users, edge cases, potentially valuable feature) on Mar 6, 2026
@maxisbey
Contributor

Thanks for the PR! Per our CONTRIBUTING.md, PRs require a corresponding issue with the ready for work label so we can agree on scope before reviewing code. Closing for now — please open an issue first and re-submit once it's triaged.

AI Disclaimer

@maxisbey maxisbey closed this Mar 24, 2026
