Compute OAuth scopes dynamically based on enabled tools

Copilot · SamMorrowDrums · Copilot · commit 5e50dfd22ced · 2026-01-18T10:39:57.000Z
- Replace hardcoded default scopes with dynamic scope computation
- Collect RequiredScopes from tools that will be enabled based on user config
- Respect --toolsets, --tools, --read-only, and --features flags
- Still allow explicit override via --oauth-scopes flag
- Only request minimum scopes needed for selected tools
- Improves security by requesting least privilege scopes
- Addresses feedback in review comment 2702294613

Co-authored-by: SamMorrowDrums &lt;4811358+SamMorrowDrums@users.noreply.github.com&gt;
diff --git a/cmd/github-mcp-server/main.go b/cmd/github-mcp-server/main.go
@@ -1,15 +1,19 @@
 package main
 
 import (
+	"context"
 	"errors"
 	"fmt"
 	"os"
+	"sort"
 	"strings"
 	"time"
 
 	"github.com/github/github-mcp-server/internal/ghmcp"
 	"github.com/github/github-mcp-server/internal/oauth"
 	"github.com/github/github-mcp-server/pkg/github"
+	"github.com/github/github-mcp-server/pkg/inventory"
+	"github.com/github/github-mcp-server/pkg/translations"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
 	"github.com/spf13/viper"
@@ -187,18 +191,70 @@ func wordSepNormalizeFunc(_ *pflag.FlagSet, name string) pflag.NormalizedName {
 	return pflag.NormalizedName(name)
 }
 
-// getOAuthScopes returns the OAuth scopes to request
-// Uses custom scopes if provided, otherwise defaults to common scopes
+// getOAuthScopes returns the OAuth scopes to request based on enabled tools
+// Uses custom scopes if explicitly provided, otherwise computes required scopes
+// from the tools that will be enabled based on user configuration
 func getOAuthScopes() []string {
+	// Allow explicit override via --oauth-scopes flag
 	var scopes []string
 	if viper.IsSet("oauth_scopes") {
 		if err := viper.UnmarshalKey("oauth_scopes", &scopes); err == nil && len(scopes) > 0 {
 			return scopes
 		}
 	}
 
-	// Default scopes for GitHub MCP Server
-	// Based on the protected resource metadata at https://api.githubcopilot.com/.well-known/oauth-protected-resource/mcp
+	// Compute required scopes based on enabled tools
+	// This ensures we only request scopes for tools the user will actually use
+	var enabledToolsets []string
+	if viper.IsSet("toolsets") {
+		if err := viper.UnmarshalKey("toolsets", &enabledToolsets); err != nil {
+			// If unmarshaling fails, fall back to defaults
+			enabledToolsets = nil
+		}
+	}
+
+	var enabledTools []string
+	if viper.IsSet("tools") {
+		if err := viper.UnmarshalKey("tools", &enabledTools); err != nil {
+			enabledTools = nil
+		}
+	}
+
+	var enabledFeatures []string
+	if viper.IsSet("features") {
+		if err := viper.UnmarshalKey("features", &enabledFeatures); err != nil {
+			enabledFeatures = nil
+		}
+	}
+
+	// Build inventory with the same configuration that will be used at runtime
+	// This allows us to determine which tools will actually be available
+	t, _ := translations.TranslationHelper()
+	inventoryBuilder := github.NewInventory(t).
+		WithReadOnly(viper.GetBool("read-only")).
+		WithToolsets(enabledToolsets).
+		WithTools(enabledTools).
+		WithFeatureChecker(createFeatureChecker(enabledFeatures))
+
+	inventory, err := inventoryBuilder.Build()
+	if err != nil {
+		// If inventory build fails, fall back to default scopes
+		return getDefaultOAuthScopes()
+	}
+
+	// Collect all required scopes from available tools
+	requiredScopes := collectRequiredScopes(inventory)
+	if len(requiredScopes) == 0 {
+		// If no tools require scopes, use defaults
+		return getDefaultOAuthScopes()
+	}
+
+	return requiredScopes
+}
+
+// getDefaultOAuthScopes returns the default scopes for GitHub MCP Server
+// Based on the protected resource metadata at https://api.githubcopilot.com/.well-known/oauth-protected-resource/mcp
+func getDefaultOAuthScopes() []string {
 	return []string{
 		"repo",
 		"user",
@@ -208,3 +264,39 @@ func getOAuthScopes() []string {
 		"project",
 	}
 }
+
+// collectRequiredScopes collects all unique required scopes from available tools
+// Returns a sorted, deduplicated list of OAuth scopes needed for the enabled tools
+func collectRequiredScopes(inv *inventory.Inventory) []string {
+	scopeSet := make(map[string]bool)
+
+	// Get available tools (respects filters like read-only, toolsets, etc.)
+	for _, tool := range inv.AvailableTools(context.Background()) {
+		for _, scope := range tool.RequiredScopes {
+			if scope != "" {
+				scopeSet[scope] = true
+			}
+		}
+	}
+
+	// Convert to sorted slice for deterministic output
+	scopes := make([]string, 0, len(scopeSet))
+	for scope := range scopeSet {
+		scopes = append(scopes, scope)
+	}
+	sort.Strings(scopes)
+
+	return scopes
+}
+
+// createFeatureChecker creates a feature flag checker from enabled features list
+func createFeatureChecker(enabledFeatures []string) inventory.FeatureFlagChecker {
+	// Build a set for O(1) lookup
+	featureSet := make(map[string]bool, len(enabledFeatures))
+	for _, f := range enabledFeatures {
+		featureSet[f] = true
+	}
+	return func(_ context.Context, flagName string) (bool, error) {
+		return featureSet[flagName], nil
+	}
+}
