feat: implement SEP-985 OAuth 2.0 Protected Resource Metadata fallback #1045

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

cbcoutinho wants to merge 5 commits into modelcontextprotocol:main from cbcoutinho:main

+761 −34

fix: respect scope from WWW-Authenticate header and Protected Resourc…

…e Metadata

Implements proper scope selection priority per MCP OAuth spec:
1. Explicit scope parameter (user override)
2. WWW-Authenticate challenge scope (authoritative per spec)
3. Protected Resource Metadata scopes_supported
4. Client default scope

Changes:
- Add extractChallengeScope() to parse scope from WWW-Authenticate header
- Add selectScopes() helper with priority logic
- Update auth(), authInternal() to accept and use challengeScope
- Update SSE, StreamableHTTP, and middleware transports to extract and pass challenge scope
- Add comprehensive tests for extractChallengeScope() and scope selection priority

All 869 tests passing.

Loading branch information

cbcoutinho committed Oct 25, 2025

commit c0fbfd0310779ecdb3af6b8c8b7f738aa7c2c4bd

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

feat: implement SEP-985 OAuth 2.0 Protected Resource Metadata fallback #1045

Diff view

Diff view

Uh oh!

There are no files selected for viewing

Uh oh!

Uh oh!

feat: implement SEP-985 OAuth 2.0 Protected Resource Metadata fallback #1045

Are you sure you want to change the base?

feat: implement SEP-985 OAuth 2.0 Protected Resource Metadata fallback #1045

Uh oh!

Uh oh!

Diff view

Diff view

Uh oh!

There are no files selected for viewing

Uh oh!

Uh oh!