OAuth Client Registration Uses URL as Scope Instead of PRM scopes_supported #1636

@pdharmendra


Initial Checks

Description

I was using examples/servers/simple-auth and examples/clients/simple-auth-client to learn about the MCP and OAuth integration. The first issue I encountered was the server giving a 404 for the PRM endpoint /.well-known/oauth-protected-resource, so I added one endpoint, and then when I ran the client, the client got a 400 error from the auth server.

OAuthRegistrationError: Registration failed: 400 {"error":"invalid_client_metadata","error_description":"Requested scopes are not valid: http://localhost:9001/.well-known/oauth-protected-resource/mcp"}

What I believe is that the OAuth client registration is incorrectly using a URL (specifically the PRM discovery URL) as the scope parameter instead of using the scopes_supported field from the Protected Resource Metadata (PRM) response.

The bug appears to be in the OAuth flow where the scope is being set incorrectly. The problematic scope value http://localhost:9001/.well-known/oauth-protected-resource/mcp matches the pattern constructed in:

from urllib.parse import urljoin, urlparse  # context lines assumed from the surrounding SDK helper, not part of the quoted snippet
parsed = urlparse(server_url)               # e.g. http://localhost:9001/mcp
base_url = f"{parsed.scheme}://{parsed.netloc}"
urls = []
# Priority 2: Path-based well-known URI (if server has a path component)
if parsed.path and parsed.path != "/":
    path_based_url = urljoin(base_url, f"/.well-known/oauth-protected-resource{parsed.path}")
    urls.append(path_based_url)

As per my understanding, the expected behavior is as follows.
According to the MCP specification and RFC 9728, the client should:

  1. Discover PRM at /.well-known/oauth-protected-resource
  2. Extract scopes_supported from the PRM response
  3. Use those scopes (e.g., "user") in the client registration request

Reproduction Steps

  1. Start the sample MCP resource server on http://localhost:9001/mcp with PRM endpoint at /.well-known/oauth-protected-resource returning:
    {
      "resource": "http://localhost:9001",
      "scopes_supported": ["user"],
      "authorization_servers": ["http://localhost:9000"]
    }
  2. Start an authorization server on http://localhost:9000
  3. Create an MCP client connecting to http://localhost:9001/mcp
  4. The client registration fails with the error above

Example Code

Python & MCP Python SDK version: 1.21.1
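The three-step flow described in the report (discover the PRM, read scopes_supported, register with those scopes) as an added example. This is not the MCP SDK's code and not the reporter's; the function names (prm_discovery_urls, parse_prm, registration_scope, registration_metadata), the client name, the redirect URI and the two PRM documents are constructed for illustration, and the registration body is a plain RFC 7591 dict rather than the SDK's model classes. Beyond the report's case it also handles a PRM that omits the optional scopes_supported field and rejects a PRM whose resource does not identify the server being contacted.

```python
from __future__ import annotations

import json
from urllib.parse import urljoin, urlparse

# Added example, not code from the MCP Python SDK. Client name, redirect
# URI and the PRM bodies below are constructed for illustration.
WELL_KNOWN = "/.well-known/oauth-protected-resource"

# Constructed PRM documents: the one from the report, and one that omits
# the optional scopes_supported field.
PRM_BODY = json.dumps({
    "resource": "http://localhost:9001",
    "scopes_supported": ["user"],
    "authorization_servers": ["http://localhost:9000"],
})
PRM_BODY_NO_SCOPES = json.dumps({
    "resource": "http://localhost:9001",
    "authorization_servers": ["http://localhost:9000"],
})


def prm_discovery_urls(server_url: str) -> list[str]:
    """RFC 9728 discovery candidates: the path-based well-known URI first
    (only when the resource URL has a path), then the root well-known URI.
    These are URLs to fetch, never values to send as a scope."""
    parsed = urlparse(server_url)
    base = f"{parsed.scheme}://{parsed.netloc}"
    urls: list[str] = []
    if parsed.path and parsed.path != "/":
        urls.append(urljoin(base, WELL_KNOWN + parsed.path.rstrip("/")))
    urls.append(urljoin(base, WELL_KNOWN))
    return urls


def parse_prm(body: str, server_url: str) -> dict:
    """Parse a PRM document and check that its 'resource' identifies the
    server we are connecting to (same origin, resource path is a prefix
    of ours). Without this check a substituted document could point the
    client at an attacker-chosen authorization server."""
    prm = json.loads(body)
    resource = prm.get("resource")
    if not isinstance(resource, str):
        raise ValueError("PRM has no 'resource' claim")
    want, got = urlparse(server_url), urlparse(resource)
    if (want.scheme, want.netloc) != (got.scheme, got.netloc):
        raise ValueError(f"PRM resource {resource!r} is not the origin of {server_url!r}")
    if not want.path.startswith(got.path.rstrip("/")):
        raise ValueError(f"PRM resource path {got.path!r} does not cover {want.path!r}")
    if not prm.get("authorization_servers"):
        raise ValueError("PRM lists no authorization_servers")
    return prm


def registration_scope(prm: dict, fallback: str | None = None) -> str | None:
    """Scope for the registration request: the space-joined scopes_supported
    (RFC 6749 section 3.3 syntax). scopes_supported is optional in RFC 9728,
    so fall back to the caller's default (None means omit 'scope')."""
    scopes = prm.get("scopes_supported")
    if not scopes:
        return fallback
    for token in scopes:
        if not isinstance(token, str) or not token or " " in token:
            raise ValueError(f"invalid scope token {token!r}")
    return " ".join(scopes)


def registration_metadata(server_url: str, prm_body: str, redirect_uri: str) -> dict:
    """Build the dynamic client registration body (RFC 7591) for a public
    client using PKCE, with scope taken from the PRM rather than a URL."""
    prm = parse_prm(prm_body, server_url)
    scope = registration_scope(prm)
    if scope in prm_discovery_urls(server_url):
        # Guard against the bug in the report: a discovery URL is not a scope.
        raise ValueError(f"refusing to register with a discovery URL as scope: {scope}")
    metadata = {
        "client_name": "example-mcp-client",  # constructed
        "redirect_uris": [redirect_uri],
        "grant_types": ["authorization_code", "refresh_token"],
        "response_types": ["code"],
        "token_endpoint_auth_method": "none",
    }
    if scope is not None:
        metadata["scope"] = scope
    return metadata


if __name__ == "__main__":
    print(prm_discovery_urls("http://localhost:9001/mcp"))
    body = registration_metadata("http://localhost:9001/mcp", PRM_BODY, "http://localhost:3030/callback")
    print(json.dumps(body, indent=2))
```

For the report's server URL the discovery list is the path-based URL followed by the root one, and the registration body carries scope "user"; when scopes_supported is absent the scope field is simply omitted so the authorization server applies its default, which is what an auth server that validates requested scopes against its own list expects.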
