fix: preserve client_metadata.scope if already set by owendevereaux · Pull Request #2324 · modelcontextprotocol/python-sdk

owendevereaux · 2026-03-21T08:43:05Z

Summary

Don't override client_metadata.scope if it was explicitly set by the client.

Problem

As reported in #2317, the scope selection strategy in async_auth_flow unconditionally overwrites any scope that was explicitly set by the client. This prevents clients from:

Requesting fewer permissions than available
Working with servers that reject requests for unauthorized scopes (e.g., SalesForce)

Solution

Made the scope assignment conditional:

# Step 3: Apply scope selection strategy (only if not already set)
if self.context.client_metadata.scope is None:
    self.context.client_metadata.scope = get_client_metadata_scopes(...)

This preserves the existing behavior when no scope is set, while respecting explicit scope configuration.

Testing

Existing tests continue to pass (scope is None by default)
Clients that explicitly set client_metadata.scope will now have that value preserved

Fixes #2317

Don't override the scope if it was explicitly set by the client. This allows clients to: - Request fewer permissions than available - Work with servers that reject requests for unauthorized scopes The scope selection strategy now only applies when scope is None. Fixes modelcontextprotocol#2317

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: preserve client_metadata.scope if already set#2324

fix: preserve client_metadata.scope if already set#2324
owendevereaux wants to merge 1 commit intomodelcontextprotocol:mainfrom
owendevereaux:fix/preserve-client-metadata-scope

owendevereaux commented Mar 21, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

owendevereaux commented Mar 21, 2026

Summary

Problem

Solution

Testing

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant