From e8f42d65ca6e4fc9acef02717105469138124934 Mon Sep 17 00:00:00 2001
From: Owen Devereaux
Date: Sat, 21 Mar 2026 04:42:45 -0400
Subject: [PATCH] fix: preserve client_metadata.scope if already set

Don't override the scope if it was explicitly set by the client. This allows clients to:
- Request fewer permissions than available
- Work with servers that reject requests for unauthorized scopes
The scope selection strategy now only applies when scope is None.
Fixes #2317
---
 src/mcp/client/auth/oauth2.py | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/src/mcp/client/auth/oauth2.py b/src/mcp/client/auth/oauth2.py
index 25075dec3..eb169963d 100644
--- a/src/mcp/client/auth/oauth2.py
+++ b/src/mcp/client/auth/oauth2.py
@@ -571,12 +571,13 @@ async def async_auth_flow(self, request: httpx.Request) -> AsyncGenerator[httpx.
 else:
 logger.debug(f"OAuth metadata discovery failed: {url}")
- # Step 3: Apply scope selection strategy
- self.context.client_metadata.scope = get_client_metadata_scopes(
- extract_scope_from_www_auth(response),
- self.context.protected_resource_metadata,
- self.context.oauth_metadata,
- )
+ # Step 3: Apply scope selection strategy (only if not already set)
+ if self.context.client_metadata.scope is None:
+ self.context.client_metadata.scope = get_client_metadata_scopes(
+ extract_scope_from_www_auth(response),
+ self.context.protected_resource_metadata,
+ self.context.oauth_metadata,
+ )
 # Step 4: Register client or use URL-based client ID (CIMD)
 if not self.context.client_info:
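Review bot: Because the strategy's result is written back into the same field the new guard tests, `self.context.client_metadata.scope is None` cannot distinguish a scope the client supplied from one computed by an earlier run of this flow, so on a later run the `WWW-Authenticate` scope hint from `extract_scope_from_www_auth(response)` is silently ignored and the first computed value sticks for as long as the context lives. If re-evaluation on later challenges is wanted, record the computed scope separately (or note at construction time whether the client supplied one, which is outside this hunk) and key the guard on that instead. The guard also treats an empty string as "set", so `scope=""` is kept and sent verbatim; `if not self.context.client_metadata.scope:` would fall through to the strategy unless an empty scope is meant to be honoured. A short comment would make the precedence explicit, e.g. `# A scope chosen by the client wins over the discovered/advertised ones (#2317)`. async_auth_flow starts and ends outside the hunk.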