Skip to content

Support for requesting specific OAuth scopes #24

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

Support for requesting specific OAuth scopes #24

wants to merge 5 commits into from
+5,652 −4

Conversation

toharm
Copy link

@toharm toharm commented Jul 7, 2025

Added support for requesting specific OAuth scopes in BrowserOAuthClientProvider.

Motivation and Context

Only specific scopes are necessary to request with most OAuth-protected MCP servers, thus always requesting all available permissions violates the principle of least privilege and makes it difficult to implement scope-specific authorization flows.

How Has This Been Tested?

Tested:

✓ should use default scope when no scopes provided
✓ should use default scope when empty scopes array provided
✓ should store and use custom scopes when provided
✓ should handle single scope correctly
✓ should preserve scope order
✓ should include scopes in client metadata
✓ should handle special characters in scopes
[mcp:auth] Redirecting to authorization URL in popup.
✓ should store scopes in state during authorization redirect
[test-prefix] Redirecting to authorization URL in popup.
✓ should preserve all provider options including scopes in state
✓ should work with old constructor calls (no scopes)
✓ should maintain existing functionality when scopes are added
✓ should handle undefined scopes gracefully
✓ should handle scopes with whitespace
✓ should clear scope-related state during clearStorage
✓ should reconstruct provider with correct scopes from stored state
✓ should handle many scopes
✓ should handle OAuth standard scopes

Results: 17 passed, 0 failed
All tests passed!

Breaking Changes

No. This new feature is backward-compatible and tested with original functionality. Existing code without the new scopes parameter continues to work unchanged, default behavior with the 'openid' scope, and all existing constructor options are preserved. If a user wants to implement this new feature, they will have to add their respective scopes (i.e. 'openid profile email')

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Additional context

Using use-mcp and need the ability to request specific scopes.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@toharm @gaokevin1