Skip to content

Fix OAuth scope selection to use resource server scopes #709

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Fix OAuth scope selection to use resource server scopes #709

wants to merge 2 commits into from
+5 −2

Conversation

anatoly314
Copy link

Summary

  • Fixed OAuth scope selection bug where Inspector was requesting all scopes from the authorization server instead of using resource server scopes
  • This caused failures with dynamic OAuth clients that don't have access to all authorization server scopes (e.g., public_metadata, private_metadata)

Changes

  • Modified the authorization_redirect step in oauth-state-machine.ts to prefer resource server scopes over authorization server scopes
  • This matches the existing behavior in the client_registration step

Test plan

  • Tested with OAuth server that has additional scopes not available to dynamic clients
  • Verified that Inspector now requests only the scopes supported by the resource server
  • OAuth flow completes successfully without scope-related errors

🤖 Generated with Claude Code

anatoly314 and others added 2 commits August 12, 2025 23:34
@anatoly314 @claude
Fix OAuth scope selection to use resource server scopes
6d95148 
Inspector was incorrectly requesting all scopes from the authorization server's metadata instead of using the resource server's supported scopes. This caused issues with dynamic OAuth clients that don't have access to all authorization server scopes (like public_metadata and private_metadata).

The fix ensures that during the authorization redirect step, we prefer the resource server's scopes_supported over the authorization server's scopes, matching the behavior already present in the client registration step.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
@anatoly314
Merge branch 'main' into fix-oauth-scope-selection
6b1e4cd
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@anatoly314