In full transparency, this ticket was created using an AI agent. I am not sure if there is anything useful here, but I was hoping that I could at least get pointed in the correct direction. My debug session is here: https://opncd.ai/share/LeFwxgyK
I am happy to move or update the issue log. The issue I am having is that a specific MCP server I am trying to connect to is not working. The server is https://docs.medusajs.com/learn/introduction/build-with-llms-ai/mcp-server but when trying to connect I get an error message: OAuth Failure: Missing required state parameter - potential CSRF attack.
The below was output by my agent (Gpt 5.5 xhigh).
Summary
OpenCode exposes an MCP OAuth config option:
"oauth": {
  "scope": "openid email profile"
}
But the configured scope does not appear to be included in the OAuth client metadata used by the MCP TypeScript SDK. As a result, the generated authorization URL can omit scope, which prevents users from working around MCP servers that require explicit scopes.
Environment
- OpenCode version observed in logs: 1.14.40
- Current source checked: v1.14.41
- OS: macOS
- MCP server tested: https://docs.medusajs.com/mcp
Reproduction
Configure a remote MCP server with an explicit OAuth scope:
{
  "mcp": {
    "medusa": {
      "type": "remote",
      "enabled": true,
      "url": "https://docs.medusajs.com/mcp",
      "oauth": {
        "scope": "openid email profile"
      }
    }
  }
}
Run:
Inspect logs in:
~/.local/share/opencode/log/
Actual Behavior
The generated authorization URL does not include a scope parameter.
Example log shape:
https://cloud.medusajs.com/oauth/authorize
?response_type=code
&client_id=medusa-mcp
&code_challenge=<redacted>
&code_challenge_method=S256
&redirect_uri=http%3A%2F%2F127.0.0.1%3A19876%2Fmcp%2Foauth%2Fcallback
&state=<redacted>
&resource=https%3A%2F%2Fdocs.medusajs.com%2F
There is no:
scope=openid%20email%20profile
Expected Behavior
If mcp.<server>.oauth.scope is configured, OpenCode should pass it through so the authorization request includes that scope.
Likely Cause
packages/opencode/src/mcp/index.ts passes oauthConfig?.scope into McpOAuthProvider, but packages/opencode/src/mcp/oauth-provider.ts does not appear to expose that value through clientMetadata.
The MCP TypeScript SDK uses provider.clientMetadata.scope as a fallback when no scope is supplied by the WWW-Authenticate header or protected resource metadata.
Suggested Fix
In packages/opencode/src/mcp/oauth-provider.ts, include configured scope in clientMetadata:
get clientMetadata(): OAuthClientMetadata {
  return {
    redirect_uris: [this.redirectUrl],
    client_name: "OpenCode",
    client_uri: "https://opencode.ai",
    grant_types: ["authorization_code", "refresh_token"],
    response_types: ["code"],
    token_endpoint_auth_method: this.config.clientSecret ? "client_secret_post" : "none",
    ...(this.config.scope ? { scope: this.config.scope } : {}),
  }
}
Why This Matters
Some MCP OAuth servers require explicit scopes but may not advertise MCP protected-resource scopes_supported. OpenCode already has a config option that appears intended to handle this case, but it currently cannot be used as a workaround if it is not included in client metadata.
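Added example, not part of the original issue and not OpenCode or MCP SDK code: a TypeScript sketch of the scope fallback order described above, with a check that audits the resulting authorization URL the way one would audit the logged one. The function names, the space-joining of scopes_supported, and the state and code_challenge values are assumptions or constructed.

```typescript
// Added example: hypothetical names, not OpenCode or MCP SDK code.
interface ClientMetadata { redirect_uris: string[]; scope?: string }
interface ScopeSources {
  wwwAuthenticateScope?: string // scope from a WWW-Authenticate challenge
  scopesSupported?: string[] // from protected resource metadata
  clientMetadata: ClientMetadata
}

// Fallback order the issue describes: header, resource metadata, client metadata.
// Joining scopes_supported with spaces is an assumption of this sketch.
function resolveScope(src: ScopeSources): string | undefined {
  if (src.wwwAuthenticateScope) return src.wwwAuthenticateScope
  if (src.scopesSupported && src.scopesSupported.length > 0) return src.scopesSupported.join(" ")
  return src.clientMetadata.scope
}

function buildAuthorizeUrl(src: ScopeSources): string {
  const url = new URL("https://cloud.medusajs.com/oauth/authorize")
  url.searchParams.set("response_type", "code")
  url.searchParams.set("client_id", "medusa-mcp")
  url.searchParams.set("code_challenge", "constructed-challenge") // constructed value
  url.searchParams.set("code_challenge_method", "S256")
  url.searchParams.set("redirect_uri", src.clientMetadata.redirect_uris[0])
  url.searchParams.set("state", "constructed-state") // constructed value
  const scope = resolveScope(src)
  if (scope) url.searchParams.set("scope", scope)
  return url.toString()
}

// Audit an authorization URL: required parameters, PKCE method, expected scopes.
function auditAuthorizeUrl(logged: string, expectedScope: string): string[] {
  const params = new URL(logged).searchParams
  const findings: string[] = []
  for (const name of ["response_type", "client_id", "redirect_uri", "state", "code_challenge"]) {
    if (!params.get(name)) findings.push(`missing ${name}`)
  }
  if (params.get("code_challenge_method") !== "S256") findings.push("PKCE method is not S256")
  const present = new Set((params.get("scope") || "").split(" ").filter(Boolean))
  for (const s of expectedScope.split(" ").filter(Boolean)) {
    if (!present.has(s)) findings.push(`missing scope ${s}`)
  }
  return findings
}

const callbackUrl = "http://127.0.0.1:19876/mcp/oauth/callback"
const urlWithoutScope = buildAuthorizeUrl({ clientMetadata: { redirect_uris: [callbackUrl] } })
const urlWithScope = buildAuthorizeUrl({ clientMetadata: { redirect_uris: [callbackUrl], scope: "openid email profile" } })
console.log(auditAuthorizeUrl(urlWithoutScope, "openid email profile"), auditAuthorizeUrl(urlWithScope, "openid email profile"))
```

The first audit reports the three missing scopes, matching the logged URL in the report; the second is empty once the configured scope reaches the client metadata.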