v2.0.1: OAuth scope discovery fixes
Highlights
This patch fixes OAuth scope discovery. Discovery documents now advertise scopes_supported, so MCP clients no longer fall back to Doorkeeper's default scopes and hit 403s on tools that need other permissions, such as list_redmine_issues, get_redmine_issue, and list_time_entries. Read-only mode hides write scopes from the advertised list.
It also corrects the advertised document permissions to Redmine's real add_documents / edit_documents / delete_documents triad. The previously inferred manage_documents scope does not exist in Redmine 6, so Doorkeeper rejected the consent request with invalid_scope and broke the whole OAuth flow for any client requesting the full scope set. Discovery documents are now also served at path-aliased locations, so clients that skip the canonical root paths can still bootstrap.
A urllib3 bump to 2.7.0 patches CVE-2026-44431 and CVE-2026-44432, with an explicit >=2.7.0,<3 floor.
Changes
Fixed
- OAuth discovery now advertises
scopes_supportedon both/.well-known/oauth-protected-resourceand/.well-known/oauth-authorization-server, fixing 403s on tools that need non-default scopes; read-only mode hides write scopes. (#130) - Corrected the advertised document scopes to
add_documents/edit_documents/delete_documents; the previously inferred, nonexistentmanage_documentsmade Doorkeeper reject consent withinvalid_scopeon Redmine 6. (#130) - OAuth discovery documents are now also served at path-aliased locations (
/mcp/.well-known/...and/.well-known/.../mcp) so clients that do not query the canonical root paths can bootstrap the flow.
Security
- Bump
urllib3from 2.6.3 to 2.7.0 (CVE-2026-44431, CVE-2026-44432) and add an expliciturllib3>=2.7.0,<3floor.
Acknowledgements
Thanks to @timcomport for contributing:
- reported #130 with detailed diagnosis, reproduction steps, and analysis of prior PR #85's limitations.
Thanks to @aadnehovda for contributing:
- contributed the path-aliased discovery endpoints concept via
codex-dcr-compatfork, and identified the invalidmanage_documentsscope via live-test against Redmine 6 / Doorkeeper.
Installation
pip install redmine-mcp-server==2.0.1