Skip to content

OAuth Client Registration Uses URL as Scope Instead of PRM scopes_supported #1636

New issue
New issue
Closed
Closed
OAuth Client Registration Uses URL as Scope Instead of PRM scopes_supported#1636
@pdharmendra

Description

@pdharmendra
pdharmendra
opened on Nov 17, 2025

Initial Checks

Description

I was using examples/servers/simple-auth and examples/clients/simple-auth-client to learn about the mcp and oauth integration. First issue I encountered was the server giving 404 to PRM : /.well-known/oauth-protected-resource , so I added one endpoint and then when I ran the client, the client gets 400 error from auth server.

OAuthRegistrationError: Registration failed: 400 {"error":"invalid_client_metadata","error_description":"Requested scopes are not valid: http://localhost:9001/.well-known/oauth-protected-resource/mcp"}

What I believe is OAuth client registration is incorrectly using a URL (specifically the PRM discovery URL) as a scope parameter instead of using the scopes_supported field from the Protected Resource Metadata (PRM) response.

The bug appears to be in the OAuth flow where the scope is being set incorrectly. The problematic scope value http://localhost:9001/.well-known/oauth-protected-resource/mcp matches the pattern constructed in:

# Priority 2: Path-based well-known URI (if server has a path component)
if parsed.path and parsed.path != "/":
    path_based_url = urljoin(base_url, f"/.well-known/oauth-protected-resource{parsed.path}")
    urls.append(path_based_url)

As per my understanding, Expected Behavior:
According to the MCP specification and RFC 9728, the client should:

  1. Discover PRM at /.well-known/oauth-protected-resource
  2. Extract scopes_supported from the PRM response
  3. Use those scopes (e.g., "user") in the client registration request

Reproduction Steps

  1. Start the sample MCP resource server on http://localhost:9001/mcp with PRM endpoint at /.well-known/oauth-protected-resource returning: 
    {
  "resource": "http://localhost:9001",
  "scopes_supported": ["user"],
  "authorization_servers": ["http://localhost:9000"]
}
  2. Start an authorization server on http://localhost:9000
  3. Create an MCP client connecting to http://localhost:9001/mcp
  4. The client registration fails with the error above

Example Code



Python & MCP Python SDK


1.21.1

Metadata
Metadata
Assignees
No one assigned
    Labels
    No labels
    No labels
    Type
    No type
    Projects
    No projects
    Milestone
    No milestone
    Relationships
    None yet
    Development
    No branches or pull requests
    Issue actions