fix: accumulate OAuth scopes across 401/403 responses for progressive authorization#1601
Closed
giulio-leone wants to merge 3 commits intomodelcontextprotocol:v1.xfrom
Closed
Conversation
🦋 Changeset detectedLatest commit: 4972dd2 The changes in this PR will be included in the next version bump. Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
commit: |
added 3 commits
February 28, 2026 15:50
… authorization The 401 and 403 handlers in StreamableHTTPClientTransport overwrite `this._scope` with the scope from WWW-Authenticate, discarding previously granted scopes. This causes infinite re-authorization loops when an MCP server requires different scopes for different operations (progressive/step-up authorization). Per RFC 6750 §3.1, servers report only the scopes needed for the specific operation being accessed. The client must accumulate scopes across responses. This adds a mergeScopes() helper that unions space-delimited scope strings, and applies it at both the 401 and 403 handler sites. Fixes modelcontextprotocol#1582
Contributor
Author
|
All CI checks pass. Ready for review. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The
StreamableHTTPClientTransport401/403 handlers overwritethis._scopewith the scope from theWWW-Authenticateheader, discarding previously granted scopes. This causes infinite re-authorization loops when an MCP server requires different scopes for different operations (progressive/step-up authorization).Root Cause
When a server requires
initscope forinitializeandmcp:tools:readfortools/list:initialize→ 403 →_scope = "init"→ re-auth → token getsinittools/list→ 403 →_scope = "mcp:tools:read"→ re-auth → token getsmcp:tools:readbut losesinitinit→ 403 → infinite loopFix
Added a
mergeScopes()helper that unions space-delimited OAuth scope strings:Applied at both the 401 and 403 handler sites. Per RFC 6750 §3.1, servers report only the scopes needed for the specific operation, so scope accumulation is the client's responsibility.
The existing
_lastUpscopingHeaderinfinite loop protection still works: if the same header appears twice, it throws. Different operations produce different headers, so progressive auth flows through correctly.Tests
Added 1 new test:
accumulates scopes across multiple 403 responses for progressive authorization— verifies that after two 403 responses with different scopes (read, thenwrite), the second auth call includes the accumulated scope"read write".Verification
2 consecutive clean test runs: 1548/1548 tests passed, 0 failures.
Fixes #1582