MCP OAuth login does not include scopes during dynamic client registration #20503

@yqiang

Summary

codex mcp login --scopes ... does not appear to include the requested scopes in the OAuth dynamic client registration request. This prevents login to Fastmail's remote MCP server, because Fastmail requires a scope value during registration.

Environment

  • codex-cli 0.128.0
  • macOS 26.4.1
  • Remote MCP server: https://api.fastmail.com/mcp

Reproduction

codex mcp add fastmail --url https://api.fastmail.com/mcp
codex mcp login fastmail --scopes https://www.fastmail.com/dev/mcp,offline_access

The same failure occurs if the scopes are passed before the server name:

codex mcp login --scopes https://www.fastmail.com/dev/mcp,offline_access fastmail

The same failure also occurs when setting scopes via config override:

codex mcp login fastmail \
  -c 'mcp_servers.fastmail.scopes=["https://www.fastmail.com/dev/mcp","offline_access"]' \
  -c 'mcp_servers.fastmail.oauth_resource="https://api.fastmail.com/mcp"'

Actual Behavior

Error: Registration failed: Dynamic registration failed: Registration failed: HTTP 400 Bad Request: {"error_description":"invalid_request no scope","error":"invalid_request"}

Expected Behavior

The dynamic client registration request to https://api.fastmail.com/oauth/register should include the requested scopes, probably as a space-delimited scope string:

{
  "scope": "https://www.fastmail.com/dev/mcp offline_access"
}

Validation

Fastmail's MCP protected-resource metadata advertises these scopes:

{
  "resource": "https://api.fastmail.com/mcp",
  "authorization_servers": ["https://api.fastmail.com"],
  "scopes_supported": [
    "https://www.fastmail.com/dev/mcp",
    "offline_access"
  ]
}

Fastmail's OAuth authorization-server metadata also advertises both scopes and supports dynamic registration:

{
  "registration_endpoint": "https://api.fastmail.com/oauth/register",
  "authorization_endpoint": "https://api.fastmail.com/oauth/authorize",
  "token_endpoint": "https://api.fastmail.com/oauth/refresh",
  "scopes_supported": [
    "urn:ietf:params:oauth:scope:mail",
    "urn:ietf:params:oauth:scope:contacts",
    "urn:ietf:params:oauth:scope:calendars",
    "https://www.fastmail.com/dev/mcp",
    "offline_access"
  ],
  "token_endpoint_auth_methods_supported": ["none"],
  "code_challenge_methods_supported": ["S256"]
}

I manually tested Fastmail dynamic client registration with an explicit scope field, and Fastmail returned HTTP 201, so the scope values themselves are accepted. The issue seems to be that Codex's --scopes are not sent during the dynamic client registration step.
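
Added example, not part of the original issue and not Codex's code: a sketch of how a client could turn a comma-separated `--scopes` value into the space-delimited `scope` field of an RFC 7591 dynamic client registration body, accepting only scopes the resource metadata quoted above advertises. The redirect URI, client name and function names are assumptions made for illustration.

```python
import json

# Copied from the protected-resource metadata quoted in the issue.
RESOURCE_SCOPES = ["https://www.fastmail.com/dev/mcp", "offline_access"]

# Constructed placeholder: loopback redirect URI for a CLI client (assumption).
REDIRECT_URI = "http://127.0.0.1:8765/callback"


def parse_scopes(cli_value):
    """Split a comma-separated --scopes value, dropping blanks and duplicates."""
    scopes = []
    for item in cli_value.split(","):
        item = item.strip()
        if item and item not in scopes:
            scopes.append(item)
    return scopes


def build_registration_body(requested, supported, client_name="example-mcp-client"):
    """Build RFC 7591 client metadata for a public client, carrying the scopes."""
    if not requested:
        raise ValueError("no scopes requested; registration would carry no scope")
    if any(" " in s for s in requested):
        raise ValueError("a scope token must not contain spaces")
    unknown = [s for s in requested if s not in supported]
    if unknown:
        raise ValueError("scopes not advertised by the resource: " + ", ".join(unknown))
    grant_types = ["authorization_code"]
    # Assumption: ask for refresh tokens only when offline_access is requested.
    if "offline_access" in requested:
        grant_types.append("refresh_token")
    return {
        "client_name": client_name,
        "redirect_uris": [REDIRECT_URI],
        "grant_types": grant_types,
        "response_types": ["code"],
        # The server metadata quoted above lists only "none" (public client).
        "token_endpoint_auth_method": "none",
        # RFC 7591 "scope" is one space-delimited string, not a JSON array.
        "scope": " ".join(requested),
    }


if __name__ == "__main__":
    cli = "https://www.fastmail.com/dev/mcp,offline_access"
    print(json.dumps(build_registration_body(parse_scopes(cli), RESOURCE_SCOPES), indent=2))
```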

    Labels

    CLI: Issues related to the Codex CLI
    auth: Issues related to authentication and accounts
    bug: Something isn't working
    mcp: Issues related to the use of model context protocol (MCP) servers
