Allow operators to inject baseline scopes into DCR registrations

[jhrozek]

Summary

Some MCP clients (notably Claude Code) DCR-register with a narrowed scope field at /oauth/register but later request a wider set at /oauth/authorize. fosite rejects those requests with invalid_scope because the registered client's scope set does not include the requested scopes. RFC 7591 §3.2.1 explicitly permits the AS to replace requested client metadata; the embedded auth server now uses that to expand the registered scope set.

• Add EmbeddedAuthServerConfig.baselineClientScopes to the CRD — operators declare scopes that must be in every registered client's scope set.
• Plumb the field through RunConfig → runtime Config → AuthorizationServerConfig so the DCR handler can read it at request time.
• DCR handler unions the baseline into each new registration; logs a WARN when expansion actually happens (no-op short-circuited via slices.Equal).
• Validate baseline ⊆ scopesSupported at three layers (CRD-loaded RunConfig, applyDefaults, validateParams) so misconfiguration fails loudly at startup.
• Integration regression test reproduces the Claude Code repro pattern ([BUG] Missing scope Parameter in Dynamic Client Registration and Authorization Requests anthropics/claude-code#4540) end-to-end.

Refs #5224

Type of change

• New feature

Test plan

• Unit tests (task test)
• E2E tests (task test-e2e) — covered by the new integration test in test/integration/authserver/
• Linting (task lint-fix)
• Manual testing (describe below)

Manual: end-to-end deploy still pending — opening as draft for that.

API Compatibility

• This PR does not break the v1beta1 API, OR the api-break-allowed label is applied and the migration guidance is described above.

baselineClientScopes is a new optional field with omitempty and a nil-safe deepcopy. Existing CRs without the field decode as nil; the validator early-returns and behavior is unchanged.

Does this introduce a user-facing change?

Yes — operators of `MCPExternalAuthConfig` and `VirtualMCPServer` resources gain a new optional `spec.embedded.baselineClientScopes` field. When set, every DCR-registered client's scope set is expanded to include these scopes regardless of what the client requested at `/oauth/register`.

Special notes for reviewers

• Defense-in-depth validation runs at three layers; the wire-format-boundary check (`RunConfig.Validate`) is the earliest, the `Config.applyDefaults` guard catches direct callers, and `validateParams` is a final safety net.
• The `unionScopes` helper preserves requested-scope order; the `slices.Equal` no-op detection in the handler depends on that invariant.
• `MaxItems=10` on the CRD field bounds operator misuse; we considered an item-level `Pattern` marker and decided runtime validation suffices for v1.

Large PR Justification

• the CRDs got regenerated

🤖 Generated with Claude Code

[codecov]

Codecov Report

❌ Patch coverage is 94.52055% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 68.06%. Comparing base (030594a) to head (29a3621).

Files with missing lines	Patch %	Lines
pkg/authserver/runner/embeddedauthserver.go	60.00%	1 Missing and 1 partial ⚠️
pkg/authserver/server/provider.go	75.00%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #5233      +/-   ##
==========================================
+ Coverage   68.02%   68.06%   +0.04%     
==========================================
  Files         616      617       +1     
  Lines       63005    63067      +62     
==========================================
+ Hits        42857    42926      +69     
+ Misses      16945    16938       -7     
  Partials     3203     3203              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[tgrunnagle]

Multi-agent review summary

Five specialist reviewers (OAuth/security, Kubernetes operator/CRD, Go correctness, test coverage, general code quality) plus a consensus-scoring pass. Codex cross-review was skipped because the codex CLI isn't installed locally.

Overall: COMMENT — no blockers, nice piece of work. The defense-in-depth design, the three-layer validation, and the explicit regression test for anthropics/claude-code#4540 are all strong. The notes below cluster into trust-boundary documentation, observability, defense-in-depth completeness, CRD validation hardening, and operator UX — each addressable without rework.

Consensus summary

#	Finding	Severity	Score
F1	Operator-configured baseline silently widens every DCR client's registered scope set — trust boundary only weakly documented	MEDIUM	8/10
F2	WARN log includes attacker-controlled client_name (log-injection risk)	LOW	7/10
F3	WARN log fires per registration when expansion is the documented happy path	LOW	7/10
F4	BaselineClientScopes slice flows by reference through all layers — copy-before-mutate rule	LOW	7/10
F5	No direct unit test for the third defense-in-depth gate (validateParams)	MEDIUM	8/10
F6	Negative integration subtest's 400 branch doesn't assert invalid_scope	MEDIUM	7/10
F7	No operator status condition for baseline misconfig — surfaces only as CrashLoopBackOff	MEDIUM	7/10
F8	CRD field has no items:MinLength=1 — empty/whitespace entries pass admission	LOW	8/10
F9	No user-facing docs / Helm examples for the new operator knob	MEDIUM	7/10
F10	ValidateScopeSubset doc enumerates 2 of 3 defense-in-depth gates	LOW	7/10
F11	RegisterClientHandler response comment can be misread as implying re-validation of unioned set	LOW	7/10
F12	Config.Validate() (sibling helper at line 472) doesn't run the subset check — three-layer claim slightly overstated	LOW	7/10

Detailed findings are inline. The dropped findings (consensus < 7, mostly stylistic / single-agent informational) are listed in the run log and not surfaced here to keep the review focused.

Holistic assessment

• Backwards compatibility: safe. Empty/nil BaselineClientScopes is bit-exact no-op via len(...) > 0 guard, and the field is +optional with omitempty.
• Plumbing symmetry: the CRD → controllerutil → RunConfig → Config → AuthorizationServerParams → AuthorizationServerConfig flow exactly mirrors ScopesSupported and AllowedAudiences. Easy to follow.
• CRD generation: all four chart copies (files/×2, templates/×2) and docs/operator/crd-api.md are consistent; deepcopy is regenerated.
• Integration regression test: excellent — explicit reference to anthropics/claude-code#4540 and end-to-end coverage of the bug-trigger pattern. The negative subtest catches the obvious privilege-escalation regression; tightening per F6 closes the last gap.
• Test coverage: thorough for unionScopes, ValidateScopeSubset, RunConfig.Validate, Config.applyDefaults, and the DCR handler path. One gate (validateParams) lacks a direct test — see F5.
• Open design question (non-blocking): this baseline mechanism applies globally to every DCR registration on the AS instance. CRD docs warn operators to keep it narrow but the implementation has no per-client filter (e.g. by software_id). F1 flags this as documentation, not code.

Review consulted: OAuth/DCR/Security, K8s operator/CRD, Go correctness, test coverage, and general code quality reviewers.

🤖 Generated with Claude Code

[github-actions]

Large PR Detected

This PR exceeds 1000 lines of changes and requires justification before it can be reviewed.

How to unblock this PR:

Add a section to your PR description with the following format:

## Large PR Justification

[Explain why this PR must be large, such as:]
- Generated code that cannot be split
- Large refactoring that must be atomic
- Multiple related changes that would break if separated
- Migration or data transformation

Alternative:

Consider splitting this PR into smaller, focused changes (< 1000 lines each) for easier review and reduced risk.

See our Contributing Guidelines for more details.

---

This review will be automatically dismissed once you add the justification section.

Large PR justification has been provided. Thank you!

[github-actions]

✅ Large PR justification has been provided. The size review has been dismissed and this PR can now proceed with normal review.

[rdimitrov]

I think this needs a small fix before merging if we plan to release baselineClientScopes as supported behavior.

The new RunConfig.Validate() checks baseline_client_scopes against the raw ScopesSupported slice before defaults are applied. However, the operator paths still intentionally pass nil/empty scopes to mean “use the auth server defaults” (for example from deriveScopesSupported() / oidcConfig.Scopes). That makes a natural config like:

baselineClientScopes:
  - offline_access

fail startup with baseline_client_scopes contains "offline_access" which is not in scopes_supported when OIDC scopes are omitted, even though offline_access is included in registration.DefaultScopes.

Suggested fix: validate against the effective/defaulted scope set, or have the operator populate default ScopesSupported before building the RunConfig when baselineClientScopes is configured. Otherwise the first-use path for the new field is likely to fail unless users also explicitly configure all default scopes.

[jhrozek]

Good catch, fixed in b1d7ca33e. Both validate gates now treat an empty scopesSupported as the default scope set for the subset check (the same set applyDefaults would substitute), so the natural config you described just works. The redundant guard in applyDefaults is gone too. Updated the doc comments and tests to match.