Initial Checks
Description
I was using examples/servers/simple-auth and examples/clients/simple-auth-client to learn about the MCP and OAuth integration. The first issue I encountered was the server returning 404 for the PRM endpoint `/.well-known/oauth-protected-resource`, so I added one endpoint; then, when I ran the client, the client got a 400 error from the auth server:

```text
OAuthRegistrationError: Registration failed: 400 {"error":"invalid_client_metadata","error_description":"Requested scopes are not valid: http://localhost:9001/.well-known/oauth-protected-resource/mcp"}
```

What I believe is that the OAuth client registration is incorrectly using a URL (specifically the PRM discovery URL) as the scope parameter instead of using the `scopes_supported` field from the Protected Resource Metadata (PRM) response.

The bug appears to be in the OAuth flow where the scope is set incorrectly. The problematic scope value `http://localhost:9001/.well-known/oauth-protected-resource/mcp` matches the pattern constructed in:
```python
from urllib.parse import urljoin, urlparse

# Context added to make the excerpt runnable on its own; in the SDK these
# three names are set earlier in the discovery function.
parsed = urlparse("http://localhost:9001/mcp")
base_url = f"{parsed.scheme}://{parsed.netloc}"
urls = []

# Priority 2: Path-based well-known URI (if server has a path component)
if parsed.path and parsed.path != "/":
    path_based_url = urljoin(base_url, f"/.well-known/oauth-protected-resource{parsed.path}")
    urls.append(path_based_url)
```
As per my understanding, the expected behavior is as follows. According to the MCP specification and RFC 9728, the client should:

- Discover PRM at `/.well-known/oauth-protected-resource`
- Extract `scopes_supported` from the PRM response
- Use those scopes (e.g., `"user"`) in the client registration request
Reproduction Steps

- Start the sample MCP resource server on `http://localhost:9001/mcp` with a PRM endpoint at `/.well-known/oauth-protected-resource` returning:

```json
{
  "resource": "http://localhost:9001",
  "scopes_supported": ["user"],
  "authorization_servers": ["http://localhost:9000"]
}
```

- Start an authorization server on `http://localhost:9000`
- Create an MCP client connecting to `http://localhost:9001/mcp`
- The client registration fails with the error above
Example Code
Python & MCP Python SDK
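The following is an added example (not code from the issue author or from the MCP Python SDK) that works through the expected behaviour described above: it builds the RFC 9728 well-known candidate URLs for a resource with a path, derives the registration scope solely from `scopes_supported`, and checks a requested scope against the PRM document so a discovery URL that leaks into the scope is caught before registration. The PRM document is constructed to match the one in the reproduction steps; function names are my own.

```python
from __future__ import annotations
from urllib.parse import urljoin, urlparse

# Constructed sample PRM document, identical to the one in the reproduction steps.
SAMPLE_PRM = {
    "resource": "http://localhost:9001",
    "scopes_supported": ["user"],
    "authorization_servers": ["http://localhost:9000"],
}


def prm_discovery_urls(server_url: str) -> list[str]:
    """Candidate Protected Resource Metadata URLs per RFC 9728 section 3.

    For a resource with a path, the path is inserted after the well-known
    segment; the root well-known URL is kept as a fallback.
    """
    parsed = urlparse(server_url)
    base_url = f"{parsed.scheme}://{parsed.netloc}"
    urls: list[str] = []
    if parsed.path and parsed.path != "/":
        urls.append(urljoin(base_url, f"/.well-known/oauth-protected-resource{parsed.path}"))
    urls.append(urljoin(base_url, "/.well-known/oauth-protected-resource"))
    return urls


def registration_scope(prm: dict) -> str | None:
    """Scope string for client registration, taken only from scopes_supported.

    Returns None when PRM advertises no scopes, so the caller omits the scope
    parameter instead of substituting an unrelated value such as a URL.
    """
    scopes = prm.get("scopes_supported")
    if not isinstance(scopes, list) or not scopes:
        return None
    if not all(isinstance(s, str) and s and " " not in s for s in scopes):
        raise ValueError("scopes_supported must contain non-empty, space-free tokens")
    return " ".join(scopes)


def scope_is_consistent(requested: str, prm: dict) -> bool:
    """True if every requested scope token is advertised by the PRM document.

    This is the check the authorization server effectively performed when it
    rejected the discovery URL; running it client-side fails fast and locally.
    """
    advertised = set(prm.get("scopes_supported") or [])
    if not advertised:
        return True  # nothing advertised, nothing to validate against
    return all(token in advertised for token in requested.split())
```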