OAuth: scope parameter missing from token exchange requests #941

@jeremyshi-ant

Issue Description

The MCP SDK's OAuth implementation does not include the scope parameter when making token exchange requests (authorization code for access token). This causes OAuth flows to fail with certain providers, particularly Microsoft Azure AD and other providers that require the scope parameter to be present in token requests.

Root Cause

When the SDK constructs the token request in the OAuth flow, it only includes the following parameters:

  • grant_type
  • code
  • redirect_uri
  • code_verifier
  • client_id (added via client authentication)

The scope parameter is missing, even though it was included in the initial authorization request.

Impact

This breaks OAuth integration with providers that require scope consistency between authorization and token requests, including:

  • Microsoft Azure AD / Entra ID
  • Potentially other enterprise OAuth providers

Expected Behavior

The SDK should include the same scope parameter in the token exchange request that was used in the authorization URL. This is recommended by OAuth 2.0 best practices and required by some providers.

Workaround

Currently, we're working around this by:

  1. Capturing the scope from the authorization URL
  2. Implementing a custom addClientAuthentication callback that manually adds the scope parameter
  3. Storing OAuth metadata that contains scope information

Suggested Fix

The SDK should:

  1. Store the scope used in the authorization request
  2. Automatically include it in the token exchange request
  3. Follow the OAuth 2.0 specification more strictly

Code Reference

The issue appears to be in how the SDK constructs token requests. The scope should be extracted from either:

  • The authorization URL parameters
  • The OAuth server metadata (scope or default_scope fields)
  • The client metadata

And then included in the token exchange POST body.

Related Standards

  • RFC 6749 Section 4.1.3 - Token exchange should include scope if different from default
  • Many providers (like Azure AD) require scope for proper token validation and consent verification

Environment

  • SDK Version: Latest (as of 2025-09-13)
  • Affected flow: Authorization Code Flow
  • Provider: Microsoft Azure AD (and potentially others)
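The scope handling this issue asks for, as an added example in plain JavaScript (not MCP SDK code): the scope is stored with the authorization request, repeated in the token exchange body, and the scope the provider grants is checked against what was requested. Endpoint, client id and scope strings are constructed values, and the function names are hypothetical.

```javascript
// Added example, not the MCP SDK's implementation: keep the authorization
// scope and carry it into the token exchange (authorization code for token).

// Build the authorization URL and return the scope alongside it so the
// caller can persist it next to the PKCE code_verifier.
function buildAuthorizationRequest({ authorizationEndpoint, clientId, redirectUri, scope, codeChallenge, state }) {
  const url = new URL(authorizationEndpoint);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("redirect_uri", redirectUri);
  url.searchParams.set("code_challenge", codeChallenge);
  url.searchParams.set("code_challenge_method", "S256");
  url.searchParams.set("state", state);
  if (scope) url.searchParams.set("scope", scope);
  return { url: url.toString(), scope };
}

// Workaround step 1 from the issue: recover the scope from a stored
// authorization URL if it was not persisted separately.
function scopeFromAuthorizationUrl(authorizationUrl) {
  return new URL(authorizationUrl).searchParams.get("scope") ?? "";
}

// Token exchange body (RFC 6749 section 4.1.3 parameters) that includes the
// same scope string sent in the authorization request.
function buildTokenExchangeBody({ code, redirectUri, codeVerifier, clientId, scope }) {
  const body = new URLSearchParams({
    grant_type: "authorization_code",
    code,
    redirect_uri: redirectUri,
    code_verifier: codeVerifier,
    client_id: clientId,
  });
  if (scope) body.set("scope", scope);
  return body;
}

// Client-side check on the token response (RFC 6749 section 5.1): a provider
// may grant fewer scopes than requested, but the client should reject a token
// carrying scopes it never asked for rather than silently using them.
function checkGrantedScope(requestedScope, tokenResponse) {
  const requested = new Set(requestedScope.split(/\s+/).filter(Boolean));
  // If the response omits scope, the granted scope is identical to the request.
  const granted = (tokenResponse.scope ?? requestedScope).split(/\s+/).filter(Boolean);
  const unexpected = granted.filter((s) => !requested.has(s));
  return { granted, unexpected, ok: unexpected.length === 0 };
}
```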

Labels: P2 (Moderate issues affecting some users, edge cases, potentially valuable feature), bug (Something isn't working), quick win