When Claude performs OAuth 2.0 Dynamic Client Registration, it does not include the scope client metadata parameter in the registration request body. Because our server then falls back to a permissive default, the client gets registered as allowed for all scopes, which is a security risk.
Current behavior (observed):
Registration request from Claude omits scope.
Our server registers the client with a broad default, effectively enabling all scopes.
Expected behavior:
Claude should include a scope value in the registration request, chosen using least privilege:
Discover scopes_supported from the protected resource metadata (/.well-known/oauth-protected-resource).
Request only the subset required for the intended operations (ideally progressive/just-in-time scoping).
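The following is an added illustration of both halves of this report, written for this issue and not taken from Claude's client or from our server. The client side reads scopes_supported from a constructed protected-resource metadata document, picks the minimal scope set for the operations it intends to perform (the operation-to-scope mapping is hypothetical), and includes that as the scope parameter of the registration body. The server side shows the permissive registration handler that causes the problem next to a hardened one that never widens an omitted scope to "everything". All hostnames are example values.

```python
import json
import secrets

# Constructed sample of a protected-resource metadata document; not from any real server.
PROTECTED_RESOURCE_METADATA = json.dumps({
    "resource": "https://mcp.example.test",
    "authorization_servers": ["https://auth.example.test"],
    "scopes_supported": ["files:read", "files:write", "admin"],
})

# Hypothetical mapping from the operations a client intends to perform to the scopes each one needs.
OPERATION_SCOPES = {
    "list_files": {"files:read"},
    "read_file": {"files:read"},
    "write_file": {"files:write"},
}


def discover_supported_scopes(metadata_json: str) -> list[str]:
    """Parse the protected-resource metadata and return the advertised scopes_supported."""
    metadata = json.loads(metadata_json)
    return list(metadata.get("scopes_supported", []))


def select_scopes(operations: list[str], supported: list[str]) -> list[str]:
    """Least-privilege selection: only the scopes the named operations need, and only if advertised."""
    needed: set[str] = set()
    for op in operations:
        if op not in OPERATION_SCOPES:
            raise ValueError(f"unknown operation: {op}")
        needed |= OPERATION_SCOPES[op]
    missing = needed - set(supported)
    if missing:
        raise ValueError(f"resource does not advertise required scopes: {sorted(missing)}")
    return sorted(needed)


def build_registration_request(redirect_uris: list[str], scopes: list[str]) -> dict:
    """Dynamic Client Registration body that explicitly carries a space-separated scope string."""
    return {
        "client_name": "example-client",
        "redirect_uris": redirect_uris,
        "grant_types": ["authorization_code"],
        "response_types": ["code"],
        "token_endpoint_auth_method": "none",
        "scope": " ".join(scopes),
    }


def register_client_permissive(request: dict, supported: list[str]) -> dict:
    """The problematic server behaviour: a missing scope silently becomes every supported scope."""
    scope = request.get("scope") or " ".join(supported)
    return {"client_id": secrets.token_urlsafe(16), "scope": scope}


def register_client_hardened(request: dict, supported: list[str],
                             default_scopes: tuple[str, ...] = ()) -> dict:
    """Hardened handler: an omitted scope yields a narrow configured default (empty by default),
    and any requested scope the resource does not support is rejected instead of ignored."""
    raw = request.get("scope")
    requested = list(default_scopes) if raw is None else raw.split()
    unknown = set(requested) - set(supported)
    if unknown:
        raise ValueError(f"unsupported scopes requested: {sorted(unknown)}")
    return {"client_id": secrets.token_urlsafe(16), "scope": " ".join(requested)}


if __name__ == "__main__":
    supported = discover_supported_scopes(PROTECTED_RESOURCE_METADATA)
    scopes = select_scopes(["list_files", "read_file"], supported)
    body = build_registration_request(["https://client.example.test/callback"], scopes)
    print("client sends:", json.dumps(body))
    print("permissive server, scope omitted:", register_client_permissive({}, supported)["scope"])
    print("hardened server, scope omitted:", repr(register_client_hardened({}, supported)["scope"]))
    print("hardened server, scope present:", register_client_hardened(body, supported)["scope"])
```

Run as a script to see the two server outcomes side by side: with the scope parameter omitted, the permissive handler grants "files:read files:write admin" while the hardened one grants nothing until the client asks; with the body built above, both register the client for files:read only.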