
fix: preserve client_metadata.scope if already set #2324

Closed
owendevereaux wants to merge 1 commit into modelcontextprotocol:main from owendevereaux:fix/preserve-client-metadata-scope

Conversation

@owendevereaux

Summary

Don't override client_metadata.scope if it was explicitly set by the client.

Problem

As reported in #2317, the scope selection strategy in async_auth_flow unconditionally overwrites any scope that was explicitly set by the client. This prevents clients from:

  • Requesting fewer permissions than available
  • Working with servers that reject requests for unauthorized scopes (e.g., Salesforce)

Solution

Made the scope assignment conditional:

# Step 3: Apply scope selection strategy (only if not already set)
if self.context.client_metadata.scope is None:
    self.context.client_metadata.scope = get_client_metadata_scopes(...)

This preserves the existing behavior when no scope is set, while respecting explicit scope configuration.

Testing

  • Existing tests continue to pass (scope is None by default)
  • Clients that explicitly set client_metadata.scope will now have that value preserved

Fixes #2317

Don't override the scope if it was explicitly set by the client.
This allows clients to:
- Request fewer permissions than available
- Work with servers that reject requests for unauthorized scopes

The scope selection strategy now only applies when scope is None.

Fixes modelcontextprotocol#2317
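
A minimal model of the two behaviours described in this PR, as an added example that is not code from the SDK or from this PR. `select_default_scope` is a hypothetical stand-in for `get_client_metadata_scopes(...)`, assumed here to request every advertised scope, and the scope names and `excess_scopes` helper are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Constructed sample: scopes the authorization server advertises.
ADVERTISED = ["read", "write", "admin"]


@dataclass
class ClientMetadata:
    """Stand-in for the client metadata object; scope is a space-delimited string."""
    scope: Optional[str] = None  # None means "the client did not choose a scope"


def select_default_scope(advertised: list[str]) -> str:
    """Hypothetical strategy (assumption): ask for everything the server advertises."""
    return " ".join(advertised)


def apply_scope_unconditional(meta: ClientMetadata, advertised: list[str]) -> str:
    """Behaviour reported in the issue: the strategy always overwrites the scope."""
    meta.scope = select_default_scope(advertised)
    return meta.scope


def apply_scope_preserving(meta: ClientMetadata, advertised: list[str]) -> str:
    """Behaviour proposed in the PR: the strategy runs only when scope is None."""
    if meta.scope is None:
        meta.scope = select_default_scope(advertised)
    return meta.scope


def excess_scopes(requested: str, intended: set[str]) -> set[str]:
    """Scopes that would be requested beyond what the client intended to ask for."""
    return set(requested.split()) - intended


if __name__ == "__main__":
    intended = {"read"}  # the client wants read-only access
    before = apply_scope_unconditional(ClientMetadata("read"), ADVERTISED)
    after = apply_scope_preserving(ClientMetadata("read"), ADVERTISED)
    print("unconditional:", before, "excess:", sorted(excess_scopes(before, intended)))
    print("preserving:   ", after, "excess:", sorted(excess_scopes(after, intended)))
    # The check is `is None`, so an explicitly empty scope string is also preserved.
    print("empty kept:   ", repr(apply_scope_preserving(ClientMetadata(""), ADVERTISED)))
```
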
@maxisbey
Contributor

Thanks for the PR! The linked issue (#2317) hasn't been triaged yet — per our CONTRIBUTING.md, please wait for maintainer feedback before starting work. Closing for now; feel free to reopen once the issue is labeled ready for work.

AI Disclaimer

@maxisbey maxisbey closed this Mar 24, 2026
Development

Successfully merging this pull request may close these issues.

Don't override client_metadata.scopes if they are already set

2 participants