fix(mcp): advertise scopes_supported in PRM so generic OAuth clients can log in#29
Closed
hookdump wants to merge 1 commit into
Closed
fix(mcp): advertise scopes_supported in PRM so generic OAuth clients can log in#29hookdump wants to merge 1 commit into
hookdump wants to merge 1 commit into
Conversation
Generic MCP OAuth clients (Claude.ai, ChatGPT, Claude Code) discover which scopes to request from the resource's RFC 9728 Protected Resource Metadata. The PRM omitted `scopes_supported`, so those clients began the authorization request with an empty scope set, which the authorization server rejects with "At least one scope is required" — blocking OAuth login entirely for every generic client. Only the SDK CLI was unaffected (it sends DEFAULT_SCOPES explicitly via `churnkey auth login`). Echo DEFAULT_SCOPES (the full supported set, matching the AS metadata's scopes_supported) from the PRM so clients know what to request. Add a regression test asserting the live PRM advertises scopes. This affects prod (mcp.churnkey.co) and dev (mcp-dev.churnkey.co) identically — both PRMs were missing the field. Claude-Session: https://claude.ai/code/session_01HJRLEbMuREpbVfyNeMoP6h
Contributor
Author
|
Superseded by #25 — the fix is folded into the reslice PR as commit |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What & why
Generic MCP OAuth clients (Claude.ai, ChatGPT, Claude Code) discover which scopes to request from the resource's RFC 9728 Protected Resource Metadata (PRM). Our PRM omitted
scopes_supported, so those clients begin the authorization request with an empty scope set — and the authorization server rejects that with "At least one scope is required", blocking OAuth login entirely.Only the SDK CLI (
churnkey auth login) was unaffected, because it sendsDEFAULT_SCOPESexplicitly.Confirmed against live metadata
https://mcp.churnkey.co/.well-known/oauth-protected-resource→{ resource, authorization_servers, bearer_methods_supported, resource_documentation }— noscopes_supportedhttps://api.churnkey.co/.well-known/oauth-authorization-server→scopes_supported= 23 scopes (healthy)churnkey-apioauth.controller.jsvalidateAuthorizeParams(empty scope →BadRequest)This affects prod (
mcp.churnkey.co) and dev (mcp-dev.churnkey.co) identically — both PRMs were missing the field. Any generic client hitting either environment fails the same way.The fix
Echo
DEFAULT_SCOPES(the full supported set, matching the AS metadata'sscopes_supported) from the PRM so clients know what to request. One import + one field.Testing
179/179@churnkey/mcptests pass; typecheck clean.scopes_supported.Deploy
The PRM is served by the hosted HTTP server on Elastic Beanstalk, built from this repo (not npm). After merge:
ops/mcp/deploy-mcp.sh devops/mcp/deploy-mcp.sh prodNotes
Standalone hotfix — not part of the MCP reslice stack (the PRM code merged earlier via #24). Discovered while QA-ing the MCP feature end-to-end against dev: the OAuth login itself was broken for the Claude Code client.
https://claude.ai/code/session_01HJRLEbMuREpbVfyNeMoP6h