Skip to content

fix(mcp): advertise scopes_supported in PRM so generic OAuth clients can log in#29

Closed
hookdump wants to merge 1 commit into
mainfrom
fix/mcp-prm-scopes-supported
Closed

fix(mcp): advertise scopes_supported in PRM so generic OAuth clients can log in#29
hookdump wants to merge 1 commit into
mainfrom
fix/mcp-prm-scopes-supported

Conversation

@hookdump

@hookdump hookdump commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

What & why

Generic MCP OAuth clients (Claude.ai, ChatGPT, Claude Code) discover which scopes to request from the resource's RFC 9728 Protected Resource Metadata (PRM). Our PRM omitted scopes_supported, so those clients begin the authorization request with an empty scope set — and the authorization server rejects that with "At least one scope is required", blocking OAuth login entirely.

Only the SDK CLI (churnkey auth login) was unaffected, because it sends DEFAULT_SCOPES explicitly.

Confirmed against live metadata

  • PRM https://mcp.churnkey.co/.well-known/oauth-protected-resource{ resource, authorization_servers, bearer_methods_supported, resource_documentation }no scopes_supported
  • AS https://api.churnkey.co/.well-known/oauth-authorization-serverscopes_supported = 23 scopes (healthy)
  • Rejection thrown in churnkey-api oauth.controller.js validateAuthorizeParams (empty scope → BadRequest)

This affects prod (mcp.churnkey.co) and dev (mcp-dev.churnkey.co) identically — both PRMs were missing the field. Any generic client hitting either environment fails the same way.

The fix

Echo DEFAULT_SCOPES (the full supported set, matching the AS metadata's scopes_supported) from the PRM so clients know what to request. One import + one field.

Testing

  • 179/179 @churnkey/mcp tests pass; typecheck clean.
  • New regression test boots the real HTTP server and asserts the live PRM advertises scopes_supported.

Deploy

The PRM is served by the hosted HTTP server on Elastic Beanstalk, built from this repo (not npm). After merge:

  • dev: ops/mcp/deploy-mcp.sh dev
  • prod: ops/mcp/deploy-mcp.sh prod

Notes

Standalone hotfix — not part of the MCP reslice stack (the PRM code merged earlier via #24). Discovered while QA-ing the MCP feature end-to-end against dev: the OAuth login itself was broken for the Claude Code client.

https://claude.ai/code/session_01HJRLEbMuREpbVfyNeMoP6h

Generic MCP OAuth clients (Claude.ai, ChatGPT, Claude Code) discover which
scopes to request from the resource's RFC 9728 Protected Resource Metadata.
The PRM omitted `scopes_supported`, so those clients began the authorization
request with an empty scope set, which the authorization server rejects with
"At least one scope is required" — blocking OAuth login entirely for every
generic client. Only the SDK CLI was unaffected (it sends DEFAULT_SCOPES
explicitly via `churnkey auth login`).

Echo DEFAULT_SCOPES (the full supported set, matching the AS metadata's
scopes_supported) from the PRM so clients know what to request. Add a
regression test asserting the live PRM advertises scopes.

This affects prod (mcp.churnkey.co) and dev (mcp-dev.churnkey.co) identically
— both PRMs were missing the field.

Claude-Session: https://claude.ai/code/session_01HJRLEbMuREpbVfyNeMoP6h
@hookdump

hookdump commented Jul 2, 2026

Copy link
Copy Markdown
Contributor Author

Superseded by #25 — the fix is folded into the reslice PR as commit a696bde (same change, cherry-picked onto reslice/mcp-2-tools). Keeping the MCP OAuth login fix together with the reslice per review preference. Server-side companion remains churnkey-api#928.

@hookdump hookdump closed this Jul 2, 2026
@hookdump hookdump deleted the fix/mcp-prm-scopes-supported branch July 2, 2026 16:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant