Bug
When using a remote MCP server with OAuth and a pre-registered clientId, setting scope in the config has no effect. The authorization request is sent with no scope parameter, causing IdPs like Okta to reject with invalid_scope: No scopes were requested.
Root cause
McpOAuthProvider.clientMetadata does not include scope. The MCP TypeScript SDK uses clientMetadata.scope as its last-resort fallback when neither the WWW-Authenticate header nor Protected Resource Metadata advertise scopes. Since it is absent, the authorization URL omits the scope entirely.
Expected
Setting scope: "openid offline_access" in the oauth config should result in that scope being sent in the authorization URL.
Secondary issue
The callback port is hardcoded to 19876 with no way to change it without specifying a full redirectUri. A callbackPort shorthand would let users register a specific port with their IdP without constructing the full URI.
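The fallback order described under "Root cause", as an added TypeScript sketch that is not the MCP SDK's or the project's own code. All function and type names, the IdP endpoint, the client id and the callback path are constructed for illustration, and joining advertised scopes with a space is an assumption.

```typescript
// Added illustration of the scope fallback the issue describes. Hypothetical names throughout.
interface ScopeSources {
  wwwAuthenticateScope?: string;      // scope advertised in the WWW-Authenticate header
  resourceScopesSupported?: string[]; // scopes advertised by Protected Resource Metadata
  clientMetadataScope?: string;       // clientMetadata.scope, the last-resort fallback
}

// Returns the scope to request, or undefined when no source supplies one.
function resolveScope(s: ScopeSources): string | undefined {
  if (s.wwwAuthenticateScope) return s.wwwAuthenticateScope;
  if (s.resourceScopesSupported && s.resourceScopesSupported.length > 0) {
    return s.resourceScopesSupported.join(" "); // assumption: space-delimited list
  }
  return s.clientMetadataScope || undefined;
}

// Builds the authorization request URL (state and PKCE parameters left out for brevity).
function buildAuthorizationUrl(endpoint: string, clientId: string,
                               redirectUri: string, s: ScopeSources): string {
  const params: [string, string][] = [
    ["response_type", "code"],
    ["client_id", clientId],
    ["redirect_uri", redirectUri],
  ];
  const scope = resolveScope(s);
  if (scope !== undefined) params.push(["scope", scope]); // omitted when nothing resolved
  const query = params
    .map(([k, v]) => encodeURIComponent(k) + "=" + encodeURIComponent(v))
    .join("&");
  return endpoint + "?" + query;
}

// Constructed sample: the server advertises no scopes, as in the report.
function demo(): { before: string; after: string } {
  const endpoint = "https://idp.example/oauth2/v1/authorize"; // constructed
  const redirect = "http://127.0.0.1:19876/callback";         // port from the issue, path constructed
  const configScope = "openid offline_access";                // scope set in the oauth config
  return {
    // Reported behaviour: config scope never reaches clientMetadata, so no scope is sent.
    before: buildAuthorizationUrl(endpoint, "constructed-client-id", redirect, {}),
    // Expected behaviour: config scope is copied into clientMetadata.scope.
    after: buildAuthorizationUrl(endpoint, "constructed-client-id", redirect,
                                 { clientMetadataScope: configScope }),
  };
}
```

A check on the outgoing request for a `scope` parameter before the browser is opened catches this class of misconfiguration earlier than the IdP's `invalid_scope` error does.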