OAuth2: Protected-resource URL passed as scope instead of parsed scope
Initial Checks
- I confirm that I'm using the latest version of MCP Python SDK
- I confirm that I searched for my issue in https://github.com/modelcontextprotocol/python-sdk/issues before opening this issue
Description
I noticed that the scope parameter is being set to the OAuth protected-resource URL instead of the parsed scope (or None when no scope is provided).
After inspecting the code, it seems the URL is passed directly as the scope here:
```python
self.context.client_metadata.scope = get_client_metadata_scopes(
    www_auth_resource_metadata_url,
    self.context.protected_resource_metadata,
    self.context.oauth_metadata,
)
```
This results in an incorrect scope value being propagated during OAuth2 authentication.
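
The distinction reported above, as an added example that is not part of the original issue and is not the SDK's code: in a Bearer challenge, `resource_metadata` and `scope` are separate parameters, and only the latter belongs in the authorization request. The helper names, the sample headers and the `rs.example` host are assumptions made for illustration.

```python
import re

# Constructed sample challenges, not captured from a real server.
PRM_URL = "https://rs.example/.well-known/oauth-protected-resource"
CHALLENGE_WITH_SCOPE = f'Bearer resource_metadata="{PRM_URL}", scope="files:read files:write"'
CHALLENGE_NO_SCOPE = f'Bearer resource_metadata="{PRM_URL}"'

# Matches name="quoted value" or name=token
_PARAM = re.compile(r'([A-Za-z_][\w-]*)\s*=\s*(?:"([^"]*)"|([^\s,]+))')


def parse_challenge(header):
    """Return the auth-params of a Bearer challenge as a dict (hypothetical helper)."""
    scheme, _, rest = header.partition(" ")
    if scheme.lower() != "bearer":
        return {}
    return {
        m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
        for m in _PARAM.finditer(rest)
    }


def scope_from_challenge(header):
    """Parsed scope string, or None when the challenge carries no scope."""
    return parse_challenge(header).get("scope") or None


def url_as_scope(header):
    """The behaviour the issue describes: the metadata URL is used as the scope."""
    return parse_challenge(header).get("resource_metadata")


def authorization_params(scope, prm_url, client_id="example-client"):
    """Build authorization request parameters, omitting scope when it is None."""
    # Regression guard: the scope must never be the protected-resource metadata URL.
    if scope is not None and scope == prm_url:
        raise ValueError("protected-resource metadata URL used as scope")
    params = {"response_type": "code", "client_id": client_id}
    if scope is not None:
        params["scope"] = scope
    return params
```
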