[BUG] OAuth authorization for HTTP MCP servers missing required scope parameter
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
When Claude Code initiates an OAuth 2.0 authorization flow for HTTP MCP servers, it fails to include the scope parameter in the authorization URL, even though the MCP server's _.well-known/oauth-protected-resource_ endpoint explicitly declares _scopes_supported_.
Response from well-known/oauth-protected-resource:
{
"resource": "https://mary-supersphenoid-michal.ngrok-free.dev/",
"authorization_servers": [
"https://pf.ngrok.dev/"
],
"scopes_supported": [
"agentREAD"
],
"bearer_methods_supported": [
"header"
]
}
Current Authorization URL (missing scope): https://pf.ngrok.dev/as/authorization.oauth2?response_type=code&client_id=dc-spxo8ed5qfqokkj0k8d2jxxdl&code_challenge=I0Dl8u2abviCIrkt9UUe9R9ZEni6L_4qaSaP_yieN0k&code_challenge_method=S256&redirect_uri=http%3A%2F%2Flocalhost%3A49962%2Fcallback&state=h_igddrux1NNvbYUb5ZIFipUUsQhsnIxNYTYzRNR98g&resource=https%3A%2F%2Fmary-supersphenoid-michal.ngrok-free.dev%2F
Note: No scope parameter is present.
What Should Happen?
According to OAuth 2.0 RFC 9470 (Resource Indicators) and the MCP specification, when a client discovers scopes from the resource's metadata endpoint, it should include the scope parameter in the authorization request.
Expected Authorization URL (with scope): https://pf.ngrok.dev/as/authorization.oauth2?response_type=code&client_id=dc-spxo8ed5qfqokkj0k8d2jxxdl&code_challenge=...&code_challenge_method=S256&redirect_uri=http%3A%2F%2Flocalhost%3A49962%2Fcallback&state=...&resource=https%3A%2F%2Fmary-supersphenoid-michal.ngrok-free.dev%2F&scope=agentREAD
The &scope=agentREAD parameter should be appended based on the scopes_supported from the well-known endpoint.
MCP Server Configuration
{
"agentPattern": {
"type": "http",
"url": "https://mary-supersphenoid-michal.ngrok-free.dev/mcp",
"env": {
"SCOPE": "agentREAD"
}
}
}
Error Messages/Logs
Steps to Reproduce
- Set up an HTTP MCP server with OAuth that returns the following from /.well-known/oauth-protected-resource:
{
"resource": "https://mary-supersphenoid-michal.ngrok-free.dev/",
"authorization_servers": ["https://pf.ngrok.dev/"],
"scopes_supported": ["agentREAD"],
"bearer_methods_supported": ["header"]
}
- Add the MCP server to Claude Code:
claude mcp add --transport http agentPattern https://mary-supersphenoid-michal.ngrok-free.dev/mcp
- Trigger OAuth authentication by either:
- Starting Claude Code and allowing it to connect to the MCP server, OR
- Running /mcp and manually triggering authentication
- Observe the OAuth authorization URL in your browser or authorization server logs
- Verify the bug: The URL will be missing the scope parameter entirely, even though scopes_supported was declared in the well-known endpoint
Claude Model
Not sure / Multiple models
Is this a regression?
No, this never worked
Last Working Version
_No response_
Claude Code Version
2.0.3
Platform
Anthropic API
Operating System
Windows
Terminal/Shell
WSL (Windows Subsystem for Linux)
Additional Information
Additional Context
- The env.SCOPE field in the MCP configuration is not used for HTTP servers (it's only applicable for stdio
servers)
- This appears to be a gap in Claude Code's OAuth client implementation when interacting with HTTP MCP servers
- The issue prevents proper authorization when the authorization server requires explicit scope declaration
Environment
- Claude Code Version: 2.0.30 (based on .claude.json)
- Platform: Linux (WSL2)
- OS Version: Linux 6.6.87.2-microsoft-standard-WSL2
- MCP Server Type: HTTP with OAuth
This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗