Description
Describe the bug
The MCP Server and the MCP Client both can support seamless authentication. When 401 is returned from the initialize method, the MCP Client should start the authentication process based on .well-known/oauth-authorization-server information provided by the MCP Server.
So, when you click the 'Connect' button, the process starts automatically for both MCP Inspector v0.13.0 and MCP Inspector v0.15.0 - so far, so good.
However, the auto-generated authorization URL doesn't contain the scope parameter.
Interestingly, the same Authorization URL works fine when you click through the OAuth Flow Progress.
To Reproduce
Steps to reproduce the behavior:
- Make sure you are not authorized, i.e., logged out from your MCP Server identity provider
- Run the MCP Inspector. You can run it using either the npm run dev or the npx @modelcontextprotocol/inspector command
- Set the "Transport type" to "Streamable HTTP"
- Set the URL to your MCP Server URL that supports OAuth2 and has .well-known/oauth-authorization-server available with all needed information (example below)
- Make sure the "Authentication" section is empty (both "Header name" and "Bearer token" must be empty)
- Click the "Connect" button
Expected behavior
You should be redirected, with the correct Authorization URL, which includes the scope param, to your OAuth2 provider.
Current behavior
The Authorization URL doesn't contain the scope param, and the OAuth2 server responded with an error.
Logs
The Authorization URL generated after clicking the "Connect" button: http://127.0.0.1:8000/authorize?response_type=code&client_id=9ed91b21...&code_challenge=Q6K8awQ9BXphBgtQe86_VAjs-SrEwN22hEEcJlTL7TY&code_challenge_method=S256&redirect_uri=http%3A%2F%2Flocalhost%3A6274%2Foauth%2Fcallback&resource=http%3A%2F%2F127.0.0.1%3A8080%2Fmcp
The Authorization URL generated using OAuth Flow Progress: http://127.0.0.1:8000/authorize?response_type=code&client_id=1b6f4000-...&code_challenge=ndaPMzUez3XpKYnfpOvwF_9xmQC4q-STkqx82Ujsgl8&code_challenge_method=S256&redirect_uri=http%3A%2F%2Flocalhost%3A6274%2Foauth%2Fcallback%2Fdebug&scope=openid+profile+email+mcp.read+mcp.write&resource=http%3A%2F%2F127.0.0.1%3A8080%2Fmcp
.well-known/oauth-authorization-server information:
return {
    "issuer": base_url,
    "registration_endpoint": f"{base_url}/register",
    "authorization_endpoint": f"{base_url}/authorize",
    "token_endpoint": f"{base_url}/token",
    "introspection_endpoint": f"{base_url}/introspect",
    "revocation_endpoint": f"{base_url}/revoke",
    "scopes_supported": ["openid", "profile", "email", "mcp.read", "mcp.write"],
    "scope": ["openid", "mcp.read", "mcp.write"],
    "default_scopes": ["openid", "mcp.read"],
    "response_types_supported": ["code", "token"],
    "grant_types_supported": ["authorization_code", "refresh_token", "client_credentials"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
    "service_documentation": "https://127.0.0.1:8000/docs",
    "userinfo_endpoint": f"{base_url}/userinfo",
    "jwks_uri": f"{base_url}/.well-known/jwks.json",
    "code_challenge_methods_supported": ["S256"]
}
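
An added example, not part of the original report and not MCP Inspector code: a small check that audits the two URLs from the Logs section against the server metadata and shows that only the "Connect" URL lacks scope, plus a builder that always sends one. The function names, the fallback to scopes_supported, and the authorization_endpoint value (inferred from the logged URLs) are assumptions.

```javascript
// Added example, not MCP Inspector code. Uses only the built-in URL class.
const REQUIRED = ["response_type", "client_id", "code_challenge",
  "code_challenge_method", "redirect_uri"];

// List what is wrong with an authorization URL, judged against the metadata.
function auditAuthorizationUrl(authUrl, metadata) {
  const url = new URL(authUrl);
  const q = url.searchParams;
  const findings = [];
  if (url.origin + url.pathname !== metadata.authorization_endpoint) {
    findings.push("endpoint differs from authorization_endpoint");
  }
  for (const name of REQUIRED) {
    if (!q.get(name)) findings.push(`missing ${name}`);
  }
  const scope = q.get("scope"); // URLSearchParams decodes "+" to a space
  if (!scope) {
    findings.push("missing scope");
  } else {
    const supported = metadata.scopes_supported || [];
    const unknown = scope.split(" ").filter((s) => !supported.includes(s));
    if (unknown.length) findings.push(`unsupported scope: ${unknown.join(" ")}`);
  }
  return findings;
}

// Build the request. Assumption of this sketch: when the caller passes no
// scope, fall back to everything in scopes_supported.
function buildAuthorizationUrl(metadata, p) {
  const url = new URL(metadata.authorization_endpoint);
  const scope = p.scope || (metadata.scopes_supported || []).join(" ");
  const fields = { response_type: "code", client_id: p.clientId,
    code_challenge: p.codeChallenge, code_challenge_method: "S256",
    redirect_uri: p.redirectUri, scope, resource: p.resource };
  for (const [k, v] of Object.entries(fields)) if (v) url.searchParams.set(k, v);
  return url.toString();
}

// Metadata subset from the report; endpoint inferred from the logged URLs.
const METADATA = {
  authorization_endpoint: "http://127.0.0.1:8000/authorize",
  scopes_supported: ["openid", "profile", "email", "mcp.read", "mcp.write"],
};
// The two URLs from the Logs section, client_id truncated as in the report.
const CONNECT_URL = "http://127.0.0.1:8000/authorize?response_type=code&client_id=9ed91b21...&code_challenge=Q6K8awQ9BXphBgtQe86_VAjs-SrEwN22hEEcJlTL7TY&code_challenge_method=S256&redirect_uri=http%3A%2F%2Flocalhost%3A6274%2Foauth%2Fcallback&resource=http%3A%2F%2F127.0.0.1%3A8080%2Fmcp";
const DEBUG_URL = "http://127.0.0.1:8000/authorize?response_type=code&client_id=1b6f4000-...&code_challenge=ndaPMzUez3XpKYnfpOvwF_9xmQC4q-STkqx82Ujsgl8&code_challenge_method=S256&redirect_uri=http%3A%2F%2Flocalhost%3A6274%2Foauth%2Fcallback%2Fdebug&scope=openid+profile+email+mcp.read+mcp.write&resource=http%3A%2F%2F127.0.0.1%3A8080%2Fmcp";

console.log(auditAuthorizationUrl(CONNECT_URL, METADATA));
console.log(auditAuthorizationUrl(DEBUG_URL, METADATA));
```

Passing an explicit, narrower scope to buildAuthorizationUrl is preferable to the fallback wherever the client knows which permissions it needs.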