Skip to content

fix: validate_scope treats None registered scopes as no restrictions#2224

Closed
shivama205 wants to merge 2 commits into
modelcontextprotocol:mainfrom
shivama205:fix/validate-scope-none-scopes
Closed

fix: validate_scope treats None registered scopes as no restrictions#2224
shivama205 wants to merge 2 commits into
modelcontextprotocol:mainfrom
shivama205:fix/validate-scope-none-scopes

Conversation

@shivama205
Copy link
Copy Markdown
Contributor

@shivama205 shivama205 commented Mar 6, 2026

Summary

  • OAuthClientMetadata.validate_scope() incorrectly treated self.scope = None (no scopes registered) as an empty allowed list, rejecting all requested scopes with InvalidScopeError
  • Now None is correctly treated as "no restrictions", allowing any requested scope through

Closes #2216

Changes

  • Modified: src/mcp/shared/auth.py — early return when self.scope is None instead of converting to empty list
  • Modified: tests/shared/test_auth.py — added 6 unit tests for validate_scope covering None/matching/rejection/empty cases

Test plan

  • All 9 shared auth tests pass (3 existing + 6 new)
  • All 42 auth integration tests pass (including test_authorize_invalid_scope)
  • ruff check passes
  • ruff format passes
  • pyright passes with 0 errors

fix: validate_scope treats None registered scopes as no restrictions
d6bd5eb 
When a client was registered without specific scopes (scope=None),
validate_scope() converted None to an empty list, causing all
requested scopes to be rejected with InvalidScopeError. Now None
is correctly treated as "no restrictions", allowing any scope.

Closes modelcontextprotocol#2216
@shivama205 shivama205 force-pushed the fix/validate-scope-none-scopes branch from 49f7dec to d6bd5eb Compare March 6, 2026 04:00
@shivama205
Copy link
Copy Markdown
Contributor Author

shivama205 commented Mar 6, 2026
edited
Loading

CI is green — the only failure is test (3.14, locked, windows-latest) which is a flaky Windows/Python 3.14 issue (test_basic_child_process_cleanup and test_request_cancellation), unrelated to this change.

@Kludex @maxisbey please help to review when you get a chance.

@maxisbey maxisbey added bug Something isn't working auth Issues and PRs related to Authentication / OAuth P2 Moderate issues affecting some users, edge cases, potentially valuable feature labels Mar 6, 2026
@shivama205 shivama205 mentioned this pull request Mar 8, 2026
Open
2 tasks
Jah-yee pushed a commit to Jah-yee/python-sdk that referenced this pull request Mar 13, 2026
fix: validate_scope treats None registered scopes as no restrictions
45b6f28 
When self.scope is None (no scopes registered), the validate_scope method
incorrectly treated it as an empty allowed list, rejecting all requested
scopes with InvalidScopeError. Now None is correctly treated as 'no
restrictions', allowing any requested scope through.

Fixes modelcontextprotocol#2216
Closes modelcontextprotocol#2224
@maxisbey maxisbey mentioned this pull request Mar 17, 2026
Draft
8 tasks
@maxisbey maxisbey mentioned this pull request Mar 24, 2026
Closed
@Christian-Sidak Christian-Sidak mentioned this pull request Apr 12, 2026
Closed
@maxisbey
Copy link
Copy Markdown
Contributor

maxisbey commented May 18, 2026

Closing — superseded by #2301, which removes the registration-scope check entirely (it breaks the spec's step-up authorization flow). Thanks for the analysis on the issue, which fed into that direction.

AI Disclaimer

@maxisbey maxisbey closed this May 18, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

auth Issues and PRs related to Authentication / OAuth bug Something isn't working P2 Moderate issues affecting some users, edge cases, potentially valuable feature

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Bug: validate_scope rejects client scopes when required scopes in None

2 participants

@shivama205 @maxisbey