Closed
Labels
auth (Issues and PRs related to authorization), bug (Something isn't working), p1-high (High priority - should be addressed soon)
Description
Describe the bug
When clicking the "Connect" button, I get directed to the following URL:
http://localhost:7788/authorize?response_type=code&client_id=Rij0zh4k25bDqoEK&code_challenge=BsNpWG9XLzR5yzX3oUh8gjgO2njve1ZBujPl_u7LxHk&code_challenge_method=S256&redirect_uri=http%3A%2F%2Flocalhost%3A8079%2Foauth%2Fcallback&resource=http%3A%2F%2Flocalhost%3A60079%2Fmcp
When clicking the "Quick Auth Flow" button, I get directed to the following URL:
http://localhost:7788/authorize?response_type=code&client_id=M7zNX0l9922ofiCL&code_challenge=yGWrmL0UFvSYLTgP-gba5aoenaMJmAfXie-3EGMGQh8&code_challenge_method=S256&redirect_uri=http%3A%2F%2Flocalhost%3A8079%2Foauth%2Fcallback%2Fdebug&scope=read+write&resource=http%3A%2F%2Flocalhost%3A60079%2Fmcp
Here's a more clear diff view of those URLs:
http://localhost:7788/authorize?
response_type=code
client_id=M7zNX0l9922ofiCL
code_challenge=yGWrmL0UFvSYLTgP-gba5aoenaMJmAfXie-3EGMGQh8
code_challenge_method=S256
redirect_uri=http%3A%2F%2Flocalhost%3A8079%2Foauth%2Fcallback%2Fdebug
+ scope=read+write
resource=http%3A%2F%2Flocalhost%3A60079%2Fmcp

(note, the client_id, code_challenge, and redirect_uri are also different, but I don't see that as being an issue).
The particular bother for me is the lack of scope when clicking "Connect"
To Reproduce
Steps to reproduce the behavior:
- Have an MCP server that includes scope as part of the WWW-Authenticated header, scopes_supported in the resource server metadata (e.g. /.well-known/oauth-protected-resource/mcp), and scopes_supported in the authorization server metadata (e.g. /.well-known/oauth-authorization-server).
- Click "Connect" and notice the lack of scope
- Click "Quick Auth Flow" (or go through it manually) and notice the presence of scope.
Expected behavior
I expect them to be the same (and prefer them to use the scope specified).
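The URL comparison from the report can be scripted as a regression check. This is an added example, not code from the issue or from the project; the helper names and the set of parameters expected to differ are assumptions, and the two URLs are the ones quoted in the report above.

```javascript
// The two authorization requests quoted in the issue.
const CONNECT_URL =
  "http://localhost:7788/authorize?response_type=code&client_id=Rij0zh4k25bDqoEK&code_challenge=BsNpWG9XLzR5yzX3oUh8gjgO2njve1ZBujPl_u7LxHk&code_challenge_method=S256&redirect_uri=http%3A%2F%2Flocalhost%3A8079%2Foauth%2Fcallback&resource=http%3A%2F%2Flocalhost%3A60079%2Fmcp";
const QUICK_AUTH_URL =
  "http://localhost:7788/authorize?response_type=code&client_id=M7zNX0l9922ofiCL&code_challenge=yGWrmL0UFvSYLTgP-gba5aoenaMJmAfXie-3EGMGQh8&code_challenge_method=S256&redirect_uri=http%3A%2F%2Flocalhost%3A8079%2Foauth%2Fcallback%2Fdebug&scope=read+write&resource=http%3A%2F%2Flocalhost%3A60079%2Fmcp";

// Assumption: these values legitimately vary per flow (the report says
// their differences are not the problem), so they are excluded.
const EXPECTED_TO_DIFFER = new Set(["client_id", "code_challenge", "redirect_uri"]);

// Hypothetical helper: decoded value of a parameter, or null when absent.
// scope is a space-delimited set, so its order is normalised before comparing.
function normalize(params, key) {
  if (!params.has(key)) return null;
  const value = params.getAll(key).join(" ");
  if (key !== "scope") return value;
  return value.split(/\s+/).filter(Boolean).sort().join(" ");
}

// Hypothetical helper: parameters that are missing from one request or that
// carry different values, as { param, a, b } entries sorted by name.
function diffAuthorizeParams(urlA, urlB) {
  const a = new URL(urlA).searchParams;
  const b = new URL(urlB).searchParams;
  const keys = [...new Set([...a.keys(), ...b.keys()])].sort();
  return keys
    .filter((key) => !EXPECTED_TO_DIFFER.has(key))
    .map((key) => ({ param: key, a: normalize(a, key), b: normalize(b, key) }))
    .filter((entry) => entry.a !== entry.b);
}

console.log(diffAuthorizeParams(CONNECT_URL, QUICK_AUTH_URL));
```

An empty result means both entry points send equivalent authorization requests; here the only entry is scope, absent from the "Connect" request.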