
Fix validate_scope rejecting scopes when client scope is None #2461

Open
Christian-Sidak wants to merge 1 commit into modelcontextprotocol:main from Christian-Sidak:fix/validate-scope-none-check

@Christian-Sidak

Summary

  • OAuthClientMetadata.validate_scope() incorrectly treated scope=None (no registered scopes) as an empty allowed list, rejecting all requested scopes with InvalidScopeError
  • Added an early return when self.scope is None to treat it as "no restrictions", allowing any requested scope through
  • Added comprehensive tests for validate_scope covering the None case, valid subsets, exact matches, and invalid scope rejection

Fixes #2216

When OAuthClientMetadata.scope is None (no scopes registered),
validate_scope() was converting it to an empty list, causing all
requested scopes to be rejected with InvalidScopeError. Now treats
None as "no restrictions" and allows any requested scope through.

Fixes modelcontextprotocol#2216
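
A standalone model of the behaviour change described above, added here as an example; it is not the SDK's code or this PR's diff. The function names, the space-separated scope strings and the sample scope values are assumptions, and the four cases follow the test list in the summary.

```python
class InvalidScopeError(Exception):
    """Stand-in for the error type named in the PR description."""


def _check(wanted, allowed):
    # Reject the request if any requested scope is outside the allow-list.
    for scope in wanted:
        if scope not in allowed:
            raise InvalidScopeError(f"scope not registered for client: {scope}")
    return wanted


def validate_scope_before(registered, requested):
    """Described bug: registered=None is turned into an empty allow-list."""
    allowed = [] if registered is None else registered.split()
    return _check(requested.split(), allowed)


def validate_scope_after(registered, requested):
    """Described fix: registered=None means no restrictions (early return)."""
    wanted = requested.split()
    if registered is None:
        return wanted
    return _check(wanted, registered.split())


def outcome(fn, registered, requested):
    """Return 'ok' or 'rejected' so both versions can be compared per case."""
    try:
        fn(registered, requested)
        return "ok"
    except InvalidScopeError:
        return "rejected"


# Constructed cases: (name, registered client scope, requested scope).
CASES = [
    ("None registered", None, "read write"),
    ("valid subset", "read write admin", "read"),
    ("exact match", "read write", "read write"),
    ("invalid scope", "read", "read admin"),
]

if __name__ == "__main__":
    for name, registered, requested in CASES:
        before = outcome(validate_scope_before, registered, requested)
        after = outcome(validate_scope_after, registered, requested)
        print(f"{name:16} before={before:9} after={after}")
```

Only the first case changes between the two versions. With the fix, a client registered without scopes is unrestricted at this check, so any scope limit has to be registered explicitly or enforced elsewhere.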

Development

Successfully merging this pull request may close these issues.

Bug: validate_scope rejects client scopes when required scopes in None
