Skill

oauth-scopes-handling

Handles OAuth scope discovery and negotiation in MCP clients using WWW-Authenticate headers and Protected Resource Metadata. Useful when building or reviewing MCP client authorization flows.

Oauth

security

authentication

npx claudepluginhub redhatproductsecurity/prodsec-skills --plugin prodsec-skills

Popularity

Stars

Forks

Invocation

How this skill is triggered — by the user, by Claude, or both

Slash command

/prodsec-skills:oauth-scopes-handling

User invocable

Model invocable

Inline context

Default effort

Context Preview

The summary Claude sees in its skill listing — used to decide when to auto-load this skill

MCP clients MUST discover and use OAuth scopes from the WWW-Authenticate header or Protected Resource Metadata when authenticating to MCP servers. Scopes define the permissions the client is requesting and MUST be handled as follows:

SKILL.md

48 lines · ~562 tokens

Similar Skills

mcp-client-protected-resource-metadata

Enforces OAuth 2.0 Protected Resource Metadata (RFC 9728) in MCP clients for authorization server discovery. Use when building or reviewing MCP client authentication flows.

prodsec-skills

api-auth

101

Implements auth scopes on tools/resources and configures auth modes (none/jwt/oauth) for `@cyanheads/mcp-ts-core`. Use when adding declarative or dynamic authorization to MCP handlers.

pubmed-mcp-server

mcp-oauth-setup

Implements MCP server authentication using OAuth dynamic client registration (RFC 7591/8414), PKCE, bearer tokens, and API keys for admin UIs. Supports per-agent credentials, metadata discovery, token exchange, and tool sync for providers like Linear, Sentry.

4 files

majestic-rails

Stats

LanguagePython

Stars34

Forks3

MaintenanceExcellent

Last CommitMay 26, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Stats

Actions

Help us improve

Share bugs, ideas, or general feedback.

OAuth Scopes Handling in MCP Clients

Security Requirement

Scope Discovery Priority

WWW-Authenticate header: If the MCP client receives a scope parameter in the WWW-Authenticate header of a 401 response, it MUST use those scopes.

Protected Resource Metadata: If no scope is provided in the 401 response, check scopes_supported in the Protected Resource Metadata (PRM) document.

Flow

1. MCP client attempts to access MCP server resource 2. MCP server returns 401 Unauthorized with: WWW-Authenticate: Bearer realm="mcp", scope="tools:read tools:execute" 3. MCP client extracts scope from WWW-Authenticate header → If scope present: use those scopes for authorization request → If scope absent: fetch PRM and use scopes_supported 4. MCP client requests authorization with the discovered scopes

Example: WWW-Authenticate with Scope

HTTP/1.1 401 Unauthorized WWW-Authenticate: Bearer realm="mcp-server", scope="tools:read tools:execute resources:read"

The client should request exactly these scopes (or a subset) from the authorization server.

Implementation Checklist

Parse scope parameter from WWW-Authenticate header on 401 responses

Fall back to scopes_supported from Protected Resource Metadata if no scope in 401

Request only the scopes needed for the intended operation (principle of least privilege)

Handle scope downgrading by checking granted scopes against requested scopes and disabling features that lack authorization (authorization server may grant fewer scopes)

Re-request scopes if the server indicates insufficient permissions on subsequent requests