Open
Labels
auth, bug, needs-triage, p2-medium
Description
Inspector Version
- v0.17.0
Describe the bug
Scope field is being ignored when building the OAuth authorization URL
To Reproduce
- Set Transport type to "Streamable HTTP"
- Set URL to an MCP server that requires OAuth2
- Set Client ID under the "OAuth 2.0 Flow" section
- Set one or more scopes under the "OAuth 2.0 Flow" section
- Do the "Guided OAuth Flow" ...
- When you reach the "Preparing Authorization" section, notice the "Authorization URL". It completely ignores anything you enter in the "Scope" field. Instead it uses the "scopes_supported" discovered from the protected resource metadata, or from the /.well-known/oauth-authorization-server metadata.
Expected behavior
This behavior is not correct. If the user enters a set of scopes, those should take precedence.
One could argue that you should never use the discovered scopes, as this is purely an informational hint given to the client. Just because a certain scope is supported, does not imply I want to request that scope. If you wanted, you could display the supported scopes, and allow the user to select the ones they want to request.
Screenshots
Environment (please complete the following information):
- OS: MacOS
- Browser: Chrome, Version 141.0.7390.66 (Official Build) (arm64)
keurcien
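The precedence requested in the report above, written out as an added TypeScript example; it is not part of the original issue and not the Inspector's own code. The names `resolveScope` and `buildAuthorizationUrl`, the fallback to discovered scopes when the field is empty, and the sample values are assumptions.

```typescript
// Added example: hypothetical helpers, not the Inspector's implementation.
interface DiscoveredMetadata { scopes_supported?: string[] }

interface ScopeChoice {
  scope: string | undefined; // value for the `scope` parameter, if any
  source: "user" | "resource-metadata" | "auth-server-metadata" | "none";
  unadvertised: string[]; // user-entered scopes absent from every discovered list
}

function resolveScope(
  userInput: string,
  resourceMeta: DiscoveredMetadata = {},
  authServerMeta: DiscoveredMetadata = {},
): ScopeChoice {
  // RFC 6749 section 3.3: scope is a space-delimited list; trim and de-duplicate.
  const entered = Array.from(new Set(userInput.split(/\s+/).filter(Boolean)));
  const fromResource = resourceMeta.scopes_supported ?? [];
  const fromAuthServer = authServerMeta.scopes_supported ?? [];
  if (entered.length > 0) {
    // Explicit user input always wins; discovered lists are only used to warn.
    const advertised = new Set(fromResource.concat(fromAuthServer));
    const unadvertised = advertised.size ? entered.filter((s) => !advertised.has(s)) : [];
    return { scope: entered.join(" "), source: "user", unadvertised };
  }
  // Assumed fallback when the field is empty: discovered scopes, resource metadata first.
  if (fromResource.length) return { scope: fromResource.join(" "), source: "resource-metadata", unadvertised: [] };
  if (fromAuthServer.length) return { scope: fromAuthServer.join(" "), source: "auth-server-metadata", unadvertised: [] };
  return { scope: undefined, source: "none", unadvertised: [] };
}

function buildAuthorizationUrl(
  authorizationEndpoint: string,
  clientId: string,
  redirectUri: string,
  state: string,
  choice: ScopeChoice,
): string {
  const url = new URL(authorizationEndpoint);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("redirect_uri", redirectUri);
  url.searchParams.set("state", state);
  // Omit `scope` entirely rather than sending an empty value.
  if (choice.scope !== undefined) url.searchParams.set("scope", choice.scope);
  return url.toString();
}
```

A non-empty `unadvertised` list is worth surfacing to the user as a warning before redirecting, without silently rewriting the scopes they entered.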