From ff59015621ea60785441aadb9eba29c0baab721a Mon Sep 17 00:00:00 2001
From: John Howard
Date: Tue, 8 Jul 2025 09:32:02 -0700
Subject: [PATCH] oauth: use requested scopes instead of all supported scope This mirrors the logic in client_registration Fixes https://github.com/modelcontextprotocol/inspector/issues/587
---
 client/src/lib/oauth-state-machine.ts | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/client/src/lib/oauth-state-machine.ts b/client/src/lib/oauth-state-machine.ts
index d87b3ecd6..9a3581ea6 100644
--- a/client/src/lib/oauth-state-machine.ts
+++ b/client/src/lib/oauth-state-machine.ts
@@ -109,8 +109,12 @@ export const oauthTransitions: Record = {
 const clientInformation = context.state.oauthClientInfo!;
 let scope: string | undefined = undefined;
- if (metadata.scopes_supported) {
- scope = metadata.scopes_supported.join(" ");
+ // Prefer scopes from resource metadata if available
+ const scopesSupported =
+ context.state.resourceMetadata?.scopes_supported ||
+ metadata.scopes_supported;
+ if (scopesSupported) {
+ scope = scopesSupported.join(" ");
 }
 const { authorizationUrl, codeVerifier } = await startAuthorization(
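Review bot: The `||` fallback on the new `scopesSupported` lines treats an empty array as present, because `[]` is truthy. A resource that publishes `scopes_supported: []` therefore hides the authorization-server list, and `scope` becomes `""` instead of staying `undefined`. If an empty list is meant to fall through, test the length instead: `const rs = context.state.resourceMetadata?.scopes_supported; const scopesSupported = rs?.length ? rs : metadata.scopes_supported;`, guarded by `if (scopesSupported?.length)`. Separately, the request still joins every scope the resource advertises, and that metadata presumably comes from the server being connected to. The comment could say so, e.g. `// Request only the scopes this resource advertises; fall back to the AS-wide list when it publishes none`, so readers do not take this for a user-selected, least-privilege set. The enclosing transition begins and ends outside the hunk.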