use scopes_supported for OAuth when present on MCP servers#14419
jgershen-oai merged 3 commits into main, Mar 12, 2026
Discover and use advertised MCP OAuth scopes_supported when no explicit or configured scopes are specified. This also brings behavior in line with https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization#scope-selection-strategy.
gpeal
reviewed
Mar 12, 2026
codex-rs/cli/src/mcp_cmd.rs
Outdated
| } | ||
|
|
||
| #[allow(clippy::too_many_arguments)] | ||
| async fn perform_oauth_login_with_legacy_retry( |
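Review bot: `perform_oauth_login_with_legacy_retry` is declared directly under `#[allow(clippy::too_many_arguments)]` with no doc comment above it, so the visible lines do not say what condition triggers the retry or what the second attempt requests. Add a `///` comment stating both, and consider grouping the parameters into a struct rather than silencing the lint.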
Collaborator
The name legacy retry is pretty unclear here. Should it be perform_oauth_login_retry_without_scopes or something? Why is it necessary to have that fallback? Docs would be helpful, I think
Collaborator
Author
I wanted to keep the fallback to no-scope auth since that's how it works today, and I don't want this to be a breaking change for anyone. Good call on the name; added some docs
gpeal
approved these changes
Mar 12, 2026
Fixes #8889.
Summary
- scopes_supported when no explicit or configured scopes are present.
- mcp add, mcp login, skill dependency auto-login, and app-server MCP OAuth login.
Motivation
Some MCP servers advertise the scopes they expect clients to request during OAuth, but Codex was ignoring that metadata and typically starting OAuth with no scopes unless the user manually passed --scopes or configured server.scopes.
That made compliant MCP servers harder to use out of the box and is the behavior described in #8889.
This change also brings our behavior in line with the MCP authorization spec's scope selection guidance:
https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization#scope-selection-strategy
Behavior
Scope selection now follows this order everywhere:
1. --scopes
2. server.scopes
3. scopes_supported
Compatibility notes:
Implementation
- scopes_supported.
- core so all login entrypoints use the same precedence rules.
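The scope precedence and the no-scope fallback discussed in this PR, written out as an added example; it is not the Codex implementation. The names `ScopeSource`, `resolve_scopes` and `login_with_fallback` are hypothetical, and two behaviours are assumptions: an empty list counts as "not specified", and the retry without scopes happens only when the scopes came from discovery.

```rust
// Added example; all names here are hypothetical, not from the Codex code base.
#[derive(Debug, Clone, PartialEq)]
pub enum ScopeSource { Explicit, Configured, Discovered, None }

/// Pick scopes in the order the PR lists: --scopes, server.scopes, scopes_supported.
pub fn resolve_scopes(
    explicit: Option<Vec<String>>,
    configured: Option<Vec<String>>,
    discovered: Option<Vec<String>>,
) -> (Vec<String>, ScopeSource) {
    let candidates = [
        (explicit, ScopeSource::Explicit),
        (configured, ScopeSource::Configured),
        (discovered, ScopeSource::Discovered),
    ];
    for (scopes, source) in candidates {
        // Assumption: an empty list means "not specified", so fall through.
        if let Some(s) = scopes.filter(|s| !s.is_empty()) {
            return (s, source);
        }
    }
    (Vec::new(), ScopeSource::None)
}

/// Try `login` with the resolved scopes. If they were only discovered and the
/// attempt fails, retry once with no scopes (assumed compatibility fallback).
/// Scopes the user chose explicitly or configured are never silently dropped.
pub fn login_with_fallback<F>(
    scopes: &[String],
    source: &ScopeSource,
    mut login: F,
) -> Result<Vec<String>, String>
where
    F: FnMut(&[String]) -> Result<(), String>,
{
    match login(scopes) {
        Ok(()) => Ok(scopes.to_vec()),
        Err(_) if *source == ScopeSource::Discovered => login(&[]).map(|_| Vec::new()),
        Err(e) => Err(e),
    }
}

fn main() {
    // Constructed input: nothing explicit or configured, server advertises two scopes.
    let advertised = Some(vec!["mcp:read".to_string(), "mcp:write".to_string()]);
    let (scopes, source) = resolve_scopes(None, None, advertised);
    let granted = login_with_fallback(&scopes, &source, |_| Ok(()));
    println!("{:?} from {:?} -> {:?}", scopes, source, granted);
}
```

Returning the scope set that actually succeeded lets the caller log when a login fell back to no scopes instead of hiding it.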