
stacklok / toolhive / 21705504413

05 Feb 2026 09:09AM UTC coverage: 60.789% (-0.07%) from 60.854%

push

github

web-flow
Align authserver DCR client scopes with discovery scopes_supported (#3610)

DCR was assigning hardcoded DefaultScopes ["openid", "profile", "email"]
to registered clients, while the discovery document advertised whatever
was configured in oidcConfig.inline.scopes. When those differed, clients
would read scopes_supported from discovery, request those scopes, and
get rejected by fosite because the client wasn't allowed them.

For example, with this MCPServer config:

```
    oidcConfig:
      inline:
        scopes: [user:email, read:user, repo]
```

the discovery document would advertise scopes_supported: ["user:email",
"read:user", "repo"], but a DCR client would only be allowed ["openid",
"profile", "email"]. Requesting "user:email" would fail with
invalid_scope.

The fix: DCR now reads h.config.ScopesSupported so clients are allowed
to request exactly the scopes the server advertises. The config default
for ScopesSupported references registration.DefaultScopes directly,
giving a single source of truth instead of two arrays to keep in sync.
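
The mismatch described in the commit message above, as an added Go sketch that is not toolhive's or fosite's code. `DefaultScopes`, `ScopesSupported` and the sample scopes come from the message; the `Config` and `Client` types, the `registerBefore`, `registerAfter`, `authorize` and `ungrantable` helpers, and the simplified scope check standing in for fosite's validation are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// DefaultScopes mirrors the hardcoded list named in the commit message.
var DefaultScopes = []string{"openid", "profile", "email"}
// ErrInvalidScope stands in for the invalid_scope rejection (hypothetical name).
var ErrInvalidScope = errors.New("invalid_scope")

// Config and Client are simplified, hypothetical types for this sketch.
type Config struct{ ScopesSupported []string }
type Client struct{ Allowed []string }

// registerBefore: old behaviour, every DCR client gets DefaultScopes.
func registerBefore(_ Config) Client { return Client{Allowed: DefaultScopes} }
// registerAfter: fixed behaviour, the client is allowed what discovery advertises.
func registerAfter(c Config) Client { return Client{Allowed: c.ScopesSupported} }

// authorize rejects a request containing any scope the client is not allowed.
func authorize(cl Client, requested []string) error {
	allowed := make(map[string]bool, len(cl.Allowed))
	for _, s := range cl.Allowed {
		allowed[s] = true
	}
	for _, s := range requested {
		if !allowed[s] {
			return fmt.Errorf("%w: %q", ErrInvalidScope, s)
		}
	}
	return nil
}

// ungrantable lists advertised scopes that the client could never be granted.
func ungrantable(c Config, cl Client) (out []string) {
	for _, s := range c.ScopesSupported {
		if authorize(cl, []string{s}) != nil {
			out = append(out, s)
		}
	}
	return out
}

func main() {
	// Scopes taken from the MCPServer config quoted in the commit message.
	cfg := Config{ScopesSupported: []string{"user:email", "read:user", "repo"}}
	fmt.Println("before fix:", ungrantable(cfg, registerBefore(cfg)),
		"after fix:", ungrantable(cfg, registerAfter(cfg)))
}
```

A non-empty `ungrantable` result is the drift condition: discovery advertises a scope that no dynamically registered client can be granted.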

5 of 5 new or added lines in 2 files covered. (100.0%)

44 existing lines in 6 files now uncovered.

40822 of 67154 relevant lines covered (60.79%)

79.44 hits per line

Source File

79.58
/pkg/transport/proxy/httpsse/http_proxy.go

