remove check for "allowed" scopes

chipgpt · chipgpt · commit f3418023555b · 2025-10-06T20:57:07.000-05:00
diff --git a/src/client/auth.test.ts b/src/client/auth.test.ts
@@ -44,7 +44,7 @@ describe('OAuth Authorization', () => {
                 }
             } as unknown as Response;
 
-            expect(extractWWWAuthenticateParams(mockResponse)).toEqual({ scope: 'read' });
+            expect(extractWWWAuthenticateParams(mockResponse)).toEqual({ scope: scope });
         });
 
         it('returns empty object if not bearer', async () => {
@@ -73,15 +73,16 @@ describe('OAuth Authorization', () => {
 
         it('returns undefined resourceMetadataUrl on invalid url', async () => {
             const resourceUrl = 'invalid-url';
+            const scope = 'read';
             const mockResponse = {
                 headers: {
                     get: jest.fn(name =>
-                        name === 'WWW-Authenticate' ? `Bearer realm="mcp", resource_metadata="${resourceUrl}", scope="read"` : null
+                        name === 'WWW-Authenticate' ? `Bearer realm="mcp", resource_metadata="${resourceUrl}", scope="${scope}"` : null
                     )
                 }
             } as unknown as Response;
 
-            expect(extractWWWAuthenticateParams(mockResponse)).toEqual({ scope: 'read' });
+            expect(extractWWWAuthenticateParams(mockResponse)).toEqual({ scope: scope });
         });
     });
 
diff --git a/src/client/streamableHttp.ts b/src/client/streamableHttp.ts
@@ -158,8 +158,8 @@ export class StreamableHTTPClientTransport implements Transport {
         try {
             result = await auth(this._authProvider, {
                 serverUrl: this._url,
-                scope: this._scope,
                 resourceMetadataUrl: this._resourceMetadataUrl,
+                scope: this._scope,
                 fetchFn: this._fetch
             });
         } catch (error) {
diff --git a/src/server/auth/handlers/authorize.ts b/src/server/auth/handlers/authorize.ts
@@ -120,14 +120,6 @@ export function authorizationHandler({ provider, rateLimit: rateLimitConfig }: A
             let requestedScopes: string[] = [];
             if (scope !== undefined) {
                 requestedScopes = scope.split(' ');
-                const allowedScopes = new Set(client.scope?.split(' '));
-
-                // Check each requested scope against allowed scopes
-                for (const scope of requestedScopes) {
-                    if (!allowedScopes.has(scope)) {
-                        throw new InvalidScopeError(`Client was not registered with scope ${scope}`);
-                    }
-                }
             }
 
             // All validation passed, proceed with authorization
