Tool Scopes Working Group Meeting
Working group for deciding on how tool auth scopes will be handled as part of the protocol.
This working group is for deciding how tool auth scopes will be handled as part of the protocol. It builds on the existing specification support for the OAuth authentication flow and the OAuth scope challenge. Both are implementable, but there is no guidance on how to define, manage and challenge tool scopes in a way that server SDK developers can integrate, so current implementations rely entirely on end developers.
Further to this, the direction of travel for tool responses is that they open SSE streams immediately. Changing status codes and headers as a result of responses from tool implementations (required for sending WWW-Authenticate scope challenge responses) may therefore no longer be possible, so a solution that is handled earlier in the lifecycle of tool calls is imperative.
As a concrete example, GitHub MCP Server implements the OAuth scope challenge in their remote server via a middleware that sits in front of the SDK. This requires double parsing of the JSON-RPC payload and a custom implementation, and it has challenges with some scopes not mapping 1:1 to tool calls unless the specific arguments are factored in.
These discussions are necessary to drive spec changes that ensure MCP Server developers and SDK developers can support scope challenges and determine required scopes effectively, and can publish them to end users.
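The middleware approach described above, as an added example that is not code from GitHub MCP Server or any MCP SDK: it parses the JSON-RPC `tools/call` payload ahead of the SDK, derives the required scopes from the tool name and its arguments, and answers with an RFC 6750 `insufficient_scope` challenge while the status line and headers can still be set. The tool names, scope names and both function names are hypothetical.

```python
import json

# Hypothetical tool-to-scope rules (constructed for this example). Each rule
# receives the call arguments, because a scope can depend on them.
SCOPE_RULES = {
    "list_issues": lambda args: {"issues:read"},
    "create_repo": lambda args: {"repo:private"} if args.get("private") else {"repo:public"},
}

def required_scopes(body):
    """First parse of the JSON-RPC payload; the SDK parses it again later."""
    try:
        msg = json.loads(body)
    except ValueError:
        return set()  # malformed JSON: let the SDK return the parse error
    if not isinstance(msg, dict) or msg.get("method") != "tools/call":
        return set()  # only tool calls are scope-gated in this example
    params = msg.get("params")
    if not isinstance(params, dict):
        return set()
    name = params.get("name")
    rule = SCOPE_RULES.get(name) if isinstance(name, str) else None
    if rule is None:
        return set()  # assumption: the SDK rejects tools it does not know
    args = params.get("arguments")
    return rule(args if isinstance(args, dict) else {})

def scope_challenge(body, granted):
    """Return None to forward the request, or (status, headers) to reject it
    before any SSE stream has been opened."""
    needed = required_scopes(body)
    if needed <= set(granted):
        return None
    value = 'Bearer error="insufficient_scope", scope="%s"' % " ".join(sorted(needed))
    return 403, {"WWW-Authenticate": value}

if __name__ == "__main__":
    # Constructed request: the same tool needs a different scope once private=True.
    call = json.dumps({"jsonrpc": "2.0", "id": 1, "method": "tools/call",
                       "params": {"name": "create_repo",
                                  "arguments": {"name": "demo", "private": True}}})
    print(scope_challenge(call.encode(), {"repo:public"}))
```

Any tool missing from the rule table passes through unchallenged here, so the table has to cover every tool the server registers.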
Facilitator(s) @Nate Barbettini (Arcade.dev), @Simon Russell (Prefactor), @Kevin Gao (Descope), @John Baldo (Asana), @thiago (OpenAI), @SamMorrowDrums (GitHub)
Maintainer(s) @Ola
First Issue/PR/SEP that the WG will work on:
https://github.com/modelcontextprotocol/modelcontextprotocol/issues/1881
https://github.com/modelcontextprotocol/modelcontextprotocol/pull/1862