René's URL Explorer Experiment


Title: SEP-2350: accumulate scopes on step-up auth by dogacancolak · Pull Request #2676 · modelcontextprotocol/python-sdk · GitHub

Open Graph Title: SEP-2350: accumulate scopes on step-up auth by dogacancolak · Pull Request #2676 · modelcontextprotocol/python-sdk

X Title: SEP-2350: accumulate scopes on step-up auth by dogacancolak · Pull Request #2676 · modelcontextprotocol/python-sdk

Description: Implements MCP spec PR #2350 (closes #2349): on a 403 insufficient_scope step-up challenge, the client now unions the challenge scopes with its previously-requested scope set instead of replacing them. Stateless servers can now emit per-operation WWW-Authenticate challenges (the spec-recommended posture) without forcing the client to drop prior grants on every step-up. Motivation and Context The previous spec told servers to include "previously granted scopes" in insufficient_scope challenges, conflicting with RFC 6750 §3.1. The amended spec moves accumulation to the client. The SDK was replacing client_metadata.scope with the challenge scopes, so a client doing read → write → admin operations would lose prior scopes on each step-up and trigger re-auth loops. What changed 403 step-up branch in src/mcp/client/auth/oauth2.py now calls union_scopes(client_metadata.scope, challenge_scopes) instead of overwriting. The 401 branch is unchanged (replace semantics) — full re-login remains the natural down-scoping opportunity. Union source is client_metadata.scope (what we requested last time), not current_tokens.scope (what the AS granted). If the AS narrowed the grant at consent time, we still re-request the broader set on the next step-up rather than silently dropping scopes the user previously declined. Behavior read requested → 403 scope="write" → re-auth with read write. read write requested, granted read only → 403 scope="delete" → re-auth with read write delete (write survives the narrow grant). 401 (expired token) → scope is replaced by initial set, accumulated set is dropped. This is the down-scoping path. Happy path with a valid token → scope untouched. Tests Unit tests for union_scopes. End-to-end tests driving async_auth_flow cover the entire step-up branch, not just the union behavior: Step-up retry uses the new access token. After step-up succeeds, the retried request carries the stepped-up token, not the rejected one. Multi-step accumulation. read → step-up adds write → step-up adds admin ends with read write admin, not just admin. Union source is requested, not granted. If the user requested read write admin but the AS only granted read write at consent, a later step-up for delete re-authorizes with read write admin delete — the declined admin is re-requested rather than silently dropped. No scope in challenge falls back to PRM. A step-up challenge with no scope attribute uses the priority ladder (PRM, then AS metadata). Non-step-up 403 is a no-op. A 403 without insufficient-scope does not trigger re-auth. 401 is the down-scoping opportunity. A fresh 401 replaces an accumulated read write admin with the initial auth handshake's narrower read. Pins the invariant so a future "let's union on 401 too" change fails loudly. Happy path does not mutate scope. A successful request with a valid token leaves the requested scope set untouched. Step-up errors are logged and re-raised. Failures during step-up are surfaced rather than silently swallowed. Limitations / follow-ups Refresh-token path does not re-evaluate scope. As long as the refresh token is valid, the over-permissive accumulated set stays — the 401 down-scoping path is never hit. This is a limitation of the refresh_token flow itself.

Open Graph Description: Implements MCP spec PR #2350 (closes #2349): on a 403 insufficient_scope step-up challenge, the client now unions the challenge scopes with its previously-requested scope set instead of replacing t...

X Description: Implements MCP spec PR #2350 (closes #2349): on a 403 insufficient_scope step-up challenge, the client now unions the challenge scopes with its previously-requested scope set instead of replacing t...

Opengraph URL: https://github.com/modelcontextprotocol/python-sdk/pull/2676

X: @github

direct link

Domain: github.com

route-pattern/:user_id/:repository/pull/:id/files(.:format)
route-controllerpull_requests
route-actionfiles
fetch-noncev2:055d86a6-7941-afaf-66b7-ebd99d0f8942
current-catalog-service-hashae870bc5e265a340912cde392f23dad3671a0a881730ffdadd82f2f57d81641b
request-id945A:3D725F:1D4441C:2A18D6C:6A58D4AA
html-safe-noncecc0c094f14d3abfb7e4157e5fa178895417f4e6d12c52b9ff1785105fefc3e71
visitor-payloadeyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiI5NDVBOjNENzI1RjoxRDQ0NDFDOjJBMThENkM6NkE1OEQ0QUEiLCJ2aXNpdG9yX2lkIjoiODE2NzAxNTg3NzE4MDk3MDE1NCIsInJlZ2lvbl9lZGdlIjoiaWFkIiwicmVnaW9uX3JlbmRlciI6ImlhZCJ9
visitor-hmac810c1be9fcc8ecd070b884d48edc2a4f6937d25f4f56caf03588a1d81bd86435
hovercard-subject-tagpull_request:3738959452
github-keyboard-shortcutsrepository,pull-request-list,pull-request-conversation,pull-request-files-changed,copilot
google-site-verificationApib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I
octolytics-urlhttps://collector.github.com/github/collect
analytics-location///pull_requests/show/files
fb:app_id1401488693436528
apple-itunes-appapp-id=1477376905, app-argument=https://github.com/modelcontextprotocol/python-sdk/pull/2676/files
twitter:imagehttps://avatars.githubusercontent.com/u/54953926?s=400&v=4
twitter:cardsummary_large_image
og:imagehttps://avatars.githubusercontent.com/u/54953926?s=400&v=4
og:image:altImplements MCP spec PR #2350 (closes #2349): on a 403 insufficient_scope step-up challenge, the client now unions the challenge scopes with its previously-requested scope set instead of replacing t...
og:site_nameGitHub
og:typeobject
hostnamegithub.com
expected-hostnamegithub.com
None5f2a0c7865178af3d91dd9f13b0cdfc3c73a2529c873d2780bb4c01271a57ec6
turbo-cache-controlno-preview
diff-viewunified
go-importgithub.com/modelcontextprotocol/python-sdk git https://github.com/modelcontextprotocol/python-sdk.git
octolytics-dimension-user_id182288589
octolytics-dimension-user_loginmodelcontextprotocol
octolytics-dimension-repository_id862584018
octolytics-dimension-repository_nwomodelcontextprotocol/python-sdk
octolytics-dimension-repository_publictrue
octolytics-dimension-repository_is_forkfalse
octolytics-dimension-repository_network_root_id862584018
octolytics-dimension-repository_network_root_nwomodelcontextprotocol/python-sdk
turbo-body-classeslogged-out env-production page-responsive full-width
disable-turbotrue
browser-stats-urlhttps://api.github.com/_private/browser/stats
browser-errors-urlhttps://api.github.com/_private/browser/errors
release8aae7b8d6caacacf5c66eaeb2702d8dc88d85b4a
ui-targetfull
theme-color#1e2327
color-schemelight dark

Links:

Skip to contenthttps://github.com/modelcontextprotocol/python-sdk/pull/2676/files#start-of-content
https://github.com/
Sign in https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fmodelcontextprotocol%2Fpython-sdk%2Fpull%2F2676%2Ffiles
GitHub CopilotWrite better code with AIhttps://github.com/features/copilot
GitHub Copilot appDirect agents from issue to mergehttps://github.com/features/ai/github-app
MCP RegistryNewIntegrate external toolshttps://github.com/mcp
ActionsAutomate any workflowhttps://github.com/features/actions
CodespacesInstant dev environmentshttps://github.com/features/codespaces
IssuesPlan and track workhttps://github.com/features/issues
Code ReviewManage code changeshttps://github.com/features/code-review
GitHub Advanced SecurityFind and fix vulnerabilitieshttps://github.com/security/advanced-security
Code securitySecure your code as you buildhttps://github.com/security/advanced-security/code-security
Secret protectionStop leaks before they starthttps://github.com/security/advanced-security/secret-protection
Why GitHubhttps://github.com/why-github
Documentationhttps://docs.github.com
Bloghttps://github.blog
Changeloghttps://github.blog/changelog
Marketplacehttps://github.com/marketplace
View all featureshttps://github.com/features
Enterpriseshttps://github.com/enterprise
Small and medium teamshttps://github.com/team
Startupshttps://github.com/enterprise/startups
Nonprofitshttps://github.com/solutions/industry/nonprofits
App Modernizationhttps://github.com/solutions/use-case/app-modernization
DevSecOpshttps://github.com/solutions/use-case/devsecops
DevOpshttps://github.com/solutions/use-case/devops
CI/CDhttps://github.com/solutions/use-case/ci-cd
View all use caseshttps://github.com/solutions/use-case
Healthcarehttps://github.com/solutions/industry/healthcare
Financial serviceshttps://github.com/solutions/industry/financial-services
Manufacturinghttps://github.com/solutions/industry/manufacturing
Governmenthttps://github.com/solutions/industry/government
View all industrieshttps://github.com/solutions/industry
View all solutionshttps://github.com/solutions
AIhttps://github.com/resources/articles?topic=ai
Software Developmenthttps://github.com/resources/articles?topic=software-development
DevOpshttps://github.com/resources/articles?topic=devops
Securityhttps://github.com/resources/articles?topic=security
View all topicshttps://github.com/resources/articles
Customer storieshttps://github.com/customer-stories
Events & webinarshttps://github.com/resources/events
Ebooks & reportshttps://github.com/resources/whitepapers
Business insightshttps://github.com/solutions/executive-insights
GitHub Skillshttps://skills.github.com
Documentationhttps://docs.github.com
Customer supporthttps://support.github.com
Community forumhttps://github.com/orgs/community/discussions
Trust centerhttps://github.com/trust-center
Partnershttps://github.com/partners
View all resourceshttps://github.com/resources
GitHub SponsorsFund open source developershttps://github.com/open-source/sponsors
Security Labhttps://securitylab.github.com
Maintainer Communityhttps://maintainers.github.com
Acceleratorhttps://github.com/open-source/accelerator
GitHub Starshttps://stars.github.com
Archive Programhttps://archiveprogram.github.com
Topicshttps://github.com/topics
Trendinghttps://github.com/trending
Collectionshttps://github.com/collections
Enterprise platformAI-powered developer platformhttps://github.com/enterprise
GitHub Advanced SecurityEnterprise-grade security featureshttps://github.com/security/advanced-security
Copilot for BusinessEnterprise-grade AI featureshttps://github.com/features/copilot/copilot-business
Premium SupportEnterprise-grade 24/7 supporthttps://github.com/enterprise/premium-support
Pricinghttps://github.com/pricing
Search syntax tipshttps://docs.github.com/search-github/github-code-search/understanding-github-code-search-syntax
documentationhttps://docs.github.com/search-github/github-code-search/understanding-github-code-search-syntax
Sign in https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fmodelcontextprotocol%2Fpython-sdk%2Fpull%2F2676%2Ffiles
Sign up https://github.com/signup?ref_cta=Sign+up&ref_loc=header+logged+out&ref_page=%2F%3Cuser-name%3E%2F%3Crepo-name%3E%2Fpull_requests%2Fshow%2Ffiles&source=header-repo&source_repo=modelcontextprotocol%2Fpython-sdk
Reloadhttps://github.com/modelcontextprotocol/python-sdk/pull/2676/files
Reloadhttps://github.com/modelcontextprotocol/python-sdk/pull/2676/files
Reloadhttps://github.com/modelcontextprotocol/python-sdk/pull/2676/files
Please reload this pagehttps://github.com/modelcontextprotocol/python-sdk/pull/2676/files
modelcontextprotocol https://github.com/modelcontextprotocol
python-sdkhttps://github.com/modelcontextprotocol/python-sdk
Notifications https://github.com/login?return_to=%2Fmodelcontextprotocol%2Fpython-sdk
Fork 3.7k https://github.com/login?return_to=%2Fmodelcontextprotocol%2Fpython-sdk
Star 23.6k https://github.com/login?return_to=%2Fmodelcontextprotocol%2Fpython-sdk
Code https://github.com/modelcontextprotocol/python-sdk
Issues 254 https://github.com/modelcontextprotocol/python-sdk/issues
Pull requests 290 https://github.com/modelcontextprotocol/python-sdk/pulls
Actions https://github.com/modelcontextprotocol/python-sdk/actions
Projects https://github.com/modelcontextprotocol/python-sdk/projects
Models https://github.com/modelcontextprotocol/python-sdk/models
Security and quality 6 https://github.com/modelcontextprotocol/python-sdk/security
Insights https://github.com/modelcontextprotocol/python-sdk/pulse
Code https://github.com/modelcontextprotocol/python-sdk
Issues https://github.com/modelcontextprotocol/python-sdk/issues
Pull requests https://github.com/modelcontextprotocol/python-sdk/pulls
Actions https://github.com/modelcontextprotocol/python-sdk/actions
Projects https://github.com/modelcontextprotocol/python-sdk/projects
Models https://github.com/modelcontextprotocol/python-sdk/models
Security and quality https://github.com/modelcontextprotocol/python-sdk/security
Insights https://github.com/modelcontextprotocol/python-sdk/pulse
Sign up for GitHub https://github.com/signup?return_to=%2Fmodelcontextprotocol%2Fpython-sdk%2Fissues%2Fnew%2Fchoose
terms of servicehttps://docs.github.com/terms
privacy statementhttps://docs.github.com/privacy
Sign inhttps://github.com/login?return_to=%2Fmodelcontextprotocol%2Fpython-sdk%2Fissues%2Fnew%2Fchoose
dogacancolakhttps://github.com/dogacancolak
modelcontextprotocol:mainhttps://github.com/modelcontextprotocol/python-sdk/tree/main
dogacancolak:dc/mcp-python-sdk/scope-accumulation-step-uphttps://github.com/dogacancolak/mcp-python-sdk/tree/dc/mcp-python-sdk/scope-accumulation-step-up
Conversation 1 https://github.com/modelcontextprotocol/python-sdk/pull/2676
Commits 3 https://github.com/modelcontextprotocol/python-sdk/pull/2676/commits
Checks 27 https://github.com/modelcontextprotocol/python-sdk/pull/2676/checks
Files changed 3 https://github.com/modelcontextprotocol/python-sdk/pull/2676/files
SEP-2350: accumulate scopes on step-up auth https://github.com/modelcontextprotocol/python-sdk/pull/2676/files#top
Show all changes 3 commits https://github.com/modelcontextprotocol/python-sdk/pull/2676/files
61635c6 auth: add union_scopes helper for OAuth scope strings dogacancolak May 24, 2026 https://github.com/modelcontextprotocol/python-sdk/pull/2676/commits/61635c668c6f8cf31565b05000d59d524c0e79be
c231be9 auth: union scopes on 403 step-up (SEP-2350) dogacancolak May 24, 2026 https://github.com/modelcontextprotocol/python-sdk/pull/2676/commits/c231be995194177dfcb87b7a5fc265490386991a
a4bdbde auth: test union_scopes and step-up authorization flow dogacancolak May 24, 2026 https://github.com/modelcontextprotocol/python-sdk/pull/2676/commits/a4bdbde65d492219a2ec08b667a09a24d9137e87
Clear filters https://github.com/modelcontextprotocol/python-sdk/pull/2676/files
Please reload this pagehttps://github.com/modelcontextprotocol/python-sdk/pull/2676/files
Please reload this pagehttps://github.com/modelcontextprotocol/python-sdk/pull/2676/files
oauth2.py https://github.com/modelcontextprotocol/python-sdk/pull/2676/files#diff-b7aaf2062da175cea9a532176d6eb78b659eaadb757cc48929f0bafccfdb8d98
utils.py https://github.com/modelcontextprotocol/python-sdk/pull/2676/files#diff-1aed3def34492fb7eafa6e7aee6e9cc9973171b28c9574dc5c5b288a09878996
test_auth.py https://github.com/modelcontextprotocol/python-sdk/pull/2676/files#diff-f083d075f463e8b1ecfa6b931c33288c3d09b00ee3af3e5f74df16b7e75c3ab1
src/mcp/client/auth/oauth2.pyhttps://github.com/modelcontextprotocol/python-sdk/pull/2676/files#diff-b7aaf2062da175cea9a532176d6eb78b659eaadb757cc48929f0bafccfdb8d98
View file https://github.com/modelcontextprotocol/python-sdk/blob/a4bdbde65d492219a2ec08b667a09a24d9137e87/src/mcp/client/auth/oauth2.py
Open in desktop https://desktop.github.com
https://github.co/hiddenchars
https://github.com/modelcontextprotocol/python-sdk/pull/2676/{{ revealButtonHref }}
https://github.com/modelcontextprotocol/python-sdk/pull/2676/files#diff-b7aaf2062da175cea9a532176d6eb78b659eaadb757cc48929f0bafccfdb8d98
https://github.com/modelcontextprotocol/python-sdk/pull/2676/files#diff-b7aaf2062da175cea9a532176d6eb78b659eaadb757cc48929f0bafccfdb8d98
https://github.com/modelcontextprotocol/python-sdk/pull/2676/files#diff-b7aaf2062da175cea9a532176d6eb78b659eaadb757cc48929f0bafccfdb8d98
https://github.com/modelcontextprotocol/python-sdk/pull/2676/files#diff-b7aaf2062da175cea9a532176d6eb78b659eaadb757cc48929f0bafccfdb8d98
src/mcp/client/auth/utils.pyhttps://github.com/modelcontextprotocol/python-sdk/pull/2676/files#diff-1aed3def34492fb7eafa6e7aee6e9cc9973171b28c9574dc5c5b288a09878996
View file https://github.com/modelcontextprotocol/python-sdk/blob/a4bdbde65d492219a2ec08b667a09a24d9137e87/src/mcp/client/auth/utils.py
Open in desktop https://desktop.github.com
https://github.co/hiddenchars
https://github.com/modelcontextprotocol/python-sdk/pull/2676/{{ revealButtonHref }}
https://github.com/modelcontextprotocol/python-sdk/pull/2676/files#diff-1aed3def34492fb7eafa6e7aee6e9cc9973171b28c9574dc5c5b288a09878996
https://github.com/modelcontextprotocol/python-sdk/pull/2676/files#diff-1aed3def34492fb7eafa6e7aee6e9cc9973171b28c9574dc5c5b288a09878996
Please reload this pagehttps://github.com/modelcontextprotocol/python-sdk/pull/2676/files
Please reload this pagehttps://github.com/modelcontextprotocol/python-sdk/pull/2676/files
https://github.com
Termshttps://docs.github.com/site-policy/github-terms/github-terms-of-service
Privacyhttps://docs.github.com/site-policy/privacy-policies/github-privacy-statement
Securityhttps://github.com/security
Statushttps://www.githubstatus.com/
Communityhttps://github.community/
Docshttps://docs.github.com/
Contacthttps://support.github.com?tags=dotcom-footer

Viewport: width=device-width


URLs of crawlers that visited me.