Title: Union previously requested scopes on step-up re-authorization (SEP-2350) by Kludex · Pull Request #2931 · modelcontextprotocol/python-sdk · GitHub
Open Graph Title: Union previously requested scopes on step-up re-authorization (SEP-2350) by Kludex · Pull Request #2931 · modelcontextprotocol/python-sdk
X Title: Union previously requested scopes on step-up re-authorization (SEP-2350) by Kludex · Pull Request #2931 · modelcontextprotocol/python-sdk
Description: Implements SEP-2350 (the fourth client-side item of #2902): union previously requested scopes on step-up re-authorization. What changed When a 403 insufficient_scope challenge triggers step-up re-authorization, the OAuth client previously replaced client_metadata.scope with only the newly challenged scopes, dropping the scopes granted for earlier operations. It now requests the union of the previously requested scopes and the challenged scopes. Per the spec: "Scope accumulation across operations is a client-side responsibility. Clients SHOULD compute the union of previously requested scopes and newly challenged scopes when initiating re-authorization." This lets servers stay stateless about client scope sets while clients keep their permissions. New union_scopes(previous, new) helper in utils.py — order-preserving, deduped. Unions at the 403 step-up call site in oauth2.py. Conformance Flips auth/scope-step-up green on the default leg: sep-2350-scope-union-on-reauth now reports SUCCESS (21/21). No baseline edits were needed: Default leg: scope-step-up was already removed from expected-failures.yml by #2927 (for the alpha.5 harness), so it was an unexpected failure on the pinned alpha.4 harness. It now passes, so the default leg is green again - this also resolves the pre-existing failure I flagged in #2930. 2026-07-28 leg: scope-step-up stays baselined there - it still fails for an unrelated reason ("client did not make an initial authorization request", the documented 2026 connection-lifecycle gap in client.py), not on the SEP-2350 check. Both legs pass with no stale or unexpected entries. AI Disclaimer This PR was developed with the assistance of either Claude or Codex. I've reviewed and verified the changes.
Open Graph Description: Implements SEP-2350 (the fourth client-side item of #2902): union previously requested scopes on step-up re-authorization. What changed When a 403 insufficient_scope challenge triggers step-up re-a...
X Description: Implements SEP-2350 (the fourth client-side item of #2902): union previously requested scopes on step-up re-authorization. What changed When a 403 insufficient_scope challenge triggers step-up re-a...
Opengraph URL: https://github.com/modelcontextprotocol/python-sdk/pull/2931
X: @github
Domain: github.com
| route-pattern | /:user_id/:repository/pull/:id/files(.:format) |
| route-controller | pull_requests |
| route-action | files |
| fetch-nonce | v2:1ed262a5-95f1-4557-4827-aa94fa799f02 |
| current-catalog-service-hash | ae870bc5e265a340912cde392f23dad3671a0a881730ffdadd82f2f57d81641b |
| request-id | 97A6:196F0D:DF73A2:1417BEE:6A5A0B46 |
| html-safe-nonce | 96232e84265de23542694190002e6768de6beb954f40ff8b640b3ea8fb293455 |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiI5N0E2OjE5NkYwRDpERjczQTI6MTQxN0JFRTo2QTVBMEI0NiIsInZpc2l0b3JfaWQiOiIzNTY2OTAyNzg1NTcxNjg3MjM4IiwicmVnaW9uX2VkZ2UiOiJpYWQiLCJyZWdpb25fcmVuZGVyIjoiaWFkIn0= |
| visitor-hmac | dc37aa7fe0684d41ab0496d77fb78dab2692ef6fff2db40b64cac652bf4dd7ca |
| hovercard-subject-tag | pull_request:3904362737 |
| github-keyboard-shortcuts | repository,pull-request-list,pull-request-conversation,pull-request-files-changed,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/modelcontextprotocol/python-sdk/pull/2931/files |
| twitter:image | https://avatars.githubusercontent.com/u/7353520?s=400&v=4 |
| twitter:card | summary_large_image |
| og:image | https://avatars.githubusercontent.com/u/7353520?s=400&v=4 |
| og:image:alt | Implements SEP-2350 (the fourth client-side item of #2902): union previously requested scopes on step-up re-authorization. What changed When a 403 insufficient_scope challenge triggers step-up re-a... |
| og:site_name | GitHub |
| og:type | object |
| hostname | github.com |
| expected-hostname | github.com |
| None | 8c2fe7351e4e987cb8f75e2425a0b895d807779bc4c2d3c312be0a54082219f7 |
| turbo-cache-control | no-preview |
| diff-view | unified |
| go-import | github.com/modelcontextprotocol/python-sdk git https://github.com/modelcontextprotocol/python-sdk.git |
| octolytics-dimension-user_id | 182288589 |
| octolytics-dimension-user_login | modelcontextprotocol |
| octolytics-dimension-repository_id | 862584018 |
| octolytics-dimension-repository_nwo | modelcontextprotocol/python-sdk |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 862584018 |
| octolytics-dimension-repository_network_root_nwo | modelcontextprotocol/python-sdk |
| turbo-body-classes | logged-out env-production page-responsive full-width |
| disable-turbo | true |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | 491710c7a8eecca9d0a06bd157646f2685d8c87b |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width