Open
Description
MCP Inspector requests all available scopes after the first authorization failure, violating the principle of least privilege. RFC 6750 specifies that servers should indicate required scopes via the WWW-Authenticate header, allowing clients to request only what's needed.
Current Behaviour
The Inspector implements a two-tier approach:
- Connect with minimal scope: "read"
- Tool requires "write" -> Server returns 401/403
- Inspector requests ALL scopes: "read write admin delete"
Expected Behaviour
- Connect with minimal scope: "read"
- Tool requires "write" -> Server returns 401/403 with WWW-Authenticate: Bearer scope="write"
- Inspector requests accumulated scopes: "read write"
Current Implementation Gaps
Status Code Handling:
- Handles 401 Unauthorized
- Does NOT handle 403 Forbidden (RFC 6750 compliant status for insufficient_scope)
Header Access:
- SDK error objects (SseError, StreamableHTTPError) don't expose response headers
- Headers ARE available in custom fetch functions (lines 534-570)
Proposed Solution
- Extend Status Code Detection: handle both 401 and 403 (many OAuth servers use 401 for both cases)
- Capture Headers at Fetch Level: intercept WWW-Authenticate headers in custom fetch functions before the SDK processes responses
- Progressive Scope Accumulation: parse the stored header in handleAuthError to accumulate scopes
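As an added illustration of the three proposed steps (this is example code, not the Inspector's or the MCP SDK's own implementation), the snippet below wraps a fetch implementation so that on 401 or 403 it captures the RFC 6750 Bearer challenge from WWW-Authenticate, parses its auth-params, and merges only the scope the server named into the scopes already held. The `lastChallenge` variable, the `parseBearerChallenge` and `accumulateScopes` helpers, and the fake fetch in `demo` are all assumptions introduced for the example; the Inspector would store the challenge wherever its auth-error handler can read it.

```javascript
// Added example, not MCP Inspector code: capture an RFC 6750 Bearer
// challenge at the fetch layer and accumulate only the requested scope.

// Parse the auth-params of a Bearer challenge such as
//   Bearer realm="mcp", error="insufficient_scope", scope="write"
// into a map of lower-cased param name -> unquoted value.
// Returns {} for anything that is not a Bearer challenge. (Assumed helper.)
function parseBearerChallenge(headerValue) {
  const params = {};
  if (!headerValue) return params;
  const m = /^\s*Bearer\s*(.*)$/i.exec(headerValue);
  if (!m) return params;
  // auth-param = token "=" ( token / quoted-string ), comma separated
  const re = /([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))/g;
  let match;
  while ((match = re.exec(m[1])) !== null) {
    const value =
      match[2] !== undefined ? match[2].replace(/\\(.)/g, "$1") : match[3];
    params[match[1].toLowerCase()] = value;
  }
  return params;
}

// Merge the scopes already granted with those named in the challenge,
// preserving order and removing duplicates ("read" + "write" -> "read write").
// Returns null when the challenge names no scope, so the caller knows the
// server gave nothing specific to request (rather than escalating to all scopes).
function accumulateScopes(currentScope, challengeScope) {
  if (!challengeScope) return null;
  const merged = new Set(currentScope.split(/\s+/).filter(Boolean));
  for (const s of challengeScope.split(/\s+/).filter(Boolean)) merged.add(s);
  return [...merged].join(" ");
}

// Fetch wrapper: SDK error objects do not carry response headers, so the
// WWW-Authenticate header is captured here, before the SDK sees the response.
// `lastChallenge` stands in for whatever storage the auth-error handler reads.
let lastChallenge = null;
async function fetchCapturingChallenge(fetchImpl, url, init) {
  const response = await fetchImpl(url, init);
  if (response.status === 401 || response.status === 403) {
    lastChallenge = parseBearerChallenge(response.headers.get("www-authenticate"));
  }
  return response;
}

// Constructed demonstration: a fake server answers 403 insufficient_scope
// asking for "write" while the client currently holds "read".
async function demo() {
  const fakeFetch = async () =>
    new Response(null, {
      status: 403,
      headers: {
        "WWW-Authenticate":
          'Bearer realm="mcp", error="insufficient_scope", scope="write"',
      },
    });
  await fetchCapturingChallenge(fakeFetch, "https://mcp.example/tool", {});
  return accumulateScopes("read", lastChallenge && lastChallenge.scope);
}

demo().then((next) => console.log("next scope request:", next));
```

`demo()` resolves to `"read write"`, which is the accumulated request from the Expected Behaviour section above; a server that answers with no `scope` param yields `null`, and the handler can then fall back to its existing behaviour rather than silently asking for every scope.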
@cliffhall I would like to take a stab at implementing this in the next few days - please give me the thumbs up and I'll get going.