Removing the duplicate logic

Nayana-Parameswarappa · Nayana-Parameswarappa · commit 26362691134a · 2025-11-19T21:25:31.000-08:00
diff --git a/src/client/auth.test.ts b/src/client/auth.test.ts
@@ -16,7 +16,7 @@ import {
     isHttpsUrl
 } from './auth.js';
 import { InvalidClientMetadataError, ServerError } from '../server/auth/errors.js';
-import { AuthorizationServerMetadata, OAuthClientMetadata } from '../shared/auth.js';
+import { AuthorizationServerMetadata } from '../shared/auth.js';
 import { expect, vi, type Mock } from 'vitest';
 
 // Mock pkce-challenge
@@ -1553,17 +1553,14 @@ describe('OAuth Authorization', () => {
     });
 
     describe('auth function', () => {
-        let clientMetadataScope: string | undefined = undefined;
-
         const mockProvider: OAuthClientProvider = {
             get redirectUrl() {
                 return 'http://localhost:3000/callback';
             },
             get clientMetadata() {
                 return {
                     redirect_uris: ['http://localhost:3000/callback'],
-                    client_name: 'Test Client',
-                    scope: clientMetadataScope
+                    client_name: 'Test Client'
                 };
             },
             clientInformation: vi.fn(),
@@ -2473,91 +2470,6 @@ describe('OAuth Authorization', () => {
             // Verify custom fetch was called for AS metadata discovery
             expect(customFetch.mock.calls[1][0].toString()).toBe('https://auth.example.com/.well-known/oauth-authorization-server');
         });
-
-        it('prioritizes provided scope over resourceMetadata.scope', async () => {
-            const providedScope = 'provided_scope';
-            (mockProvider.clientMetadata as OAuthClientMetadata).scope = 'client_metadata_scope';
-
-            mockFetch.mockImplementation(url => {
-                if (url.toString().includes('/.well-known/oauth-protected-resource')) {
-                    return Promise.resolve({
-                        ok: true,
-                        status: 200,
-                        json: async () => ({
-                            resource: 'https://api.example.com/mcp-server',
-                            scopes_supported: ['read', 'write'],
-                            authorization_servers: ['https://auth.example.com']
-                        })
-                    });
-                }
-                return Promise.resolve({ ok: false, status: 404 });
-            });
-
-            await auth(mockProvider, {
-                serverUrl: 'https://api.example.com/mcp-server',
-                scope: providedScope
-            });
-
-            const redirectCall = (mockProvider.redirectToAuthorization as Mock).mock.calls[0];
-            const authUrl: URL = redirectCall[0];
-            expect(authUrl.searchParams.get('scope')).toBe(providedScope);
-        });
-
-        it('uses resourceMetadata.scope when provided scope is missing', async () => {
-            const resourceScope = 'resource_metadata_scope';
-            (mockProvider.clientMetadata as OAuthClientMetadata).scope = 'client_metadata_scope';
-
-            mockFetch.mockImplementation(url => {
-                if (url.toString().includes('/.well-known/oauth-protected-resource')) {
-                    return Promise.resolve({
-                        ok: true,
-                        status: 200,
-                        json: async () => ({
-                            resource: 'https://api.example.com/mcp-server',
-                            scopes_supported: ['resource_metadata_scope'],
-                            authorization_servers: ['https://auth.example.com']
-                        })
-                    });
-                }
-                return Promise.resolve({ ok: false, status: 404 });
-            });
-
-            await auth(mockProvider, {
-                serverUrl: 'https://api.example.com/mcp-server'
-            });
-
-            const redirectCall = (mockProvider.redirectToAuthorization as Mock).mock.calls[0];
-            const authUrl: URL = redirectCall[0];
-            expect(authUrl.searchParams.get('scope')).toBe(resourceScope);
-        });
-
-        it('falls back to clientMetadata.scope when provided and resourceMetadata scopes are missing', async () => {
-            const expectedScope = 'client_metadata_scope';
-            clientMetadataScope = expectedScope;
-
-            mockFetch.mockImplementation(url => {
-                if (url.toString().includes('/.well-known/oauth-protected-resource')) {
-                    return Promise.resolve({
-                        ok: true,
-                        status: 200,
-                        json: async () => ({
-                            resource: 'https://api.example.com/mcp-server',
-                            resource_metadata_scope: [],
-                            authorization_servers: ['https://auth.example.com']
-                        })
-                    });
-                }
-                return Promise.resolve({ ok: false, status: 404 });
-            });
-
-            await auth(mockProvider, {
-                serverUrl: 'https://api.example.com/mcp-server'
-            });
-
-            const redirectCall = (mockProvider.redirectToAuthorization as Mock).mock.calls[0];
-            const authUrl: URL = redirectCall[0];
-            expect(authUrl.searchParams.get('scope')).toBe(clientMetadataScope);
-        });
     });
 
     describe('exchangeAuthorization with multiple client authentication methods', () => {
diff --git a/src/client/auth.ts b/src/client/auth.ts
@@ -473,7 +473,7 @@ async function authInternal(
         clientInformation,
         state,
         redirectUrl: provider.redirectUrl,
-        scope: selectScope(provider, resourceMetadata, scope),
+        scope: scope || resourceMetadata?.scopes_supported?.join(' ') || provider.clientMetadata.scope,
         resource
     });
 
@@ -483,30 +483,6 @@ async function authInternal(
 }
 
 /**
- * Selects the appropriate OAuth scope to use.
- *
- * The priority order is:
- * 1.  The provided `scope` argument (if available). The scope is usually provided by WWW-authenticate header.
- * 2.  Protected Resource Metadata scope (if available)
- * 3.  The `OAuthClientProvider.clientMetadata.scope` (if available)
- */
-export function selectScope(
-    provider: OAuthClientProvider,
-    resourceMetadata?: OAuthProtectedResourceMetadata,
-    scope?: string
-): string | undefined {
-    if (scope) {
-        return scope;
-    }
-
-    const scopes = resourceMetadata?.scopes_supported;
-    if (scopes && scopes.length > 0) {
-        return scopes.join(' ');
-    }
-
-    return provider.clientMetadata.scope;
- }
-
  * SEP-991: URL-based Client IDs
  * Validate that the client_id is a valid URL with https scheme
  */
