@W-20976712: Add MCP OAuth scope support and enforcement #205

mattcfilbert · 2026-01-21T16:11:11Z

Description

Implemented MCP OAuth scope support and best‑practice authorization challenges. Added scope config knobs, advertised scopes_supported, validated requested scopes, persisted scopes across auth/refresh flows, embedded scopes in access tokens, and enforced required scopes with insufficient_scope challenges. Updated OAuth docs with a recommended beta scope set and rationale for MCP scopes.

Motivation and Context

MCP lacked spec‑aligned scope handling and challenge responses, which blocked least‑privilege access and step‑up behavior. This change brings OAuth behavior in line with the MCP authorization spec and provides a clear scope configuration for beta.

Type of Change

How Has This Been Tested?

Not run (logic is unit‑level; tests can be added in a follow‑up).

Related Issues

MCP OAuth scope support + best‑practice authorization challenges #204

Checklist

I have updated the version in the package.json file by using npm run version. For example,
use npm run version:patch for a patch version bump.
I have made any necessary changes to the documentation
I have added tests that prove my fix is effective or that my feature works
New and existing unit tests pass locally with my changes
I have documented any breaking changes in the PR description. For example, renaming a config
environment variable or changing its default value.

Contributor Agreement

By submitting this pull request, I confirm that:

I have read the CONTRIBUTING guidelines for this project and followed
its Contribution Checklist.

salesforce-cla · 2026-01-21T16:11:18Z

Thanks for the contribution! Unfortunately we can't verify the commit author(s): mfilbert <m***@s***.com>. One possible solution is to add that email to your GitHub account. Alternatively you can change your commits to another email and force push the change. After getting your commits associated with your GitHub account, refresh the status of this Pull Request.

src/server/oauth/scopes.ts

src/server/oauth/.well-known/oauth-authorization-server.ts

docs/docs/configuration/mcp-config/oauth.md

src/server/oauth/authorize.ts

tests/e2e/workbooks/listWorkbooks.test.ts

OAUTH_IMPLEMENTATION_PLAN.md

src/config.ts

src/restApiInstance.ts

package.json

Co-authored-by: Cursor <cursoragent@cursor.com>

Drop explicit axios dependency now that build/tests pass via transitive usage, and reorder imports to satisfy simple-import-sort. Co-authored-by: Cursor <cursoragent@cursor.com>

Use the pulse definitions scope for listing metrics by definition id to avoid 403s. Co-authored-by: Cursor <cursoragent@cursor.com>

Remove token exchange tasks and questions from the plan, noting it is out of scope for initial release. Co-authored-by: Cursor <cursoragent@cursor.com>

salesforce-cla bot added the cla:missing label Jan 21, 2026

mattcfilbert force-pushed the W-20976712-mcp-oauth-scopes branch from a6ca30b to 01c9f2e Compare January 21, 2026 16:15

salesforce-cla bot removed the cla:missing label Jan 21, 2026

mattcfilbert force-pushed the W-20976712-mcp-oauth-scopes branch 2 times, most recently from baa916b to 41415fa Compare January 21, 2026 17:40

mattcfilbert requested a review from anyoung-tableau January 21, 2026 18:57