[BUG] Claude Code MCP client ignores scopes_supported from OAuth protected resource metadata, preventing refresh token issuance

[phernandez]

Preflight Checklist

• I have searched existing issues and this hasn't been reported yet
• This is a single bug report (please file separate reports for different bugs)
• I am using the latest version of Claude Code

What's Wrong?

Claude Code's MCP client fails to include OAuth scopes in authorization requests, even when the MCP server correctly provides scopes_supported in the OAuth protected resource metadata. This results in authorization requests without the offline_access scope, preventing refresh token issuance and causing authentication timeouts every 5 minutes.

What Should Happen?

Expected Behavior:

1. Claude Code should read scopes_supported from the MCP server's /.well-known/oauth-protected-resource endpoint
2. Include those scopes in OAuth authorization requests
3. Receive refresh tokens when offline_access scope is supported
4. Automatically refresh tokens to maintain persistent authentication

Error Messages/Logs

Debug Logs:
  [DEBUG] MCP server "basic-memory": Fetched OAuth metadata with scope: NONE
  [DEBUG] MCP server "basic-memory": Scopes in URL: NOT FOUND
  [DEBUG] MCP server "basic-memory": No scopes available from URL or metadata
  [DEBUG] MCP server "basic-memory": ERROR: No scopes stored to add to token request!
  [DEBUG] MCP server "basic-memory": Has refresh token: false
  [DEBUG] MCP server "basic-memory": Token expires in: 300

Steps to Reproduce

Actual Behavior:

1. Claude Code fetches OAuth metadata but logs "Fetched OAuth metadata with scope: NONE"
2. Authorization URLs are generated without any scope parameter
3. OAuth authorization requests exclude the offline_access scope
4. No refresh tokens are issued, causing re-authentication every 5 minutes

Reproduction Steps:

1. Set up an MCP server with OAuth using WorkOS AuthKit (or similar provider)
2. Configure the server to return scopes_supported: ["openid", "profile", "email", "offline_access"] in /.well-known/oauth-protected-resource
3. Connect to the MCP server via Claude Code with debug logging enabled
4. Observe the authorization URL in debug logs - it will be missing the scope parameter

Correct OAuth Protected Resource Metadata:
{
"resource": "https://mcp.basicmemory.com/mcp",
"authorization_servers": ["https://eloquent-lotus-05.authkit.app/"],
"scopes_supported": ["openid", "profile", "email", "offline_access"],
"bearer_methods_supported": ["header"]
}

Environment:

• Claude Code version: 1.0.117
• Platform: macOS (also affects other platforms)
• MCP server: WorkOS AuthKit with Dynamic Client Registration

Impact:

• High: Prevents extended MCP usage sessions
• Users must manually re-authenticate every 5 minutes
• Makes MCP servers with OAuth authentication practically unusable for development work

Comparison with Other Claude Clients:

• Claude Desktop, Web, and Mobile handle OAuth refresh tokens correctly with the same MCP server
• Only Claude Code exhibits this issue, suggesting a client-specific OAuth implementation problem

Technical Details:
The issue appears to be in Claude Code's MCP OAuth client implementation where it's not properly parsing or using the scopes_supported field from the OAuth
protected resource metadata when constructing authorization requests.

Workaround:
None available. Users must manually re-authenticate every 5 minutes.

Claude Model

Sonnet (default)

Is this a regression?

I don't know

Last Working Version

No response

Claude Code Version

Claude Code v1.0.117

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

PyCharm terminal

Additional Information

No response

[github-actions]

Found 3 possible duplicate issues:

1. [BUG] Missing scope Parameter in Dynamic Client Registration and Authorization Requests #4540
2. Missing Token Refresh Mechanism for MCP Server Integrations #5706
3. Claude OAuth requires dynamic client registration, making Azure AD/Entra ID integration complex #2527

This issue will be automatically closed as a duplicate in 3 days.

• If your issue is a duplicate, please close it and 👍 the existing issue instead
• To prevent auto-closure, add a comment or 👎 this comment

🤖 Generated with Claude Code

[github-actions]

This issue has been inactive for 30 days. If the issue is still occurring, please comment to let us know. Otherwise, this issue will be automatically closed in 30 days for housekeeping purposes.

[cbcoutinho]

This is still an issue