From aa2a2a9c661a58767a5a951d5042dff532d299b3 Mon Sep 17 00:00:00 2001
From: Lovish Arora <46993225+lavish0000@users.noreply.github.com>
Date: Thu, 5 Mar 2026 23:27:08 +0100
Subject: [PATCH 1/2] fix: allow client scopes when no scope restriction is set
---
 src/mcp/shared/auth.py | 4 +++-
 tests/shared/test_auth.py | 24 +++++++++++++++++++++++-
 2 files changed, 26 insertions(+), 2 deletions(-)
diff --git a/src/mcp/shared/auth.py b/src/mcp/shared/auth.py
index ca5b7b45a..524ca287a 100644
--- a/src/mcp/shared/auth.py
+++ b/src/mcp/shared/auth.py
@@ -71,7 +71,9 @@ def validate_scope(self, requested_scope: str | None) -> list[str] | None:
 if requested_scope is None:
 return None
 requested_scopes = requested_scope.split(" ")
- allowed_scopes = [] if self.scope is None else self.scope.split(" ")
+ if self.scope is None:
+ return requested_scopes
+ allowed_scopes = self.scope.split(" ")
 for scope in requested_scopes:
 if scope not in allowed_scopes: # pragma: no branch
 raise InvalidScopeError(f"Client was not registered with scope {scope}")
diff --git a/tests/shared/test_auth.py b/tests/shared/test_auth.py
index cd3c35332..5c1796e65 100644
--- a/tests/shared/test_auth.py
+++ b/tests/shared/test_auth.py
@@ -1,6 +1,9 @@
 """Tests for OAuth 2.0 shared code."""
-from mcp.shared.auth import OAuthMetadata
+import pytest
+from pydantic import AnyUrl
+
+from mcp.shared.auth import InvalidScopeError, OAuthClientMetadata, OAuthMetadata
 def test_oauth():
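Review bot: The new early return in `validate_scope` (src/mcp/shared/auth.py) makes a missing registration scope fail open: when `self.scope is None` every requested scope string is returned unchecked, where the old code rejected all of them. Whether that is safe depends on the caller bounding the result by the scopes the authorization server is prepared to grant, which this hunk does not show, so the contract should be written at the branch, e.g. `# No scope registered: nothing to compare against here; the caller must still restrict the result to scopes the server supports.` On this path `requested_scope.split(" ")` also passes empty entries through for repeated or trailing spaces, which the membership check used to reject; `requested_scope.split()` would drop them. The function's signature and its final return lie outside the hunk.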
@@ -58,3 +61,22 @@ def test_oauth_with_jarm():
 "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
 }
 )
+
+
+def test_validate_scope_allows_requested_scopes_when_client_scope_is_none():
+ metadata = OAuthClientMetadata(
+ redirect_uris=[AnyUrl("https://client.example.com/callback")],
+ scope=None,
+ )
+
+ assert metadata.validate_scope("read write") == ["read", "write"]
+
+
+def test_validate_scope_rejects_scope_not_registered_with_client():
+ metadata = OAuthClientMetadata(
+ redirect_uris=[AnyUrl("https://client.example.com/callback")],
+ scope="read write",
+ )
+
+ with pytest.raises(InvalidScopeError, match="profile"):
+ metadata.validate_scope("read profile")
From dd73a15462df5e1fc4e9595b141d6521f2f45220 Mon Sep 17 00:00:00 2001
From: Lovish Arora <46993225+lavish0000@users.noreply.github.com>
Date: Fri, 6 Mar 2026 06:47:26 +0100
Subject: [PATCH 2/2] chore: retrigger flaky CI
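Review bot: The tests added to tests/shared/test_auth.py cover `scope=None` and a populated `scope` but not the boundary between them: assuming the model accepts it, a client registered with `scope=""` still takes the restrictive branch, because `"".split(" ")` is `[""]`, so `None` and the empty string now behave in opposite ways. A third case built like the two above with `scope=""`, asserting `with pytest.raises(InvalidScopeError): metadata.validate_scope("read")`, would record whether that difference is intended. The `scope=None` test would also benefit from a one-line docstring stating that the unrestricted result is deliberate, e.g. `"""A client registered without a scope is not restricted by validate_scope."""`.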