fix(client): preserve accumulated OAuth scope on 401 reauth

Author: rechedev9

packages/client/src/client/auth.ts

@@ -46,6 +46,8 @@ export interface UnauthorizedContext {
     serverUrl: URL;
     /** Fetch function configured with the transport's `requestInit`, for making auth requests. */
     fetchFn: FetchLike;
+    /** The merged scope accumulated across prior 401/403 challenges, when available. */
+    accumulatedScope?: string;
 }
 
 /**
@@ -105,7 +107,7 @@ export async function handleOAuthUnauthorized(provider: OAuthClientProvider, ctx
     const result = await auth(provider, {
         serverUrl: ctx.serverUrl,
         resourceMetadataUrl,
-        scope,
+        scope: ctx.accumulatedScope ?? scope,
         fetchFn: ctx.fetchFn
     });
     if (result !== 'AUTHORIZED') {

packages/client/src/client/sse.ts

@@ -160,7 +160,9 @@ export class SSEClientTransport implements Transport {
                         const response = this._last401Response;
                         this._last401Response = undefined;
                         this._eventSource?.close();
-                        this._authProvider.onUnauthorized({ response, serverUrl: this._url, fetchFn: this._fetchWithInit }).then(
+                        this._authProvider
+                            .onUnauthorized({ response, serverUrl: this._url, fetchFn: this._fetchWithInit, accumulatedScope: this._scope })
+                            .then(
                             // onUnauthorized succeeded → retry fresh. Its onerror handles its own onerror?.() + reject.
                             () => this._startOrAuth().then(resolve, reject),
                             // onUnauthorized failed → not yet reported.
@@ -289,7 +291,8 @@ export class SSEClientTransport implements Transport {
                         await this._authProvider.onUnauthorized({
                             response,
                             serverUrl: this._url,
-                            fetchFn: this._fetchWithInit
+                            fetchFn: this._fetchWithInit,
+                            accumulatedScope: this._scope
                         });
                         await response.text?.().catch(() => {});
                         // Purposely _not_ awaited, so we don't call onerror twice

packages/client/src/client/streamableHttp.ts

@@ -232,7 +232,8 @@ export class StreamableHTTPClientTransport implements Transport {
                         await this._authProvider.onUnauthorized({
                             response,
                             serverUrl: this._url,
-                            fetchFn: this._fetchWithInit
+                            fetchFn: this._fetchWithInit,
+                            accumulatedScope: this._scope
                         });
                         await response.text?.().catch(() => {});
                         // Purposely _not_ awaited, so we don't call onerror twice
@@ -527,7 +528,8 @@ export class StreamableHTTPClientTransport implements Transport {
                         await this._authProvider.onUnauthorized({
                             response,
                             serverUrl: this._url,
-                            fetchFn: this._fetchWithInit
+                            fetchFn: this._fetchWithInit,
+                            accumulatedScope: this._scope
                         });
                         await response.text?.().catch(() => {});
                         // Purposely _not_ awaited, so we don't call onerror twice

packages/client/test/client/auth.test.ts

@@ -13,6 +13,7 @@ import {
     discoverOAuthServerInfo,
     exchangeAuthorization,
     extractWWWAuthenticateParams,
+    handleOAuthUnauthorized,
     isHttpsUrl,
     refreshAuthorization,
     registerClient,
@@ -2059,6 +2060,66 @@ describe('OAuth Authorization', () => {
             vi.clearAllMocks();
         });
 
+        it('prefers accumulated scope when handling interactive 401 re-authorization', async () => {
+            mockFetch.mockImplementation(url => {
+                const urlString = url.toString();
+
+                if (urlString === 'https://api.example.com/.well-known/oauth-protected-resource') {
+                    return Promise.resolve({
+                        ok: true,
+                        status: 200,
+                        json: async () => ({
+                            resource: 'https://api.example.com/mcp-server',
+                            authorization_servers: ['https://auth.example.com']
+                        })
+                    });
+                }
+
+                if (urlString === 'https://auth.example.com/.well-known/oauth-authorization-server') {
+                    return Promise.resolve({
+                        ok: true,
+                        status: 200,
+                        json: async () => ({
+                            issuer: 'https://auth.example.com',
+                            authorization_endpoint: 'https://auth.example.com/authorize',
+                            token_endpoint: 'https://auth.example.com/token',
+                            response_types_supported: ['code'],
+                            code_challenge_methods_supported: ['S256']
+                        })
+                    });
+                }
+
+                return Promise.reject(new Error(`Unexpected fetch call: ${urlString}`));
+            });
+
+            vi.mocked(mockProvider.clientInformation).mockResolvedValue({
+                client_id: 'test-client',
+                client_secret: 'test-secret'
+            });
+            vi.mocked(mockProvider.tokens).mockResolvedValue(undefined);
+            vi.mocked(mockProvider.saveCodeVerifier).mockResolvedValue(undefined);
+            vi.mocked(mockProvider.redirectToAuthorization).mockResolvedValue(undefined);
+
+            await expect(
+                handleOAuthUnauthorized(mockProvider, {
+                    response: new Response(null, {
+                        status: 401,
+                        headers: {
+                            'WWW-Authenticate':
+                                'Bearer scope="read:op2", resource_metadata="https://api.example.com/.well-known/oauth-protected-resource"'
+                        }
+                    }),
+                    serverUrl: new URL('https://api.example.com/mcp-server'),
+                    fetchFn: mockFetch,
+                    accumulatedScope: 'read:op1 read:op2'
+                })
+            ).rejects.toThrow('Unauthorized');
+
+            const redirectCall = vi.mocked(mockProvider.redirectToAuthorization).mock.calls[0]?.[0];
+            expect(redirectCall).toBeInstanceOf(URL);
+            expect(redirectCall?.searchParams.get('scope')?.split(' ').toSorted()).toEqual(['read:op1', 'read:op2']);
+        });
+
         it('performs client_credentials with private_key_jwt when provider has addClientAuthentication', async () => {
             // Arrange: metadata discovery for PRM and AS
             mockFetch.mockImplementation(url => {

packages/client/test/client/streamableHttp.test.ts

@@ -2,7 +2,7 @@ import type { JSONRPCMessage, JSONRPCRequest } from '@modelcontextprotocol/core'
 import { OAuthError, OAuthErrorCode, SdkError, SdkErrorCode } from '@modelcontextprotocol/core';
 import type { Mock, Mocked, MockInstance } from 'vitest';
 
-import type { OAuthClientProvider } from '../../src/client/auth.js';
+import type { AuthProvider, OAuthClientProvider } from '../../src/client/auth.js';
 import { UnauthorizedError } from '../../src/client/auth.js';
 import type { StartSSEOptions, StreamableHTTPReconnectionOptions } from '../../src/client/streamableHttp.js';
 import { StreamableHTTPClientTransport } from '../../src/client/streamableHttp.js';
@@ -690,6 +690,42 @@ describe('StreamableHTTPClientTransport', () => {
         expect(mockAuthProvider.redirectToAuthorization.mock.calls).toHaveLength(1);
     });
 
+    it('passes accumulated scope to onUnauthorized for 401 retries', async () => {
+        const onUnauthorized = vi.fn().mockResolvedValue(undefined);
+        const authProvider: AuthProvider = {
+            token: vi.fn().mockResolvedValue(undefined),
+            onUnauthorized
+        };
+
+        transport = new StreamableHTTPClientTransport(new URL('http://localhost:1234/mcp'), {
+            authProvider
+        });
+
+        Reflect.set(transport, '_scope', 'read:op1');
+
+        const fetchMock = vi.mocked(globalThis.fetch);
+        fetchMock
+            .mockResolvedValueOnce(
+                new Response('Unauthorized', {
+                    status: 401,
+                    headers: {
+                        'WWW-Authenticate': 'Bearer scope="read:op2"'
+                    }
+                })
+            )
+            .mockResolvedValueOnce(new Response(null, { status: 202 }));
+
+        await transport.send({
+            jsonrpc: '2.0',
+            method: 'test',
+            params: {},
+            id: 'test-id'
+        });
+
+        const ctx = vi.mocked(onUnauthorized).mock.calls[0]?.[0];
+        expect(ctx?.accumulatedScope?.split(' ').toSorted()).toEqual(['read:op1', 'read:op2']);
+    });
+
     it('attempts upscoping on 403 with WWW-Authenticate header', async () => {
         const message: JSONRPCMessage = {
             jsonrpc: '2.0',