Change the approach to enable the scope by default if it is found during discovery. Still allow an admin to remove the scope if they want.

Author: jsourcebot

CHANGELOG.md

@@ -29,7 +29,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Fixed issue where using multiple identity providers of the same type (e.g., gitlab) would result in unexpected behaviours. [#1177](https://github.com/sourcebot-dev/sourcebot/pull/1177)
 - Fixed a race condition where large repositories could be indexed twice within a single reindex interval. [#1298](https://github.com/sourcebot-dev/sourcebot/pull/1298)
 - Upgraded `shell-quote` to `^1.8.4`. [#1299](https://github.com/sourcebot-dev/sourcebot/pull/1299)
-- [EE] Fixed MCP OAuth connectors (e.g. Atlassian) rejecting the authorization request when `offline_access` was not explicitly enabled by an admin. `offline_access` is now always included in the requested scope and is enabled by default in the admin UI. [#1292](https://github.com/sourcebot-dev/sourcebot/pull/1292)
+- [EE] Fixed MCP OAuth connectors (e.g. Atlassian) rejecting the authorization request when `offline_access` was not explicitly enabled by an admin. The OAuth scopes dialog now pre-selects `offline_access` when the connector offers it; admins can still untick it to opt out of refresh tokens. [#1292](https://github.com/sourcebot-dev/sourcebot/pull/1292)
 
 ## [5.0.1] - 2026-06-04
 

docs/docs/features/ask/connectors.mdx

@@ -81,7 +81,7 @@ Changing connector scopes requires all users to re-authenticate with that connec
 </Warning>
 
 <Note>
-`offline_access` is enabled by default when offered by the connector. It is required for token refresh, so Sourcebot includes it regardless of whether an admin ticks the box.
+`offline_access` is pre-selected when offered by the connector because token refresh requires it. You can untick it to opt out of refresh tokens, but users will need to re-authenticate every time their access token expires. Some connectors (such as Atlassian) reject authorization entirely without it.
 </Note>
 
 ## Tool Permissions

packages/web/src/app/(app)/settings/workspaceAskAgent/workspaceAskAgentPage.tsx

@@ -27,7 +27,7 @@ import { ConnectMcpButton } from "@/ee/features/chat/mcp/components/connectMcpBu
 import { ConnectorCard } from "@/ee/features/chat/mcp/components/connectorCard";
 import { useMcpToolMetadata } from "@/ee/features/chat/mcp/hooks/useMcpToolMetadata";
 import { invalidateMcpConfigurationQueries, mcpQueryKeys } from "@/ee/features/chat/mcp/queryKeys";
-import { buildMcpOAuthScopeEntries, getMcpRequestedOAuthScopes, normalizeMcpRequestedOAuthScopes } from "@/ee/features/chat/mcp/oauthScopeUtils";
+import { buildMcpOAuthScopeEntries, getMcpRequestedOAuthScopes, normalizeMcpRequestedOAuthScopes, OFFLINE_ACCESS_SCOPE } from "@/ee/features/chat/mcp/oauthScopeUtils";
 import { pluralize } from "@/features/chat/mcp/utils";
 import { cn, isServiceError } from "@/lib/utils";
 import { useQuery, useQueryClient } from "@tanstack/react-query";
@@ -440,6 +440,13 @@ export function WorkspaceAskAgentPage({ callbackStatus, callbackServer, callback
         setCustomOAuthScopeInput("");
     };
 
+    // Pre-select offline_access so admins can see the scope token refresh depends on;
+    // they can still untick it to opt out of refresh tokens.
+    const initializeOAuthScopeSelection = (discoveredOAuthScopes: string[]) => {
+        setSelectedOAuthScopes(discoveredOAuthScopes.includes(OFFLINE_ACCESS_SCOPE) ? [OFFLINE_ACCESS_SCOPE] : []);
+        setCustomOAuthScopeInput("");
+    };
+
     const handleCloseClientCredentialsDialog = () => {
         setIsClientCredentialsDialogOpen(false);
         setPendingClientCredentialsServer(null);
@@ -572,7 +579,7 @@ export function WorkspaceAskAgentPage({ callbackStatus, callbackServer, callback
 
                 const discoveredOAuthScopes = normalizeMcpRequestedOAuthScopes(dcrSupport.oauthScopesSupported);
                 if (dcrSupport.isKnown && !dcrSupport.supportsDcr) {
-                    resetOAuthScopeInputs();
+                    initializeOAuthScopeSelection(discoveredOAuthScopes);
                     setPendingClientCredentialsServer({
                         name: displayName,
                         serverUrl: normalizedServerUrl,
@@ -584,7 +591,7 @@ export function WorkspaceAskAgentPage({ callbackStatus, callbackServer, callback
                 }
 
                 if (discoveredOAuthScopes.length > 0) {
-                    resetOAuthScopeInputs();
+                    initializeOAuthScopeSelection(discoveredOAuthScopes);
                     setPendingOAuthScopeSelectionServer({
                         name: displayName,
                         serverUrl: normalizedServerUrl,

packages/web/src/app/api/(server)/ee/askmcp/callback/route.test.ts

@@ -150,7 +150,7 @@ describe('GET /api/ee/askmcp/callback', () => {
         const state = createMcpOAuthState('state-1', '/settings/workspaceAskAgent');
         mocks.mcpAuth.mockImplementation(async (provider) => {
             expect('saveClientInformation' in provider).toBe(false);
-            expect(provider.clientMetadata.scope).toBe('offline_access repo');
+            expect(provider.clientMetadata.scope).toBe('repo');
             await provider.invalidateCredentials('all');
             const error = new Error('invalid_client client_secret=client-secret refresh_token=refresh-token');
             Object.assign(error, {

packages/web/src/app/api/(server)/ee/askmcp/connect/route.test.ts

@@ -148,7 +148,7 @@ describe('POST /api/ee/askmcp/connect', () => {
         mocks.mcpAuth.mockImplementation(async (provider, options) => {
             expect('saveClientInformation' in provider).toBe(true);
             expect(provider.saveClientInformation).toEqual(expect.any(Function));
-            expect(provider.clientMetadata.scope).toBe('offline_access repo');
+            expect(provider.clientMetadata.scope).toBe('repo');
             expect(options.fetchFn).toEqual(expect.any(Function));
 
             await provider.saveClientInformation({ client_id: 'client-1' });

packages/web/src/ee/features/chat/mcp/oauthScopeUtils.test.ts

@@ -31,28 +31,18 @@ describe('buildMcpOAuthScopeEntries', () => {
         ]);
     });
 
-    test('enables offline_access by default even when not in requestedOAuthScopes', () => {
+    test('does not special-case offline_access; it is enabled only when requested', () => {
         const entries = buildMcpOAuthScopeEntries({
-            availableOAuthScopes: ['offline_access', 'read', 'write'],
+            availableOAuthScopes: ['offline_access', 'read'],
             requestedOAuthScopes: [],
         });
 
         expect(entries).toEqual([
-            { scope: 'offline_access', enabled: true },
+            { scope: 'offline_access', enabled: false },
             { scope: 'read', enabled: false },
-            { scope: 'write', enabled: false },
         ]);
     });
 
-    test('does not add offline_access when it is absent from available scopes', () => {
-        const entries = buildMcpOAuthScopeEntries({
-            availableOAuthScopes: ['read', 'write'],
-            requestedOAuthScopes: [],
-        });
-
-        expect(entries.find((e) => e.scope === 'offline_access')).toBeUndefined();
-    });
-
     test('merges requested scopes not in available scopes into the output', () => {
         const entries = buildMcpOAuthScopeEntries({
             availableOAuthScopes: ['read'],

packages/web/src/ee/features/chat/mcp/oauthScopeUtils.ts

@@ -3,7 +3,9 @@ import type { McpServerOAuthScopeEntry } from './types';
 export const OAUTH_SCOPE_TOKEN_REGEX = /^[\x21\x23-\x5B\x5D-\x7E]+$/;
 
 // Required for the refresh_token grant that all clients declare. Providers such as
-// Atlassian only honour that grant when this scope is included in the authorization request.
+// Atlassian only honour that grant when this scope is included in the authorization request,
+// so the admin UI pre-selects it whenever the connector advertises it. Admins can still
+// untick it to opt out of refresh tokens.
 export const OFFLINE_ACCESS_SCOPE = 'offline_access';
 
 export function normalizeMcpRequestedOAuthScopes(oauthScopes: string[]): string[] {
@@ -54,8 +56,7 @@ export function buildMcpOAuthScopeEntries({
 
     return normalizedAvailableOAuthScopes.map((scope) => ({
         scope,
-        // Force-enabled regardless of admin selection — see OFFLINE_ACCESS_SCOPE.
-        enabled: scope === OFFLINE_ACCESS_SCOPE || requestedScopeSet.has(scope),
+        enabled: requestedScopeSet.has(scope),
     }));
 }
 

packages/web/src/ee/features/chat/mcp/prismaOAuthClientProvider.test.ts

@@ -79,26 +79,18 @@ describe('PrismaOAuthClientProvider modes', () => {
 });
 
 describe('PrismaOAuthClientProvider client metadata', () => {
-    test('always includes offline_access even when no scopes were requested', () => {
+    test('omits scope when no scopes were requested', () => {
         const provider = createProvider();
 
-        expect(provider.clientMetadata.scope).toBe('offline_access');
+        expect(provider.clientMetadata.scope).toBeUndefined();
     });
 
-    test('includes offline_access alongside normalized requested scopes', () => {
+    test('includes normalized requested scopes', () => {
         const provider = createProvider(createPrismaMock(), {
             requestedOAuthScopes: [' repo ', 'read:user', 'repo'],
         });
 
-        expect(provider.clientMetadata.scope).toBe('offline_access read:user repo');
-    });
-
-    test('does not duplicate offline_access when already present in requested scopes', () => {
-        const provider = createProvider(createPrismaMock(), {
-            requestedOAuthScopes: ['offline_access', 'read:user'],
-        });
-
-        expect(provider.clientMetadata.scope).toBe('offline_access read:user');
+        expect(provider.clientMetadata.scope).toBe('read:user repo');
     });
 });
 

packages/web/src/ee/features/chat/mcp/prismaOAuthClientProvider.ts

@@ -9,7 +9,7 @@ import { McpServerClientInfoSource, type PrismaClient } from '@sourcebot/db';
 import { encryptOAuthToken, decryptOAuthToken, createLogger } from '@sourcebot/shared';
 import { __unsafePrisma } from '@/prisma';
 import { createMcpOAuthState } from './mcpOAuthReturnTo';
-import { normalizeMcpRequestedOAuthScopes, OFFLINE_ACCESS_SCOPE } from './oauthScopeUtils';
+import { normalizeMcpRequestedOAuthScopes } from './oauthScopeUtils';
 
 type McpOAuthPrismaClient = Pick<PrismaClient, 'mcpServer' | 'userMcpServer'>;
 const logger = createLogger('mcp-oauth-client-provider');
@@ -113,14 +113,7 @@ export class PrismaOAuthClientProvider implements OAuthClientProvider {
     this.userId = userId;
     this.callbackUrl = callbackUrl;
     this.callbackReturnTo = callbackReturnTo;
-    // Always inject offline_access (see OFFLINE_ACCESS_SCOPE). We do so unconditionally rather
-    // than checking the provider's advertised scopes because oauthScopesSupported is not plumbed
-    // through to this constructor; the tradeoff (a benign unknown-scope rejection on strict
-    // providers) is the same as the existing behaviour of always declaring refresh_token.
-    this.requestedOAuthScopes = normalizeMcpRequestedOAuthScopes([
-        ...requestedOAuthScopes,
-        OFFLINE_ACCESS_SCOPE,
-    ]);
+    this.requestedOAuthScopes = normalizeMcpRequestedOAuthScopes(requestedOAuthScopes);
 
     if (allowClientRegistration) {
       this.saveClientInformation = async (info: OAuthClientInformation) => {