Add --remote-auth-scope-param-name for non-standard OAuth scope parameters#4712
Merged
peppescg merged 3 commits intostacklok:mainfrom Apr 14, 2026
Merged
Conversation
gmogmzGithub
requested review from
ChrisJBurns,
JAORMX,
amirejaz,
jhrozek,
lujunsan,
rdimitrov and
yrobla
as code owners
gmogmzGithub
force-pushed
the
fix/slack-oauth-user-scope
branch
from
1feeca8 to
141b5cf
Compare
github-actions
bot
added
size/S
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #4712 +/- ##
==========================================
+ Coverage 68.98% 68.99% +0.01%
==========================================
Files 518 518
Lines 54985 55000 +15
==========================================
+ Hits 37932 37949 +17
+ Misses 14125 14124 -1
+ Partials 2928 2927 -1 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
gmogmzGithub
force-pushed
the
fix/slack-oauth-user-scope
branch
3 times, most recently
from
6506bb2 to
849326a
Compare
jhrozek
reviewed
Apr 13, 2026
Contributor
jhrozek
left a comment
jhrozek
left a comment
There was a problem hiding this comment.
Review from 4 specialized agents (oauth-expert, go-security-reviewer, code-reviewer, go-expert-developer). 3 inline comments.
jhrozek
approved these changes
Apr 14, 2026
Contributor
jhrozek
left a comment
jhrozek
left a comment
There was a problem hiding this comment.
Looks good — all the substantive feedback has been addressed cleanly. The nil-out-and-restore approach for scope removal is correct, and the OIDC discovery path now properly propagates ScopeParamName.
Generated with Claude Code
gmogmzGithub
force-pushed
the
fix/slack-oauth-user-scope
branch
from
ff67ef5 to
41ba489
Compare
jhrozek
previously approved these changes
Apr 14, 2026
github-actions
bot
added
size/S
…parameters Some OAuth providers use non-standard query parameter names for scopes in the authorization URL. For example, Slack's OAuth v2 requires user-token scopes in "user_scope" instead of the standard "scope" parameter. This causes ToolHive's OAuth flow to fail with invalid_scope errors when connecting to providers like Slack's MCP server. Add a new --remote-auth-scope-param-name flag that allows users to override the query parameter name used for scopes. When set, scopes are sent under the specified parameter name and the standard "scope" parameter is cleared. The oauth2Config.Scopes field is preserved so token refresh requests continue to work correctly. Signed-off-by: Gustavo Gomez <gmogmz@indeed.com>
- Replace SetAuthURLParam("scope", "") with temporarily nil-ing
oauth2Config.Scopes before AuthCodeURL, then restoring via defer.
This omits the scope parameter entirely instead of producing an
invalid empty scope= (RFC 6749 §3.3).
- Propagate ScopeParamName on the OIDC discovery fallback path in
createOAuthConfig, so --remote-auth-scope-param-name works with
--remote-auth-issuer as well.
- Strengthen test assertion to verify scope parameter is truly absent,
not just empty-valued.
Signed-off-by: Gustavo Gomez <gmogmz@indeed.com>
Signed-off-by: Gustavo Gomez <gmogmz@indeed.com>
gmogmzGithub
force-pushed
the
fix/slack-oauth-user-scope
branch
from
ccc4b92 to
4782cd3
Compare
github-actions
bot
added
size/S
jhrozek
approved these changes
Apr 14, 2026
github-actions
bot
added
size/S
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
--remote-auth-scope-param-nameCLI flag to override the query parameter name used for scopes in the OAuth authorization URLuser_scope), scopes are sent under the custom parameter name and the standardscope=is clearedoauth2Config.Scopesis preserved so token refresh continues to work correctlyMotivation
Slack's OAuth v2 requires user-token scopes in
user_scope=instead of the standardscope=parameter. When ToolHive connects tohttps://mcp.slack.com/mcp, its OAuth discovery correctly finds thev2_user/authorizeendpoint and the 15 supported scopes, but Go'soauth2library always places scopes inscope=. Slack rejects this withinvalid_scope.This flag closes the gap so ToolHive can authenticate with providers that use non-standard scope parameter names.
Example usage for Slack MCP
Changes
pkg/auth/oauth/flow.goScopeParamNamefield onConfig;buildAuthURLoverride logicpkg/auth/oauth/manual.goscopeParamNameparameterpkg/auth/discovery/discovery.goScopeParamNameonOAuthFlowConfigpkg/auth/remote/config.goScopeParamNamefield with JSON/YAML tagspkg/auth/remote/handler.goScopeParamNameto flow configcmd/thv/app/auth_flags.go--remote-auth-scope-param-nameflagcmd/thv/app/run_flags.gocmd/thv/app/proxy.go