Skip to content

Append offline_access to authorization scope when AS advertises it (SEP-2207) #1479

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Copilot wants to merge 3 commits into
base: main
Choose a base branch
from
+149 −1
Open

Append offline_access to authorization scope when AS advertises it (SEP-2207) #1479

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
97e817d
Initial plan
Copilot Mar 30, 2026
9cc6418
Add offline_access scope augmentation per SEP-2207
Copilot Mar 30, 2026
6a23554
Address review: PascalCase const, null-conditional pattern
Copilot Mar 31, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
32 changes: 32 additions & 0 deletions src/ModelContextProtocol.Core/Authentication/ClientOAuthProvider.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -492,6 +492,7 @@ private Uri BuildAuthorizationUrl(
}

var scope = GetScopeParameter(protectedResourceMetadata);
scope = AugmentScopeWithOfflineAccess(scope, authServerMetadata);
if (!string.IsNullOrEmpty(scope))
{
queryParamsDictionary["scope"] = scope!;
Expand Down Expand Up @@ -726,6 +727,37 @@ private async Task PerformDynamicClientRegistrationAsync(
return _configuredScopes;
}

/// <summary>
/// Augments the scope parameter with <c>offline_access</c> if the authorization server advertises it in
/// <c>scopes_supported</c> and it is not already present. This signals to OIDC-flavored authorization servers
/// that the client desires a refresh token, per SEP-2207.
/// </summary>
private static string? AugmentScopeWithOfflineAccess(string? scope, AuthorizationServerMetadata authServerMetadata)
{
const string offlineAccess = "offline_access";
Copy link
Copy Markdown
Contributor

@stephentoub stephentoub Mar 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

consts should be PascalCased

Copy link
Copy Markdown
Contributor Author

Copilot AI Mar 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed in 6a23554 — renamed to OfflineAccess.


if (authServerMetadata.ScopesSupported is null || !authServerMetadata.ScopesSupported.Contains(offlineAccess))
Copy link
Copy Markdown
Contributor

@stephentoub stephentoub Mar 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
if (authServerMetadata.ScopesSupported is null || !authServerMetadata.ScopesSupported.Contains(offlineAccess))
if (authServerMetadata.ScopesSupported?.Contains(offlineAccess) is not true)

Copy link
Copy Markdown
Contributor Author

Copilot AI Mar 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Applied in 6a23554.

{
return scope;
Copy link
Copy Markdown
Contributor

@stephentoub stephentoub Mar 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this correct if scope is null?

Copy link
Copy Markdown
Contributor Author

Copilot AI Mar 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes — when the AS doesn't advertise offline_access, we return the scope unchanged regardless of its value (including null). The caller already handles null scope by not adding the scope query parameter at all, which is the correct behavior.

}

if (scope is null)
{
return offlineAccess;
}

// Check if offline_access is already in the scope string (space-separated tokens).
foreach (var token in scope.Split(' '))
{
if (token == offlineAccess)
{
return scope;
}
}

return scope + " " + offlineAccess;
}

/// <summary>
/// Verifies that the resource URI in the metadata exactly matches the original request URL as required by the RFC.
/// Per RFC: The resource value must be identical to the URL that the client used to make the request to the resource server.
Expand Down
104 changes: 104 additions & 0 deletions tests/ModelContextProtocol.AspNetCore.Tests/OAuth/AuthTests.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1261,4 +1261,108 @@ public async Task CanAuthenticate_WithLegacyServerUsingDefaultEndpointFallback()
await using var client = await McpClient.CreateAsync(
transport, loggerFactory: LoggerFactory, cancellationToken: TestContext.Current.CancellationToken);
}

[Fact]
public async Task AuthorizationFlow_AppendsOfflineAccess_WhenServerAdvertisesIt()
{
TestOAuthServer.IncludeOfflineAccessInMetadata = true;
await using var app = await StartMcpServerAsync();

string? requestedScope = null;

await using var transport = new HttpClientTransport(new()
{
Endpoint = new(McpServerUrl),
OAuth = new()
{
ClientId = "demo-client",
ClientSecret = "demo-secret",
RedirectUri = new Uri("http://localhost:1179/callback"),
AuthorizationRedirectDelegate = (uri, redirect, ct) =>
{
var query = QueryHelpers.ParseQuery(uri.Query);
requestedScope = query["scope"].ToString();
return HandleAuthorizationUrlAsync(uri, redirect, ct);
},
},
}, HttpClient, LoggerFactory);

await using var client = await McpClient.CreateAsync(
transport, loggerFactory: LoggerFactory, cancellationToken: TestContext.Current.CancellationToken);

Assert.NotNull(requestedScope);
Assert.Contains("offline_access", requestedScope!.Split(' '));
}

[Fact]
public async Task AuthorizationFlow_DoesNotAppendOfflineAccess_WhenServerDoesNotAdvertiseIt()
{
// IncludeOfflineAccessInMetadata defaults to false, so the AS will not advertise offline_access.
await using var app = await StartMcpServerAsync();

string? requestedScope = null;

await using var transport = new HttpClientTransport(new()
{
Endpoint = new(McpServerUrl),
OAuth = new()
{
ClientId = "demo-client",
ClientSecret = "demo-secret",
RedirectUri = new Uri("http://localhost:1179/callback"),
AuthorizationRedirectDelegate = (uri, redirect, ct) =>
{
var query = QueryHelpers.ParseQuery(uri.Query);
requestedScope = query["scope"].ToString();
return HandleAuthorizationUrlAsync(uri, redirect, ct);
},
},
}, HttpClient, LoggerFactory);

await using var client = await McpClient.CreateAsync(
transport, loggerFactory: LoggerFactory, cancellationToken: TestContext.Current.CancellationToken);

Assert.NotNull(requestedScope);
Assert.DoesNotContain("offline_access", requestedScope!.Split(' '));
}

[Fact]
public async Task AuthorizationFlow_DoesNotDuplicateOfflineAccess_WhenAlreadyPresent()
{
TestOAuthServer.IncludeOfflineAccessInMetadata = true;

// Configure the PRM to already include offline_access in its scopes.
Builder.Services.Configure<McpAuthenticationOptions>(McpAuthenticationDefaults.AuthenticationScheme, options =>
{
options.ResourceMetadata!.ScopesSupported = ["mcp:tools", "offline_access"];
});

await using var app = await StartMcpServerAsync();

string? requestedScope = null;

await using var transport = new HttpClientTransport(new()
{
Endpoint = new(McpServerUrl),
OAuth = new()
{
ClientId = "demo-client",
ClientSecret = "demo-secret",
RedirectUri = new Uri("http://localhost:1179/callback"),
AuthorizationRedirectDelegate = (uri, redirect, ct) =>
{
var query = QueryHelpers.ParseQuery(uri.Query);
requestedScope = query["scope"].ToString();
return HandleAuthorizationUrlAsync(uri, redirect, ct);
},
},
}, HttpClient, LoggerFactory);

await using var client = await McpClient.CreateAsync(
transport, loggerFactory: LoggerFactory, cancellationToken: TestContext.Current.CancellationToken);

Assert.NotNull(requestedScope);
var scopeTokens = requestedScope!.Split(' ');
Assert.Single(scopeTokens, t => t == "offline_access");
}
}
14 changes: 13 additions & 1 deletion tests/ModelContextProtocol.TestOAuthServer/Program.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -78,6 +78,16 @@ public Program(ILoggerProvider? loggerProvider = null, IConnectionListenerFactor
/// </remarks>
public bool ExpectResource { get; set; } = true;

/// <summary>
/// Gets or sets a value indicating whether the authorization server advertises support for
/// <c>offline_access</c> in its <c>scopes_supported</c> metadata. This simulates an OIDC-flavored
/// authorization server that issues refresh tokens when the client requests the <c>offline_access</c> scope.
/// </summary>
/// <remarks>
/// The default value is <c>false</c>.
/// </remarks>
public bool IncludeOfflineAccessInMetadata { get; set; }

public HashSet<string> DisabledMetadataPaths { get; } = new(StringComparer.OrdinalIgnoreCase);
public IReadOnlyCollection<string> MetadataRequests => _metadataRequests.ToArray();

Expand Down Expand Up @@ -188,7 +198,9 @@ IResult HandleMetadataRequest(HttpContext context, string? issuerPath = null)
ResponseTypesSupported = ["code"],
SubjectTypesSupported = ["public"],
IdTokenSigningAlgValuesSupported = ["RS256"],
ScopesSupported = ["openid", "profile", "email", "mcp:tools"],
ScopesSupported = IncludeOfflineAccessInMetadata
? ["openid", "profile", "email", "mcp:tools", "offline_access"]
: ["openid", "profile", "email", "mcp:tools"],
TokenEndpointAuthMethodsSupported = ["client_secret_post"],
ClaimsSupported = ["sub", "iss", "name", "email", "aud"],
CodeChallengeMethodsSupported = ["S256"],
Expand Down
Loading