Skip to content

Implementation of SEP835 : Scope parameter parsing from WWW-Authenticate headers#595

Open
fizy069 wants to merge 4 commits intomodelcontextprotocol:mainfrom
fizy069:authz-updates
Open

Implementation of SEP835 : Scope parameter parsing from WWW-Authenticate headers#595
fizy069 wants to merge 4 commits intomodelcontextprotocol:mainfrom
fizy069:authz-updates

Conversation

@fizy069
Copy link

@fizy069 fizy069 commented Dec 19, 2025
edited
Loading

Implement SEP-835 Enhanced Authorization Flows

Motivation and Context

This PR implements SEP-835 Enhanced Authorization Flows support in the Rust SDK, tracking issue #515.

Features added :

  • Scope parameter extraction from WWW-Authenticate headers
  • 403 insufficient_scope error handling with scope information
  • Runtime scope upgrade flow for progressive authorization
  • Priority-based scope selection strategy

How Has This Been Tested?

  • 24 auth module unit tests (11 new tests for scope functionality)
  • Tests cover scope union computation, retry limits, config defaults, and header parsing
  • Existing tests pass

Breaking Changes

None. Couple of warnings due to an older function being deprecated.

Types of changes

  • New feature (non-breaking change which adds functionality)

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

@fizy069
Add WWW-Authenticate scope extraction and 403 handling
2c60c65 
Implements scope parameter parsing from WWW-Authenticate headers and
403 insufficient_scope error handling per SEP-835.
@github-actions github-actions bot added T-core Core library changes T-transport Transport layer changes labels Dec 19, 2025
@fizy069 fizy069 marked this pull request as draft December 19, 2025 19:31
@fizy069 fizy069 marked this pull request as ready for review December 19, 2025 19:55
@fizy069
feat(auth): implement SEP-835 runtime scope upgrade flow
2d4310b 
- Add ScopeUpgradeConfig for configurable retry limits
- Track granted scopes in StoredCredentials and AuthorizationManager
- Implement scope union computation for progressive authorization
- Add request_scope_upgrade() for 403 insufficient_scope handling
- Add select_scopes() with WWW-Authenticate priority per SEP-835
- Export new types: ScopeUpgradeConfig, WWWAuthenticateParams, AuthClient
@fizy069 fizy069 mentioned this pull request Dec 20, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@scutuatua-crypto scutuatua-crypto scutuatua-crypto approved these changes

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

T-core Core library changes T-transport Transport layer changes

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@fizy069 @scutuatua-crypto