Hi all,
Graham - first of all, sincerest apologies for the delayed response here. For some reason this particular Forum thread wasn’t picked up by the support software we use to centralize our support workflows. We’re investigating this to ensure it doesn’t happen again.
Scope negotiation with MCP servers varies right now depending on the client - some request the scopes they need when they navigate to the Authorization URL, others do not. There is an upcoming MCP spec due in September that should clarify scope negotiation.
In the meantime, we generally recommend setting the scopes directly in the URL query parameters from where your application hosts the Authorization URL (the <IdentityProvider /> component). This ensures that regardless of the client accessing the Authorization URL , you are setting the scopes that you want to grant.
Happy to answer any other questions about this as well, and apologies again about the delay.
Aymeri - I’ve just responded in your other thread regarding the scope bug with .well-known/oauth-authorization-server !