Status: Closed

Labels: auth (related to authentication: Bearer, JWT, OAuth, WorkOS, for client or server), bug (something isn't working: errors, unexpected behavior, or broken functionality), client (related to the FastMCP client SDK or client-side functionality)

Description
Hi,

Situation:
Using OIDC Proxy (Dynamic Client Registration of fastMCP server and client). I am running the MCP server under a subpath (here "/echo_server/mcp").

The Scope Selection Strategy is defined in https://modelcontextprotocol.io/specification/draft/basic/authorization#scope-selection-strategy .
It describes:
"Use scope parameter from the initial WWW-Authenticate header in the 401 response, if provided".
But actually the client uses the "resource_metadata" field instead of the "scope".
Eventually the /echo_server/register endpoint bails out with the following error:
```text
POST http://127.0.0.1:8000/echo_server/register status=400 headers={'date': 'Sat, 15 Nov 2025 23:01:30 GMT', 'server': 'uvicorn', 'content-length': '164', 'content-type': 'application/json'}
body={"error":"invalid_client_metadata","error_description":"Requested scopes are not valid: http://127.0.0.1:8000/.well-known/oauth-protected-resource/echo_server/mcp"}
2025-11-16 00:01:31,261 ERROR [mcp.client.auth.oauth2] OAuth flow error
```
Code (excerpt of mcp/client/auth/oauth2.py as posted, elisions kept):

```python
async def async_auth_flow(self, request: httpx.Request) -> AsyncGenerator[httpx.Request, httpx.Response]:
    ...
    www_auth_resource_metadata_url = extract_resource_metadata_from_www_auth(response)
    ...
    # Step 3: Apply scope selection strategy
    self.context.client_metadata.scope = get_client_metadata_scopes(
        www_auth_resource_metadata_url,  # we must pass in a scope and not an url
        self.context.protected_resource_metadata,
        self.context.oauth_metadata,
    )
```
Version Information: none
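The following is an added illustration, not code from the mcp SDK or from the reporter. It parses the Bearer challenge in a 401's `WWW-Authenticate` header into its separate auth-params, so that `scope` and `resource_metadata` cannot be confused, and then applies the scope selection described in the issue: the `scope` auth-param wins when present. The fallback steps (use `scopes_supported` from the Protected Resource Metadata document, otherwise omit scope) are this example's reading of the spec's remaining steps and are an assumption. The header values, the PRM URL reuse and the `scopes_supported` list are constructed sample data; `parse_bearer_challenge`, `select_scope` and `resource_metadata_url` are hypothetical helper names.

```python
from __future__ import annotations

import re
from typing import Any, Mapping, Optional

# One auth-param of an RFC 6750 Bearer challenge: key="quoted value" or key=token.
_AUTH_PARAM = re.compile(r'(\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')


def parse_bearer_challenge(www_authenticate: str) -> dict[str, str]:
    """Return the auth-params of a Bearer challenge, keyed by lower-cased name.

    Only the Bearer scheme is handled; any other scheme yields an empty dict.
    """
    scheme, _, params = www_authenticate.strip().partition(" ")
    if scheme.lower() != "bearer":
        return {}
    parsed: dict[str, str] = {}
    for match in _AUTH_PARAM.finditer(params):
        name = match.group(1).lower()
        quoted, token = match.group(2), match.group(3)
        value = quoted if quoted is not None else token
        parsed[name] = value.replace('\\"', '"')  # unescape quoted-string content
    return parsed


def select_scope(
    www_authenticate: str,
    protected_resource_metadata: Optional[Mapping[str, Any]] = None,
) -> Optional[str]:
    """Pick the scope string to use for client registration / authorization.

    Step 1 is the spec sentence quoted in the issue: the `scope` auth-param of the
    401's WWW-Authenticate header wins when present. The `resource_metadata`
    auth-param is a URL pointing at the Protected Resource Metadata document and
    is never a scope. Steps 2 and 3 are this example's assumed fallback order:
    use `scopes_supported` from the PRM document, else omit the scope entirely.
    """
    challenge = parse_bearer_challenge(www_authenticate)
    scope = challenge.get("scope")
    if scope:
        return scope
    if protected_resource_metadata:
        supported = protected_resource_metadata.get("scopes_supported")
        if supported:
            return " ".join(supported)
    return None


def resource_metadata_url(www_authenticate: str) -> Optional[str]:
    """The value the reported code was feeding into the scope slot: a URL, kept separate here."""
    return parse_bearer_challenge(www_authenticate).get("resource_metadata")


# Constructed sample data: a 401 from a server mounted under /echo_server/mcp as in the
# issue, once without and once with an explicit scope auth-param.
PRM_URL = "http://127.0.0.1:8000/.well-known/oauth-protected-resource/echo_server/mcp"
CHALLENGE_NO_SCOPE = f'Bearer resource_metadata="{PRM_URL}"'
CHALLENGE_WITH_SCOPE = f'Bearer resource_metadata="{PRM_URL}", scope="echo:read echo:write"'
# Constructed Protected Resource Metadata document with hypothetical scopes.
SAMPLE_PRM = {
    "resource": "http://127.0.0.1:8000/echo_server/mcp",
    "scopes_supported": ["echo:read"],
}

if __name__ == "__main__":
    print(select_scope(CHALLENGE_WITH_SCOPE, SAMPLE_PRM))  # echo:read echo:write
    print(select_scope(CHALLENGE_NO_SCOPE, SAMPLE_PRM))    # echo:read
    print(select_scope(CHALLENGE_NO_SCOPE, {}))            # None
    print(resource_metadata_url(CHALLENGE_NO_SCOPE))       # the PRM URL, never used as scope
```

Keeping the two auth-params in separate accessors is the point: a registration request built from `select_scope` can only ever carry a scope string or nothing, and the `resource_metadata` URL is consumed only by the metadata fetch.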