Hi, I noticed when trying to test our MCP implementation with ChatGPT apps, wrong scopes are being requested during the OAuth process.
We support everything defined in the MCP specification, and everything works in the MCP inspector as well as other MCP clients. I’m interested in your process of reading scopes. I noticed in our logs that you are requesting “/.well-known/oauth-protected-resource”. Here we return the response in the following format as defined by the specification:
{
"resource": "https://mcp.company.com/service",
"resource_name": "Company MCP server",
"authorization_servers": [
"https://server/realms/company"
],
"bearer_methods_supported": [
"access_token"
],
"scopes_supported": [
"scope1",
"scope2"
]
}
But instead of requesting “scope1“ and “scope2“, ChatGPT always requests the following (we are providing this requested scopes by default, but “scope1” and “scope2” should still be here):
We also define the scopes inside the 401 WWW-Authenticate header.
I’m wondering if ChatGPT’s MCP client uses a different field to read supported scopes or if there’s some other detail that we are missing?