Skip to content

Implementation of SEP835 : Scope parameter parsing from WWW-Authenticate headers #595

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
fizy069 wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Implementation of SEP835 : Scope parameter parsing from WWW-Authenticate headers #595

fizy069 wants to merge 2 commits into from
+503 −6

Conversation

@fizy069
Copy link

@fizy069 fizy069 commented Dec 19, 2025
edited
Loading

Implement SEP-835 Enhanced Authorization Flows

Motivation and Context

This PR implements SEP-835 Enhanced Authorization Flows support in the Rust SDK, tracking issue #515.

Features added :

  • Scope parameter extraction from WWW-Authenticate headers
  • 403 insufficient_scope error handling with scope information
  • Runtime scope upgrade flow for progressive authorization
  • Priority-based scope selection strategy

How Has This Been Tested?

  • 24 auth module unit tests (11 new tests for scope functionality)
  • Tests cover scope union computation, retry limits, config defaults, and header parsing
  • Existing tests pass

Breaking Changes

None. Couple of warnings due to an older function being deprecated.

Types of changes

  • New feature (non-breaking change which adds functionality)

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

@fizy069
Add WWW-Authenticate scope extraction and 403 handling
2c60c65 
Implements scope parameter parsing from WWW-Authenticate headers and
403 insufficient_scope error handling per SEP-835.
@github-actions github-actions bot added T-core Core library changes T-transport Transport layer changes labels Dec 19, 2025
@fizy069 fizy069 marked this pull request as draft December 19, 2025 19:31
@fizy069 fizy069 marked this pull request as ready for review December 19, 2025 19:55
@fizy069
feat(auth): implement SEP-835 runtime scope upgrade flow
2d4310b 
- Add ScopeUpgradeConfig for configurable retry limits
- Track granted scopes in StoredCredentials and AuthorizationManager
- Implement scope union computation for progressive authorization
- Add request_scope_upgrade() for 403 insufficient_scope handling
- Add select_scopes() with WWW-Authenticate priority per SEP-835
- Export new types: ScopeUpgradeConfig, WWWAuthenticateParams, AuthClient
@fizy069 fizy069 mentioned this pull request Dec 20, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

T-core Core library changes T-transport Transport layer changes

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@fizy069