From 1563917b6b31346d03cfa4abe6696479c137d926 Mon Sep 17 00:00:00 2001
From: Xiao Yijun
Date: Thu, 10 Jul 2025 11:43:24 +0800
Subject: [PATCH] fix: use `scopes_supported` in OAuth server metadata
---
 mcpauth/config.py | 7 ++++++-
 tests/utils/fetch_server_config_test.py | 4 ++++
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/mcpauth/config.py b/mcpauth/config.py
index b42b019..e6714a4 100644
--- a/mcpauth/config.py
+++ b/mcpauth/config.py
@@ -138,7 +138,12 @@ class AuthorizationServerMetadata(BaseModel):
 [[RFC7591](https://www.rfc-editor.org/rfc/rfc7591)].
 """
- scope_supported: Optional[List[str]] = None
+ scopes_supported: Optional[List[str]] = None
+ """
+ JSON array containing a list of the OAuth 2.0 `scope` values that this authorization
+ server supports.
+ [[RFC8414](https://datatracker.ietf.org/doc/html/rfc8414#section-2)]
+ """
 response_types_supported: List[str]
 """
diff --git a/tests/utils/fetch_server_config_test.py b/tests/utils/fetch_server_config_test.py
index ccf4de2..f25276b 100644
--- a/tests/utils/fetch_server_config_test.py
+++ b/tests/utils/fetch_server_config_test.py
@@ -65,6 +65,7 @@ def test_fetch_server_config_by_well_known_url_success_with_transpile(self):
 "issuer": sample_issuer,
 "authorization_endpoint": "https://example.com/oauth/authorize",
 "token_endpoint": "https://example.com/oauth/token",
+ "scopes_supported": ["scope1", "scope2", "scope3"],
 }
 responses.add(responses.GET, url=sample_well_known_url, json=sample_response)
@@ -83,6 +84,7 @@ def test_fetch_server_config_by_well_known_url_success_with_transpile(self):
 )
 assert config.metadata.token_endpoint == "https://example.com/oauth/token"
 assert config.metadata.response_types_supported == ["code"]
+ assert config.metadata.scopes_supported == ["scope1", "scope2", "scope3"]
 @responses.activate
 def test_fetch_server_config_oauth_success(self):
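Review bot: The new docstring on `scopes_supported` in mcpauth/config.py does not say what `None` or a short list means, so a caller could read the field as the complete set of scopes the server will grant. RFC 8414 marks the parameter as RECOMMENDED and lets a server leave out scopes it supports, so I would add a sentence such as `Optional and advisory: the server may omit this field or leave out scopes it supports, so do not base authorization decisions on it.` Renaming the attribute also breaks any code that still reads `metadata.scope_supported`; whether such callers exist is not visible in this hunk, and the class body continues outside it.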
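Review bot: The `scopes_supported` fixture added at -65 in tests/utils/fetch_server_config_test.py, and the matching additions in the hunks at -83, -144 and -159, exercise only a well-formed list of strings. Nothing in these hunks covers metadata that omits the key, where `config.metadata.scopes_supported is None` would be the expected result, or a response that sends a non-list value such as `"scopes_supported": "openid profile"`, which the `Optional[List[str]]` annotation suggests should be rejected. Since this document is fetched from a remote server, I would add one test for each case; how a validation error surfaces from the fetch helper is not visible here, and other tests in the file may already cover the missing-key case.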
@@ -144,6 +146,7 @@ def test_fetch_server_config_oidc_success(self):
 "authorization_endpoint": "https://example.com/authorize",
 "token_endpoint": "https://example.com/token",
 "response_types_supported": ["code"],
+ "scopes_supported": ["openid", "profile", "email"],
 }
 responses.add(
@@ -159,6 +162,7 @@ def test_fetch_server_config_oidc_success(self):
 assert config.metadata.authorization_endpoint == "https://example.com/authorize"
 assert config.metadata.token_endpoint == "https://example.com/token"
 assert config.metadata.response_types_supported == ["code"]
+ assert config.metadata.scopes_supported == ["openid", "profile", "email"]
 @responses.activate
 def test_fetch_server_config_oidc_with_path_success(self):