Description
OpenCode appears to ignore oauth.scope for remote MCP servers that use a pre-registered OAuth client.
With a remote MCP config that includes both oauth.clientId and oauth.scope, running opencode mcp auth <name> generates an OAuth authorization URL that does not include a scope parameter.
At runtime, the client clearly reads oauth.clientId because it behaves as if dynamic registration is skipped, but oauth.scope is not propagated into the authorization request.
This causes standards-compliant OAuth providers to reject the flow because the request is missing the required scope.
Expected behavior:
OpenCode should include the configured oauth.scope in the generated authorization URL and use it consistently throughout the OAuth flow for pre-registered remote MCP servers.
Additional note:
Manual token injection into the local OpenCode MCP auth cache allows the MCP server to work afterward, which suggests the failure is in OpenCode's OAuth flow rather than in general MCP connectivity.
Plugins
No response
OpenCode version
No response
Steps to reproduce
- Configure any OAuth-protected remote MCP server with:
type: "remote"url: "<oauth-protected-mcp-endpoint>"oauth.clientIdoauth.scope
- Run
opencode mcp auth <name>
- Inspect the generated authorization URL or runtime logs
- Observe that the URL includes parameters such as
response_type, client_id, code_challenge, redirect_uri, and state, but does not include scope
- Complete the provider login and observe that the OAuth provider rejects the flow because
scope is missing
Screenshot and/or share link
No response
Operating System
Linux
Terminal
Alacritty
Description
OpenCode appears to ignore
oauth.scopefor remote MCP servers that use a pre-registered OAuth client.With a remote MCP config that includes both
oauth.clientIdandoauth.scope, runningopencode mcp auth <name>generates an OAuth authorization URL that does not include ascopeparameter.At runtime, the client clearly reads
oauth.clientIdbecause it behaves as if dynamic registration is skipped, butoauth.scopeis not propagated into the authorization request.This causes standards-compliant OAuth providers to reject the flow because the request is missing the required
scope.Expected behavior:
OpenCode should include the configured
oauth.scopein the generated authorization URL and use it consistently throughout the OAuth flow for pre-registered remote MCP servers.Additional note:
Manual token injection into the local OpenCode MCP auth cache allows the MCP server to work afterward, which suggests the failure is in OpenCode's OAuth flow rather than in general MCP connectivity.
Plugins
No response
OpenCode version
No response
Steps to reproduce
type: "remote"url: "<oauth-protected-mcp-endpoint>"oauth.clientIdoauth.scopeopencode mcp auth <name>response_type,client_id,code_challenge,redirect_uri, andstate, but does not includescopescopeis missingScreenshot and/or share link
No response
Operating System
Linux
Terminal
Alacritty