[go: up one dir, main page]
Skip to content

Use mcp as default scope in OAuth2 dynamic client registration

The GitLab MCP server currently relies on the client to provide the mcp scope. This can easily be done explicitly with mcp-remote when using stdio transport with most agents. We also document it like this, e.g.:

{
  "mcpServers": {
    "GitLab": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote",
        "https://<gitlab.example.com>/api/v4/mcp",
        "--static-oauth-client-metadata",
        "{\"scope\": \"mcp\"}"
      ]
    }
  }
}

It would be great if we wouldn't rely on npx and mcp-remote and use HTTP streaming directly. This doesn't work for lots of tools because of the missing support providing static OAuth2 client registration scopes.

However, the GitLab OAuth2 dynamic client registration "server" could assume a default set of scopes if no scopes are provided like specified in RFC 7591:

scope
    String containing a space-separated list of scope values (as
    described in Section 3.3 of OAuth 2.0 [RFC6749]) that the client
    can use when requesting access tokens. The semantics of values in
    this list are service specific. If omitted, an authorization
    server MAY register a client with a default set of scopes.

If we'd support this default scopes, we can configure the GitLab MCP server in e.g. Claude Code like this:

{
  "mcpServers": {
    "GitLab": {
      "type": "http",
      "url": "https://<gitlab.example.com>/api/v4/mcp"
    }
  }
}

Which:

  • simplifies config
  • uses HTTP streaming
  • doesn't rely on npx
  • doesn't rely on mcp-remote
Edited by 🤖 GitLab Bot 🤖