Validate Sufficient Scope

πŸ‘¨β€πŸ’Ό Some users are authenticating with no scopes which results in having a valid token, but not enough permissions to actually do anything useful with the MCP server. It would be better if we could let them know up front that they don't have enough permissions and need a new token with the appropriate scopes.
To do this, you return a 403 Forbidden response with the appropriate WWW-Authenticate header:
```ts
// A music streaming app might check scopes like this
const requiredScopes = ['music:read', 'playlists:write']
const userScopes = ['music:read'] // User only has read access

const hasRequiredScopes = requiredScopes.every((scope) =>
	userScopes.includes(scope),
)

if (!hasRequiredScopes) {
	return new Response('Forbidden', {
		status: 403,
		headers: {
			'WWW-Authenticate': [
				`Bearer realm="MusicApp"`,
				`error="insufficient_scope"`,
				`scopes="${requiredScopes.join(' ')}"`,
			].join(', '),
		},
	})
}
```
The WWW-Authenticate header includes:
  • The realm (MusicApp)
  • The error type (insufficient_scope)
  • The required scopes (music:read playlists:write)
However, the scopes auth param is tricky for us because there is actually a list of valid scope combinations, any one of which is enough to use the MCP server. There's no established pattern for expressing alternatives in that param, so we'll skip the scopes auth param and instead include an error_description that explains which scope combinations are valid.
Sequence diagram (participants: Client, MCP_Server, Auth_Server):
  • Client → MCP_Server: Request with valid token
  • MCP_Server → Auth_Server: Introspect token
  • Auth_Server → MCP_Server: Token info + scopes
  • MCP_Server: Check hasSufficientScope()
  • alt [Has sufficient scope]: MCP_Server → Client: Success - MCP server access granted
  • alt [Insufficient scope]: MCP_Server → Client: 403 Forbidden with scope requirements
📜 For more details on OAuth scope validation and error handling, see the OAuth 2.0 Authorization Framework RFC and OAuth 2.0 Bearer Token Usage RFC.
πŸ§β€β™€οΈ I created a minimalValidScopeCombinations array and a hasSufficientScope function for you to use. It's just hard to describe what you should do, but simple once you see it. Feel free to check out my changes if you want.
Now, let's implement the scope validation logic to ensure only properly authorized clients can access the EpicMe MCP server!