dify - ✅(Solved) Fix [Feature Request] Support custom scope input for MCP OAuth (Client Credentials) / Deadlock with strict IdPs like AWS Cognito [1 pull requests, 1 participants]

GitHub stats: langgenius/dify#34964, fetched 2026-04-12 13:38:06. Comments: 0, Participants: 1, Timeline: 1 (cross-referenced ×1), Reactions: 1.


PR fix notes

PR #34995: feat: support oauth scope param

Description (problem / solution / changelog)

[!IMPORTANT]

  1. Make sure you have read our contribution guidelines
  2. Ensure there is an associated issue and you have been assigned to it
  3. Use the correct syntax to link this PR: Fixes #<issue number>.

fix #34964

Summary

support oauth scope param in mcp oauth config page


Screenshots

Before / After (screenshot images not included)

Checklist

  • This change requires a documentation update, included: Dify Document
  • I understand that this PR may be closed in case there was no previous discussion or issues. (This doesn't apply to typos!)
  • I've added a test for each change that was introduced, and I tried as much as possible to make a single atomic change.
  • I've updated the documentation accordingly.
  • I ran make lint and make type-check (backend) and cd web && pnpm exec vp staged (frontend) to appease the lint gods

Changed files

  • api/core/entities/mcp_provider.py (modified, +5/-0)
  • api/services/tools/mcp_tools_manage_service.py (modified, +19/-5)
  • api/tests/unit_tests/core/entities/test_entities_mcp_provider.py (modified, +50/-0)
  • api/tests/unit_tests/services/tools/test_mcp_build_credentials.py (added, +117/-0)
  • web/app/components/app/app-access-control/__tests__/access-control-dialog.spec.tsx (modified, +0/-1)
  • web/app/components/app/app-access-control/__tests__/index.spec.tsx (modified, +0/-1)
  • web/app/components/base/app-icon-picker/ImageInput.tsx (modified, +1/-1)
  • web/app/components/base/image-uploader/image-list.tsx (modified, +0/-1)
  • web/app/components/base/markdown-blocks/__tests__/plugin-paragraph.spec.tsx (modified, +0/-1)
  • web/app/components/tools/mcp/hooks/use-mcp-modal-form.ts (modified, +5/-0)
  • web/app/components/tools/mcp/modal.tsx (modified, +5/-1)
  • web/app/components/tools/mcp/sections/__tests__/authentication-section.spec.tsx (modified, +37/-4)
  • web/app/components/tools/mcp/sections/authentication-section.tsx (modified, +16/-0)
  • web/app/components/tools/types.ts (modified, +1/-0)
  • web/i18n/en-US/tools.json (modified, +2/-0)
  • web/i18n/zh-Hans/tools.json (modified, +2/-0)

Self Checks

  • I have read the Contributing Guide and Language Policy.
  • I have searched for existing issues, including closed ones.
  • I confirm that I am using English to submit this report, otherwise it will be closed.
  • Please do not modify this template :) and fill in all the required fields.

1. Is this request related to a challenge you're experiencing? Tell me about your story.

1. Description

I am trying to connect an MCP server (AWS Bedrock AgentCore Gateway) to Dify using OAuth 2.0, with AWS Cognito acting as the Identity Provider (IdP). However, I have encountered a "deadlock" situation due to the current behavior of Dify's MCP server registration process and Cognito's strict security policies.

Currently, when adding an MCP server, Dify seems to force the Client Credentials flow during the initial discovery phase (to fetch the tool list) before any user interaction. This causes the following issues:

  1. If Cognito is set to allow Authorization Code ONLY: Dify gets an invalid_grant error because it tries to use Client Credentials for the initial background connection.
  2. If Cognito is set to allow Client Credentials: Cognito strictly requires a "Custom Scope" to be specified for Client Credentials flows. Since Dify currently does not have a UI field to specify a "Scope" for the Client Credentials flow, the request is rejected by Cognito with an invalid_scope error.

2. Steps to Reproduce

  1. Set up an MCP server (e.g., AWS Bedrock AgentCore Gateway).
  2. Set up AWS Cognito as the IdP.
    • Scenario A: Allow only Authorization Code.
    • Scenario B: Allow Client Credentials and set up a mandatory Custom Scope (e.g., gateway:invoke).
  3. In Dify, go to Add MCP Server.
  4. Input Auth URL, Client ID and Secret.
  5. Click "Save".
  6. See the error:
    • In Scenario A: Client credentials flow failed: HTTP 400 {"error":"invalid_grant"}
    • In Scenario B: Client credentials flow failed: HTTP 400 {"error":"invalid_scope"}

3. Expected Behavior

To resolve this deadlock, it would be highly appreciated if Dify could support either of the following:

  • Solution 1 (Ideal): Add an input field for "Scope" in the MCP OAuth configuration UI so that users can pass custom scopes during the Client Credentials flow.
  • Solution 2: Allow users to choose whether to use Authorization Code or Client Credentials for the initial server registration (Discovery) phase, or bypass the discovery auth if Authorization Code is selected.

4. Environment

  • Deployment: Dify Cloud (2026.04.11)

5. Context

Using AWS Cognito + AgentCore Gateway is becoming a standard enterprise architecture. Supporting custom scopes for background auth will significantly enhance Dify's capability to integrate with enterprise-grade secure backends.

Any advice or workarounds would be greatly appreciated!

2. Additional context or comments

No response

3. Can you help us with this feature?

  • I am interested in contributing to this feature.
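The two failure modes described in the issue, as an added example that is not part of the issue, the PR, or Dify's code: it builds a client-credentials token request (RFC 6749 section 4.4) that only includes `scope` when one is configured, and interprets the `invalid_grant` / `invalid_scope` responses. The "strict IdP" function is a constructed stand-in for the two Cognito policies the issue describes, not AWS code; `gateway:invoke` is the example scope from the issue.

```python
# Added example, not Dify's or AWS's code: RFC 6749 s4.4 client-credentials
# request with optional scope, plus a constructed "strict IdP" that mimics the
# two Cognito policies from the issue (Scenario A / Scenario B).
from typing import Optional
from urllib.parse import parse_qs, urlencode

def build_client_credentials_body(client_id: str, client_secret: str,
                                  scope: Optional[str] = None) -> str:
    """Form body for POST to the token endpoint; scope is sent only when set."""
    params = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }
    if scope and scope.strip():
        params["scope"] = " ".join(scope.split())  # scopes are space-delimited
    return urlencode(params)

def strict_idp_token_endpoint(body: str, allowed_grants: set, scope_required: bool):
    """Constructed simulation of the IdP; returns (HTTP status, JSON payload)."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("grant_type") not in allowed_grants:
        return 400, {"error": "invalid_grant"}   # Scenario A: grant type not allowed
    if scope_required and not form.get("scope"):
        return 400, {"error": "invalid_scope"}   # Scenario B: mandatory scope missing
    return 200, {"access_token": "constructed-token", "token_type": "Bearer",
                 "scope": form.get("scope")}

def explain_token_error(status: int, payload: dict) -> str:
    """Map the IdP error to the configuration change that resolves it."""
    if status == 200:
        return "ok"
    err = payload.get("error")
    if err == "invalid_grant":
        return "client_credentials not allowed by IdP: enable it, or use authorization_code for discovery"
    if err == "invalid_scope":
        return "IdP requires a scope for client_credentials: set the custom scope (e.g. gateway:invoke)"
    return f"unexpected error: {err}"

def run_scenarios(client_id: str, client_secret: str, scope: Optional[str]) -> dict:
    """Run both scenarios from the issue against one request body."""
    body = build_client_credentials_body(client_id, client_secret, scope)
    results = {}
    results["A"] = explain_token_error(*strict_idp_token_endpoint(body, {"authorization_code"}, False))
    results["B"] = explain_token_error(*strict_idp_token_endpoint(body, {"client_credentials"}, True))
    return results
```

With no scope configured, Scenario B fails exactly as the issue reports; supplying the custom scope makes Scenario B succeed while Scenario A still needs the grant type enabled or a different discovery flow.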

Extent analysis

TL;DR

To resolve the deadlock, Dify could support adding an input field for "Scope" in the MCP OAuth configuration UI or allow users to choose the authentication flow for the initial server registration.

Guidance

  • Consider modifying the Dify MCP server registration process to support custom scopes for Client Credentials flows by adding a "Scope" input field in the UI.
  • Alternatively, allow users to select the authentication flow (Authorization Code or Client Credentials) for the initial server registration or bypass discovery auth if Authorization Code is chosen.
  • Verify the fix by testing both scenarios (allowing only Authorization Code and allowing Client Credentials with a custom scope) and ensuring that the invalid_grant and invalid_scope errors are resolved.
  • If contributing to the feature, review the Dify Cloud deployment (2026.04.11) and AWS Cognito documentation to ensure compatibility and adherence to security policies.

Notes

The provided solutions (adding a "Scope" input field or allowing users to choose the authentication flow) are based on the described behavior and errors. However, the actual implementation may require additional considerations, such as handling different authentication flows and scopes.

Recommendation

Apply a workaround by modifying the Dify MCP server registration process to support custom scopes or allow users to choose the authentication flow, as this would resolve the deadlock situation and enhance Dify's capability to integrate with enterprise-grade secure backends.
