Bug Description

This appears to be a follow-up issue after the fix for #29147.

The original MCP OAuth/DCR failure described in #29147 is now fixed for me. n8n no longer fails with:

No supported grant type and authentication method found

With Calendly MCP, n8n now gets further. It appears to successfully perform Dynamic Client Registration and generate the Calendly authorization URL.

However, the generated authorization URL includes:

scope=openid

Calendly MCP then rejects the authorization request with:

The requested scope is invalid, unknown, or malformed.

If I manually remove only this part from the generated authorization URL:

&scope=openid

the Calendly authorization page loads successfully and the OAuth flow can continue.

So the remaining issue appears to be that n8n’s MCP OAuth/DCR flow is defaulting to the OpenID Connect scope “openid”, even though the Calendly MCP server does not support or advertise OpenID Connect.

Calendly MCP appears to reject openid correctly because it is not an advertised or supported scope for the Calendly MCP OAuth flow. The issue is that n8n appears to be adding openid automatically during MCP OAuth/DCR, even though this is not an OIDC flow.

This is now manually workable by deleting &scope=openid from the browser URL, but it will fail for normal users who follow the generated n8n authorization flow.

To Reproduce

1. Create an MCP OAuth2 API credential in n8n.
2. Enable Dynamic Client Registration.
3. Use the Calendly MCP server URL: https://mcp.calendly.com
4. Start the OAuth connection flow.
5. n8n redirects to Calendly with an authorization URL containing scope=openid.
6. Calendly rejects the request with an invalid scope error.
7. Manually remove &scope=openid from the URL.
8. The Calendly authorization page loads successfully.

Expected behavior

When using MCP OAuth/DCR with a provider that does not advertise or support OpenID Connect, n8n should not add:

scope=openid

to the authorization URL by default.

Expected behaviour would likely be one of:

1. omit the scope parameter from the authorization URL when no scope is explicitly configured or required, or
2. use the MCP scopes discovered from the protected resource metadata, rather than defaulting to openid.

For Calendly MCP specifically, the documented MCP scopes are:

mcp:scheduling:read
mcp:scheduling:write

Calendly’s MCP documentation also says DCR clients do not need to include scope/scopes in the registration request, because the MCP scopes are attached server-side.

Debug Info

Debug info

core

• n8nVersion: 2.20.6
• platform: docker (self-hosted)
• nodeJsVersion: 24.14.1
• nodeEnv: production
• database: postgres
• executionMode: scaling (single-main)
• concurrency: -1
• license: enterprise (production)
• consumerId: 95366640-4c74-47f5-ad77-c77209e4c893

storage

• success: all
• error: all
• progress: false
• manual: true
• binaryMode: filesystem

pruning

• enabled: true
• maxAge: 168 hours
• maxCount: 10000 executions

client

• userAgent: mozilla/5.0 (macintosh; intel mac os x 10_15_7) applewebkit/537.36 (khtml, like gecko) chrome/147.0.0.0 safari/537.36
• isTouchDevice: false

cluster

• instanceCount: 2
• versions: 2.20.6
• instances:
  • instanceKey: 4e7212f1-fba4-444e-ae2a-941d630bf8f3, hostId: worker-0b80fb1e2514, instanceType: worker, instanceRole: unset, version: 2.20.6
  • instanceKey: aa0bb16e-394c-4be1-a9f9-86757b7dc3da, hostId: main-826bb648d875, instanceType: main, instanceRole: leader, version: 2.20.6
• checks:
  • check: hostid-clash, status: succeeded, warnings: -
  • check: lifecycle, status: succeeded, warnings: -
  • check: split-brain, status: succeeded, warnings: -
  • check: version-mismatch, status: succeeded, warnings: -

Generated at: 2026-05-09T08:35:00.290Z

Operating System

Ubuntu 24.04.4 LTS

n8n Version

2.20.6

Node.js Version

24.14.1

Database

PostgreSQL

Execution mode

main (default)

Hosting

self hosted