Issue Station
Sign In
Tools hereToolbox

codex - 💡(How to fix) Fix MCP OAuth login does not include scopes during dynamic client registration [1 participants]

Official PRs (…)
ON THIS PAGE

Recommended Tools

×6

Utilities matched from this issue’s tags and category — try them while you read without losing context.

GitHub issue graph ai analysis

Paste a GitHub issue URL. We fetch that issue, discover linked issues from bodies/comments/timeline, collect linked pull requests, and produce a structured English report.

The report is written in English Markdown for sharing and archival.

Helpful · Quick feedback

Loading…
GitHub stats
openai/codex#20503Fetched 2026-05-01 05:42:25
View on GitHub
Comments
0
Participants
1
Timeline
4
Reactions
0
Author
yqiangyqiang
Participants
yqiangyqiang
Timeline (top)
labeled ×4

codex mcp login --scopes ... does not appear to include the requested scopes in the OAuth dynamic client registration request. This prevents login to Fastmail's remote MCP server, because Fastmail requires a scope value during registration.

Error Message

Error: Registration failed: Dynamic registration failed: Registration failed: HTTP 400 Bad Request: {"error_description":"invalid_request no scope","error":"invalid_request"}

Root Cause

codex mcp login --scopes ... does not appear to include the requested scopes in the OAuth dynamic client registration request. This prevents login to Fastmail's remote MCP server, because Fastmail requires a scope value during registration.

Code Example

codex mcp add fastmail --url https://api.fastmail.com/mcp
codex mcp login fastmail --scopes https://www.fastmail.com/dev/mcp,offline_access

---

codex mcp login --scopes https://www.fastmail.com/dev/mcp,offline_access fastmail

---

codex mcp login fastmail \
  -c 'mcp_servers.fastmail.scopes=["https://www.fastmail.com/dev/mcp","offline_access"]' \
  -c 'mcp_servers.fastmail.oauth_resource="https://api.fastmail.com/mcp"'

---

Error: Registration failed: Dynamic registration failed: Registration failed: HTTP 400 Bad Request: {"error_description":"invalid_request no scope","error":"invalid_request"}

---

{
  "scope": "https://www.fastmail.com/dev/mcp offline_access"
}

---

{
  "resource": "https://api.fastmail.com/mcp",
  "authorization_servers": ["https://api.fastmail.com"],
  "scopes_supported": [
    "https://www.fastmail.com/dev/mcp",
    "offline_access"
  ]
}

---

{
  "registration_endpoint": "https://api.fastmail.com/oauth/register",
  "authorization_endpoint": "https://api.fastmail.com/oauth/authorize",
  "token_endpoint": "https://api.fastmail.com/oauth/refresh",
  "scopes_supported": [
    "urn:ietf:params:oauth:scope:mail",
    "urn:ietf:params:oauth:scope:contacts",
    "urn:ietf:params:oauth:scope:calendars",
    "https://www.fastmail.com/dev/mcp",
    "offline_access"
  ],
  "token_endpoint_auth_methods_supported": ["none"],
  "code_challenge_methods_supported": ["S256"]
}
RAW_BUFFERClick to expand / collapse

Summary

codex mcp login --scopes ... does not appear to include the requested scopes in the OAuth dynamic client registration request. This prevents login to Fastmail's remote MCP server, because Fastmail requires a scope value during registration.

Environment

  • codex-cli 0.128.0
  • macOS 26.4.1
  • Remote MCP server: https://api.fastmail.com/mcp

Reproduction

codex mcp add fastmail --url https://api.fastmail.com/mcp
codex mcp login fastmail --scopes https://www.fastmail.com/dev/mcp,offline_access

The same failure occurs if the scopes are passed before the server name:

codex mcp login --scopes https://www.fastmail.com/dev/mcp,offline_access fastmail

The same failure also occurs when setting scopes via config override:

codex mcp login fastmail \
  -c 'mcp_servers.fastmail.scopes=["https://www.fastmail.com/dev/mcp","offline_access"]' \
  -c 'mcp_servers.fastmail.oauth_resource="https://api.fastmail.com/mcp"'

Actual Behavior

Error: Registration failed: Dynamic registration failed: Registration failed: HTTP 400 Bad Request: {"error_description":"invalid_request no scope","error":"invalid_request"}

Expected Behavior

The dynamic client registration request to https://api.fastmail.com/oauth/register should include the requested scopes, probably as a space-delimited scope string:

{
  "scope": "https://www.fastmail.com/dev/mcp offline_access"
}

Validation

Fastmail's MCP protected-resource metadata advertises these scopes:

{
  "resource": "https://api.fastmail.com/mcp",
  "authorization_servers": ["https://api.fastmail.com"],
  "scopes_supported": [
    "https://www.fastmail.com/dev/mcp",
    "offline_access"
  ]
}

Fastmail's OAuth authorization-server metadata also advertises both scopes and supports dynamic registration:

{
  "registration_endpoint": "https://api.fastmail.com/oauth/register",
  "authorization_endpoint": "https://api.fastmail.com/oauth/authorize",
  "token_endpoint": "https://api.fastmail.com/oauth/refresh",
  "scopes_supported": [
    "urn:ietf:params:oauth:scope:mail",
    "urn:ietf:params:oauth:scope:contacts",
    "urn:ietf:params:oauth:scope:calendars",
    "https://www.fastmail.com/dev/mcp",
    "offline_access"
  ],
  "token_endpoint_auth_methods_supported": ["none"],
  "code_challenge_methods_supported": ["S256"]
}

I manually tested Fastmail dynamic client registration with an explicit scope field, and Fastmail returned HTTP 201, so the scope values themselves are accepted. The issue seems to be that Codex's --scopes are not sent during the dynamic client registration step.

extent analysis

TL;DR

The codex mcp login command is not including the requested scopes in the OAuth dynamic client registration request, causing a registration failure.

Guidance

  • Verify that the --scopes flag is correctly formatted and supported by the codex mcp login command.
  • Check the Codex documentation to see if there are any known issues or limitations with scope handling in dynamic client registration.
  • Test the registration request manually using a tool like curl to confirm that the issue is specific to the codex mcp login command.
  • Consider filing an issue with the Codex project to report the problem and request assistance with scope handling.

Example

No code snippet is provided as the issue seems to be related to the codex mcp login command's handling of scopes, rather than a code-specific problem.

Notes

The issue appears to be specific to the codex mcp login command and its handling of scopes during dynamic client registration. The Fastmail API and OAuth authorization server seem to be configured correctly, as manual testing with an explicit scope field returns a successful response.

Recommendation

Apply workaround: Manually test and verify the registration request using a tool like curl to ensure that the scope values are correctly formatted and accepted by the Fastmail API. If the issue persists, consider filing an issue with the Codex project to request assistance with scope handling.

Vote matrix · Quick signals

Works
Did the solution work? Tap to confirm.
Easy Fix
Was it a quick fix?
Time Saver
Did it save you time?
Blocking
Was it severely blocking?
Common Issue
Are others likely hitting this too?
Flaky / Intermittent
Is it intermittent?
Verified / Reproducible
Can you reproduce it reliably?
Loading…
#api#conversation history#tool integration#LLM response#prompt template

Still need to ship something?

×6

Another batch ranked right after the header list — different links, same matching logic.

Back to top recommendations

TRENDING

codex - 💡(How to fix) Fix MCP OAuth login does not include scopes during dynamic client registration [1 participants]