Pass OAuth scopes_supported through to PKCE middleware (v0.6.12)

rustyconover · claude · rustyconover · commit 596e2aacc2a4 · 2026-04-10T18:42:16.000-04:00
Use the resource metadata's advertised scopes when initializing the
OAuth PKCE middleware so authorization requests match what the server
publishes, falling back to "openid email" when scopes are unset.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "vgi-rpc"
-version = "0.6.11"
+version = "0.6.12"
 description = "Vector Gateway Interface - RPC framework based on Apache Arrow"
 readme = "README.md"
 requires-python = ">=3.13"
diff --git a/vgi_rpc/http/_server.py b/vgi_rpc/http/_server.py
@@ -2234,6 +2234,11 @@ def make_wsgi_app(
         _pkce_client_id: str = _validated_oauth_metadata.client_id
         _pkce_client_secret = _validated_oauth_metadata.client_secret
         _pkce_use_id_token = _validated_oauth_metadata.use_id_token_as_bearer
+        _pkce_scope = (
+            " ".join(_validated_oauth_metadata.scopes_supported)
+            if _validated_oauth_metadata.scopes_supported
+            else "openid email"
+        )
         _exempt_prefixes = (f"{prefix}/_oauth/",)
         _pkce_active = True
         _pkce_user_info_html = build_user_info_html(prefix)
@@ -2263,6 +2268,7 @@ def make_wsgi_app(
                     prefix=prefix,
                     secure_cookie=_pkce_secure,
                     redirect_uri=_pkce_redirect_uri,
+                    scope=_pkce_scope,
                 )
             )
     if capability_headers:
