MCP OAuth Step-Up Trace Reviewer
Paste a redacted MCP OAuth trace and check whether a client really responded to 403 insufficient_scope with a new authorization attempt, accumulated scopes, and one retry of the original request.
Review order
1. Find the challenge. Look for the 403 status, the `insufficient_scope` error, and the `scope` value in the `WWW-Authenticate` header.
2. Check metadata. Confirm protected-resource metadata is present, but do not treat a metadata refresh as step-up.
3. Require reauthorization. After the challenge, the trace should show an authorization request or an authorization-code exchange before the retry.
Use redacted logs only. Do not paste keys, cookies, grants, credential values, customer records, private endpoints, private screenshots, payment data, full names, private handles, or full transaction identifiers. This page runs locally in the browser and does not use network requests, browser storage, or a backend.
Regression checks to add
- When a protected tool returns 403 insufficient_scope, parse the challenge from WWW-Authenticate.
- Start a new authorization flow after the 403. A metadata fetch alone is not enough evidence.
- Build the elevated scope set as a superset of the previous base scopes plus the challenged operation scope.
- Retry the original request once with the elevated grant and preserve a clear failure message if the user declines.
- Keep the managed-connector reconnect UI explicit when the client cannot step up silently.
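The review order above and the regression checks it feeds can be run as code. The block below is an added example, not the page's own reviewer or any MCP SDK code: it parses a redacted trace, locates the 403 insufficient_scope challenge, notes a metadata fetch without counting it as step-up, requires an /authorize request or /token exchange before the retry, checks that the elevated scope request keeps the base scopes plus the challenged scope, and counts retries of the original request. The trace line format (">" client to server, "<" server to client, tool calls written as `tools/call tool=<name>`) and the three sample traces are constructed for this example.

```javascript
// Added example (not the page's tool code): a minimal reviewer for redacted
// MCP OAuth step-up traces. The trace format is an assumption of this example:
// one event per line, ">" for client->server, "<" for server->client, and
// tool calls written as "tools/call tool=<name>" so a retry can be matched.

// Parse a WWW-Authenticate value such as
//   Bearer error="insufficient_scope", scope="mcp:read mcp:delete"
// into { scheme, params, scope[] }.
function parseChallenge(headerValue) {
  const m = /^\s*(\S+)\s*(.*)$/.exec(headerValue);
  if (!m) return null;
  const params = {};
  const re = /(\w+)\s*=\s*(?:"([^"]*)"|([^,\s]+))/g;
  let p;
  while ((p = re.exec(m[2])) !== null) params[p[1]] = p[2] !== undefined ? p[2] : p[3];
  const scope = params.scope ? params.scope.split(/\s+/).filter(Boolean) : [];
  return { scheme: m[1], params, scope };
}

// Pull the scope parameter out of an /authorize request line ("+" or "%20" separated).
function scopesFromRequest(line) {
  const m = /[?&]scope=([^&\s]+)/.exec(line);
  if (!m) return null;
  return decodeURIComponent(m[1].replace(/\+/g, " ")).split(/\s+/).filter(Boolean);
}

const toolOf = (line) => (/\btool=(\S+)/.exec(line) || [])[1];

// Review one trace. baseScopes are the scopes the client already held before
// the challenge; the elevated request must keep them and add the challenged ones.
function reviewTrace(traceText, baseScopes) {
  const lines = traceText.split("\n").map((l) => l.trim()).filter(Boolean);
  const r = { challenge: null, metadataFetched: false, reauthorized: false,
              requestedScopes: null, retries: 0, retryBeforeAuth: false,
              failures: [], warnings: [], pass: false };

  // Step 1: find the challenge, a 403 whose next line is a WWW-Authenticate
  // header carrying error="insufficient_scope".
  let challengeAt = -1, lastRequest = null, originalRequest = null;
  for (let i = 0; i < lines.length && challengeAt < 0; i++) {
    if (lines[i].startsWith(">")) lastRequest = lines[i];
    if (!lines[i].startsWith("<") || !/\b403\b/.test(lines[i])) continue;
    const h = /^<\s*WWW-Authenticate:\s*(.+)$/i.exec(lines[i + 1] || "");
    const ch = h ? parseChallenge(h[1]) : null;
    if (ch && ch.params.error === "insufficient_scope") {
      challengeAt = i; r.challenge = ch; originalRequest = lastRequest;
    }
  }
  if (challengeAt < 0) { r.failures.push("no 403 insufficient_scope challenge found"); return r; }
  const originalTool = originalRequest ? toolOf(originalRequest) : undefined;

  // Steps 2-3: walk the client requests after the challenge. A metadata fetch
  // is noted but does not count as step-up; only /authorize or /token does.
  for (let i = challengeAt + 1; i < lines.length; i++) {
    const l = lines[i];
    if (!l.startsWith(">")) continue;
    if (/\/\.well-known\/oauth-(protected-resource|authorization-server)/.test(l)) r.metadataFetched = true;
    if (/\/authorize\b/.test(l)) { r.reauthorized = true; r.requestedScopes = scopesFromRequest(l) || r.requestedScopes; }
    if (/\/token\b/.test(l)) r.reauthorized = true;
    if (originalTool && toolOf(l) === originalTool) {
      r.retries++;
      if (!r.reauthorized) r.retryBeforeAuth = true;
    }
  }

  if (!r.metadataFetched) r.warnings.push("protected-resource metadata was not fetched after the challenge");
  if (!r.reauthorized) r.failures.push("no authorization or token exchange after the challenge (metadata fetch alone is not step-up)");
  if (r.retryBeforeAuth) r.failures.push("original request retried before any reauthorization");
  if (r.retries !== 1) r.failures.push(`expected exactly one retry of the original request, saw ${r.retries}`);
  if (r.requestedScopes) {
    const required = new Set([...baseScopes, ...r.challenge.scope]);
    const missing = [...required].filter((s) => !r.requestedScopes.includes(s));
    if (missing.length) r.failures.push(`elevated scope request drops scopes: ${missing.join(" ")}`);
  }
  r.pass = r.failures.length === 0;
  return r;
}

// Constructed sample traces (redacted, not real logs).
const GOOD_TRACE = `
> POST /tools/call tool=delete_record
< 403 Forbidden
< WWW-Authenticate: Bearer error="insufficient_scope", scope="mcp:delete", resource_metadata="/.well-known/oauth-protected-resource"
> GET /.well-known/oauth-protected-resource
< 200 OK
> GET /authorize?response_type=code&scope=mcp:read+mcp:delete&state=[redacted]
< 302 Found
> POST /token grant_type=authorization_code
< 200 OK
> POST /tools/call tool=delete_record
< 200 OK
`;

// Client refreshes metadata, then just retries; it never reauthorizes.
const METADATA_ONLY_TRACE = `
> POST /tools/call tool=delete_record
< 403 Forbidden
< WWW-Authenticate: Bearer error="insufficient_scope", scope="mcp:delete"
> GET /.well-known/oauth-protected-resource
< 200 OK
> POST /tools/call tool=delete_record
< 403 Forbidden
< WWW-Authenticate: Bearer error="insufficient_scope", scope="mcp:delete"
> POST /tools/call tool=delete_record
< 403 Forbidden
`;

// Client reauthorizes but asks only for the challenged scope, dropping mcp:read.
const OVERWRITE_TRACE = `
> POST /tools/call tool=delete_record
< 403 Forbidden
< WWW-Authenticate: Bearer error="insufficient_scope", scope="mcp:delete"
> GET /authorize?response_type=code&scope=mcp:delete&state=[redacted]
< 302 Found
> POST /token grant_type=authorization_code
< 200 OK
> POST /tools/call tool=delete_record
< 200 OK
`;

for (const [name, t] of [["good", GOOD_TRACE], ["metadata-only", METADATA_ONLY_TRACE], ["overwrite", OVERWRITE_TRACE]]) {
  const r = reviewTrace(t, ["mcp:read"]);
  console.log(name, r.pass ? "PASS" : "FAIL", r.failures, r.warnings);
}
```

The metadata-only trace fails on three counts (no reauthorization, a retry before any authorization, and two retries instead of one) while still recording that metadata was fetched, which is exactly the pattern the second review step warns against. The overwrite trace passes every step-up check except scope accumulation, so a reviewer sees the dropped base scope named in the failure rather than a generic verdict.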
Source-backed problem set
Claude Code step-up issue
Public issue describing 403 insufficient_scope without browser reauthorization or token exchange.
Scope accumulation issue
Public SDK issue describing overwrite risk during progressive authorization.
Official MCP authorization spec
Scope challenge handling and protected resource metadata reference.