The error “Not all requested permissions were granted” and the “403 Forbidden” on the callback strongly suggest a **mismatch between the custom scopes requested by the ChatGPT application (the client) and the scopes defined and associated with the user in your Auth0 tenant**.
The ChatGPT application is expecting specific permissions (model.request, model.read, etc.) to be present in the Access Token, but your Auth0 server isn’t including them.
To resolve this, ensure that the custom scopes are correctly configured in Auth0 and that your MCP server is using the correct Auth0 Audience.
Step 1: Define the API and Custom Scopes
Go to your Auth0 Dashboard > Applications > APIs.
Select or create the API that represents your MCP server (e.g., “My MCP API”).
The Identifier (Audience) for this API must match the Audience value you configured in the ChatGPT OAuth configuration.
Under the Permissions tab of this API, you must explicitly define all the custom scopes ChatGPT is requesting:
- model.request
- model.read
- organization.read
- organization.write
Step 2: Grant Permissions via an Action
By default, Auth0 does not automatically include custom scopes in the Access Token unless they are associated with the user. You should use a Post Login Action to explicitly grant these permissions based on your application’s logic (e.g., if the user is a member of a particular group).
Go to Auth0 Dashboard > Actions > Flows > Login.
Click + to create or select a Post Login Action.
Add the following code to your Action. This example grants all scopes to the user. You should adapt this logic to fit your actual authorization rules.
```javascript
/**
 * Handler that will be called during the execution of a PostLogin flow.
 *
 * @param {Event} event - Details about the user and the context of the login.
 * @param {PostLoginAPI} api - Interface to modify the token.
 */
exports.onExecutePostLogin = async (event, api) => {
  // Check if the current token request is for your MCP API
  if (event.request.query.audience === 'YOUR_MCP_API_IDENTIFIER') {
    // Add the scopes to the Access Token
    // IMPORTANT: Only grant scopes the user is authorized for.
    api.accessToken.addScope('model.request');
    api.accessToken.addScope('model.read');
    api.accessToken.addScope('organization.read');
    api.accessToken.addScope('organization.write');
  }

  // Example for adding a claim to the ID Token/User Profile
  // if (event.request.query.scope.includes('profile')) {
  //   api.idToken.setCustomClaim('https://example.com/org_id', event.user.app_metadata.org_id);
  // }
};
```
Replace `YOUR_MCP_API_IDENTIFIER` with the Audience from Step 1.
Deploy the Action.
If you have any further questions, please don’t hesitate to reach out.
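As an added example (not code from the original answer or from Auth0), here is one way to adapt the Action so that it grants only the scopes the client actually requested and the user's Auth0 roles entitle them to, rather than every scope unconditionally. The role names in `SCOPES_BY_ROLE` and the audience value are assumptions; `runLocally` is a constructed stand-in for the Auth0 `api` object so the handler can be exercised outside the tenant.

```javascript
// Added example, not from the original post: least-privilege variant of the Action.
// Only the scopes that are BOTH requested by the client AND allowed by the user's
// roles are added, and only when the token is for the MCP API.
const MCP_API_AUDIENCE = 'YOUR_MCP_API_IDENTIFIER'; // replace with the API Identifier from Step 1

// Hypothetical mapping from Auth0 role name to the custom scopes that role may hold.
const SCOPES_BY_ROLE = {
  'mcp-user': ['model.request', 'model.read', 'organization.read'],
  'mcp-admin': ['model.request', 'model.read', 'organization.read', 'organization.write'],
};

// Pure helper: requested scopes (space-separated, as in the /authorize request)
// intersected with the scopes the user's roles allow. Returns [] for any other
// audience so nothing is added to tokens meant for other APIs.
function scopesToGrant(audience, requestedScope, roles) {
  if (audience !== MCP_API_AUDIENCE) return [];
  const requested = (requestedScope || '').split(' ').filter(Boolean);
  const allowed = new Set((roles || []).flatMap((r) => SCOPES_BY_ROLE[r] || []));
  return requested.filter((s) => allowed.has(s));
}

// Post Login handler. event.request.query.{audience,scope} and
// event.authorization.roles are standard Post Login event fields;
// api.accessToken.addScope is the documented Actions API used in the answer above.
const onExecutePostLogin = async (event, api) => {
  const query = (event.request && event.request.query) || {};
  const roles = (event.authorization && event.authorization.roles) || [];
  for (const scope of scopesToGrant(query.audience, query.scope, roles)) {
    api.accessToken.addScope(scope);
  }
};
// In an Auth0 Action this is simply `exports.onExecutePostLogin = ...`.
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;

// Constructed stand-in for the Auth0 api object: records the scopes the handler adds.
function runLocally(event) {
  const granted = [];
  const api = { accessToken: { addScope: (s) => granted.push(s) } };
  return onExecutePostLogin(event, api).then(() => granted);
}
```

With this variant a user holding only `mcp-user` who requests `organization.write` receives a token without it, which is the behaviour you want if that scope is meant to be restricted.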