So you've got your corporate IdP (Keycloak, Auth0, Okta, Azure AD, whatever) and now you want your MCP servers to use it for auth. You point Claude Code or Cursor at it, aaand... things break. Scope explosions on the consent screen, missing PKCE defaults, clients demanding Dynamic Client Registration your IdP doesn't serve the way MCP expects. Sound familiar?

The problem

The MCP Authorization spec expects certain OAuth behaviors that most enterprise IdPs don't provide out of the box:

- MCP clients expect open Dynamic Client Registration. Most IdPs either don't expose it or lock it behind admin credentials.
- MCP clients tend to request all announced scopes. This isn't required by the spec -- it's just how most clients (Claude Code, Cursor, others) behave in practice. They read scopes_supported from discovery and request all of them. Your Keycloak announces 15 internal scopes?…
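As an added example (not code from the original post), here is a small Python audit of an RFC 8414 authorization-server metadata document: it reproduces the scope parameter a request-everything client would send, flags what an operator should check before fronting the IdP to MCP clients, and builds a narrowed metadata view that only lists the scopes an MCP server needs. The metadata document, realm name, scope names and the `MCP_SCOPE_ALLOWLIST` are constructed for illustration.

```python
"""Audit OAuth 2.0 Authorization Server Metadata (RFC 8414) as an MCP client consumes it."""
import json

# Constructed sample of what an enterprise IdP might publish at
# /.well-known/oauth-authorization-server (realm and scope names are made up).
IDP_METADATA = {
    "issuer": "https://idp.example.com/realms/corp",
    "authorization_endpoint": "https://idp.example.com/realms/corp/protocol/openid-connect/auth",
    "token_endpoint": "https://idp.example.com/realms/corp/protocol/openid-connect/token",
    "scopes_supported": [
        "openid", "profile", "email", "offline_access", "address", "phone",
        "roles", "web-origins", "microprofile-jwt", "acr", "hr:read",
        "payroll:write", "ldap:admin", "billing:read", "mcp:tools",
    ],
    "code_challenge_methods_supported": ["S256", "plain"],
    # No registration_endpoint: open Dynamic Client Registration is not offered.
}

# Hypothetical allowlist: scopes the MCP server actually needs; the rest is consent-screen noise.
MCP_SCOPE_ALLOWLIST = {"openid", "mcp:tools"}


def naive_client_scope_param(metadata: dict) -> str:
    """What a client that requests every announced scope puts in the `scope` parameter."""
    return " ".join(metadata.get("scopes_supported", []))


def audit(metadata: dict) -> dict:
    """Findings to review before exposing this IdP to MCP clients."""
    scopes = metadata.get("scopes_supported", [])
    return {
        "announced_scope_count": len(scopes),
        "scopes_outside_allowlist": sorted(set(scopes) - MCP_SCOPE_ALLOWLIST),
        "pkce_s256_supported": "S256" in metadata.get("code_challenge_methods_supported", []),
        "has_registration_endpoint": "registration_endpoint" in metadata,
    }


def narrowed_metadata(metadata: dict) -> dict:
    """Same endpoints, but only allowlisted scopes and only S256 for PKCE."""
    narrowed = dict(metadata)
    narrowed["scopes_supported"] = [s for s in metadata.get("scopes_supported", []) if s in MCP_SCOPE_ALLOWLIST]
    narrowed["code_challenge_methods_supported"] = ["S256"]
    return narrowed


if __name__ == "__main__":
    print("naive scope param:", naive_client_scope_param(IDP_METADATA))
    print(json.dumps(audit(IDP_METADATA), indent=2))
    print("narrowed scope param:", naive_client_scope_param(narrowed_metadata(IDP_METADATA)))
```

Serving the narrowed document from an MCP-facing front door, instead of the raw IdP metadata, is one way to keep request-everything clients from asking for every internal scope.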