
fix: register both OAuth redirect URIs to avoid DCR conflict #1119

Open
peschee wants to merge 1 commit into modelcontextprotocol:main from peschee:fix/oauth-dcr-redirect-uris

peschee commented Feb 26, 2026

Summary

  • Bug: When the Auth Debugger performs OAuth Dynamic Client Registration (DCR) first, the client is registered with only the debug redirect URI (/oauth/callback/debug). The normal "Connect" flow then fails because /oauth/callback is not a registered redirect URI.
  • Root cause: redirect_uris getter used this.redirectUrl, which DebugInspectorOAuthClientProvider overrides to return the debug URL. The Set deduplication collapsed both entries into just the debug URI.
  • Fix: Hardcode both redirect URIs in the redirect_uris getter so they are always registered regardless of which subclass is used.

Test plan

  • npm run build-client passes
  • cd client && npm run lint passes
  • Manual test: use Auth Debugger first, then try normal Connect — both should work with the same registered client

…normal and debug flows

The redirect_uris getter used this.redirectUrl, which DebugInspectorOAuthClientProvider
overrides to return the debug URL. This caused Set deduplication to collapse both entries
into just the debug URI, so DCR only registered /oauth/callback/debug. The normal Connect
flow then failed because /oauth/callback was not a registered redirect URI.
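
The collapse described in this PR and the effect of hardcoding both URIs, as an added TypeScript sketch that is not code from the PR or the repository. The class names, the `ORIGIN` value and the exact-match `isRegistered` check standing in for the authorization server are assumptions made for the illustration.

```typescript
// Added illustration. All names here are hypothetical stand-ins.
const ORIGIN = "http://localhost:6274"; // constructed sample origin
const NORMAL = ORIGIN + "/oauth/callback";
const DEBUG = ORIGIN + "/oauth/callback/debug";

// "Before": redirect_uris is derived from this.redirectUrl.
class ProviderBefore {
  get redirectUrl(): string {
    return NORMAL;
  }
  get debugRedirectUrl(): string {
    return DEBUG;
  }
  get redirect_uris(): string[] {
    // In the debug subclass both entries are the debug URL, so the Set keeps one.
    return Array.from(new Set([this.redirectUrl, this.debugRedirectUrl]));
  }
}
class DebugProviderBefore extends ProviderBefore {
  override get redirectUrl(): string {
    return this.debugRedirectUrl;
  }
}

// "After": both URIs are spelled out, independent of any redirectUrl override.
class ProviderAfter extends ProviderBefore {
  override get redirect_uris(): string[] {
    return [NORMAL, DEBUG];
  }
}
class DebugProviderAfter extends ProviderAfter {
  override get redirectUrl(): string {
    return this.debugRedirectUrl;
  }
}

// Assumed server behaviour: the redirect_uri of an authorization request
// must exactly match one of the URIs stored at registration time.
function isRegistered(registered: string[], requested: string): boolean {
  return registered.indexOf(requested) !== -1;
}

// DCR runs once with `first`; report which flows the stored client then accepts.
function simulate(first: ProviderBefore): { normal: boolean; debug: boolean } {
  const registered = first.redirect_uris;
  return { normal: isRegistered(registered, NORMAL), debug: isRegistered(registered, DEBUG) };
}
```

`simulate(new DebugProviderBefore())` reports the normal flow as rejected, while `simulate(new DebugProviderAfter())` accepts both flows regardless of which provider registered first.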