feat: add OAuth proxy support to eliminate CORS issues

Add server-side proxy endpoints for OAuth discovery, client registration,
and token exchange to avoid CORS issues when using proxy connection mode.

Server proxy endpoints:
- GET /oauth/resource-metadata - proxies OAuth protected resource metadata
- GET /oauth/metadata - proxies OAuth authorization server metadata
- POST /oauth/register - proxies dynamic client registration
- POST /oauth/token - proxies token exchange

Client changes:
- Construct correct RFC 9728/8414 path-aware well-known URLs client-side
- Route all OAuth discovery through proxy when in proxy connection mode
- Eliminate direct browser fetches that fail with CORS in proxy mode

Author: asoorm

.github/workflows/main.yml

@@ -15,7 +15,7 @@ jobs:
       - uses: actions/checkout@v6
 
       - name: Check formatting
-        run: npx prettier --check .
+        run: npx prettier@3.7.4 --check .
 
       - uses: actions/setup-node@v6
         with:

client/src/App.tsx

@@ -622,9 +622,14 @@ const App = () => {
         };
 
         try {
-          const stateMachine = new OAuthStateMachine(sseUrl, (updates) => {
-            currentState = { ...currentState, ...updates };
-          });
+          const stateMachine = new OAuthStateMachine(
+            sseUrl,
+            (updates) => {
+              currentState = { ...currentState, ...updates };
+            },
+            connectionType,
+            config,
+          );
 
           while (
             currentState.oauthStep !== "complete" &&
@@ -1264,6 +1269,8 @@ const App = () => {
         onBack={() => setIsAuthDebuggerVisible(false)}
         authState={authState}
         updateAuthState={updateAuthState}
+        connectionType={connectionType}
+        config={config}
       />
     </TabsContent>
   );

client/src/components/AuthDebugger.tsx

@@ -7,12 +7,15 @@ import { OAuthFlowProgress } from "./OAuthFlowProgress";
 import { OAuthStateMachine } from "../lib/oauth-state-machine";
 import { SESSION_KEYS } from "../lib/constants";
 import { validateRedirectUrl } from "@/utils/urlValidation";
+import { InspectorConfig } from "../lib/configurationTypes";
 
 export interface AuthDebuggerProps {
   serverUrl: string;
   onBack: () => void;
   authState: AuthDebuggerState;
   updateAuthState: (updates: Partial<AuthDebuggerState>) => void;
+  connectionType: "direct" | "proxy";
+  config: InspectorConfig;
 }
 
 interface StatusMessageProps {
@@ -60,6 +63,8 @@ const AuthDebugger = ({
   onBack,
   authState,
   updateAuthState,
+  connectionType,
+  config,
 }: AuthDebuggerProps) => {
   // Check for existing tokens on mount
   useEffect(() => {
@@ -103,8 +108,9 @@ const AuthDebugger = ({
   }, [serverUrl, updateAuthState]);
 
   const stateMachine = useMemo(
-    () => new OAuthStateMachine(serverUrl, updateAuthState),
-    [serverUrl, updateAuthState],
+    () =>
+      new OAuthStateMachine(serverUrl, updateAuthState, connectionType, config),
+    [serverUrl, updateAuthState, connectionType, config],
   );
 
   const proceedToNextStep = useCallback(async () => {
@@ -150,11 +156,16 @@ const AuthDebugger = ({
         latestError: null,
       };
 
-      const oauthMachine = new OAuthStateMachine(serverUrl, (updates) => {
-        // Update our temporary state during the process
-        currentState = { ...currentState, ...updates };
-        // But don't call updateAuthState yet
-      });
+      const oauthMachine = new OAuthStateMachine(
+        serverUrl,
+        (updates) => {
+          // Update our temporary state during the process
+          currentState = { ...currentState, ...updates };
+          // But don't call updateAuthState yet
+        },
+        connectionType,
+        config,
+      );
 
       // Manually step through each stage of the OAuth flow
       while (currentState.oauthStep !== "complete") {

client/src/lib/__tests__/auth.test.ts

@@ -1,5 +1,6 @@
 import { discoverScopes } from "../auth";
 import { discoverAuthorizationServerMetadata } from "@modelcontextprotocol/sdk/client/auth.js";
+import { InspectorConfig } from "../configurationTypes";
 
 jest.mock("@modelcontextprotocol/sdk/client/auth.js", () => ({
   discoverAuthorizationServerMetadata: jest.fn(),
@@ -10,6 +11,39 @@ const mockDiscoverAuth =
     typeof discoverAuthorizationServerMetadata
   >;
 
+const mockConfig: InspectorConfig = {
+  MCP_SERVER_REQUEST_TIMEOUT: {
+    label: "Request Timeout",
+    description: "Timeout for MCP requests",
+    value: 30000,
+    is_session_item: false,
+  },
+  MCP_REQUEST_TIMEOUT_RESET_ON_PROGRESS: {
+    label: "Reset Timeout on Progress",
+    description: "Reset timeout on progress notifications",
+    value: true,
+    is_session_item: false,
+  },
+  MCP_REQUEST_MAX_TOTAL_TIMEOUT: {
+    label: "Max Total Timeout",
+    description: "Maximum total timeout",
+    value: 300000,
+    is_session_item: false,
+  },
+  MCP_PROXY_FULL_ADDRESS: {
+    label: "Proxy Address",
+    description: "Full address of the MCP proxy",
+    value: "http://localhost:6277",
+    is_session_item: false,
+  },
+  MCP_PROXY_AUTH_TOKEN: {
+    label: "Proxy Auth Token",
+    description: "Authentication token for the proxy",
+    value: "",
+    is_session_item: false,
+  },
+};
+
 const baseMetadata = {
   issuer: "https://test.com",
   authorization_endpoint: "https://test.com/authorize",
@@ -129,7 +163,12 @@ describe("discoverScopes", () => {
     }) => {
       mockDiscoverAuth.mockResolvedValue(mockResolves);
 
-      const result = await discoverScopes(serverUrl, resourceMetadata);
+      const result = await discoverScopes(
+        serverUrl,
+        "direct",
+        mockConfig,
+        resourceMetadata,
+      );
 
       expect(result).toBe(expected);
       if (expectedCallUrl) {
@@ -147,7 +186,12 @@ describe("discoverScopes", () => {
         mockDiscoverAuth.mockResolvedValue(mockResolves);
       }
 
-      const result = await discoverScopes(serverUrl, resourceMetadata);
+      const result = await discoverScopes(
+        serverUrl,
+        "direct",
+        mockConfig,
+        resourceMetadata,
+      );
 
       expect(result).toBeUndefined();
     },