feat: integrate OAuth proxy support into OAuth flow

- Update OAuthStateMachine to accept connectionType and config parameters
- Conditionally route OAuth operations through proxy when connectionType is 'proxy'
- Pass connectionType and config from App.tsx through AuthDebugger to state machine
- Fix auth.ts to make scope optional per RFC 7591
- Maintain backward compatibility with direct connections
- Follow same pattern as existing MCP server proxy connections

Author: asoorm

client/src/App.tsx

@@ -499,9 +499,14 @@ const App = () => {
         };
 
         try {
-          const stateMachine = new OAuthStateMachine(sseUrl, (updates) => {
-            currentState = { ...currentState, ...updates };
-          });
+          const stateMachine = new OAuthStateMachine(
+            sseUrl,
+            (updates) => {
+              currentState = { ...currentState, ...updates };
+            },
+            connectionType,
+            config,
+          );
 
           while (
             currentState.oauthStep !== "complete" &&
@@ -917,6 +922,8 @@ const App = () => {
         onBack={() => setIsAuthDebuggerVisible(false)}
         authState={authState}
         updateAuthState={updateAuthState}
+        connectionType={connectionType}
+        config={config}
       />
     </TabsContent>
   );

client/src/components/AuthDebugger.tsx

@@ -7,12 +7,15 @@ import { OAuthFlowProgress } from "./OAuthFlowProgress";
 import { OAuthStateMachine } from "../lib/oauth-state-machine";
 import { SESSION_KEYS } from "../lib/constants";
 import { validateRedirectUrl } from "@/utils/urlValidation";
+import { InspectorConfig } from "../lib/configurationTypes";
 
 export interface AuthDebuggerProps {
   serverUrl: string;
   onBack: () => void;
   authState: AuthDebuggerState;
   updateAuthState: (updates: Partial<AuthDebuggerState>) => void;
+  connectionType: "direct" | "proxy";
+  config: InspectorConfig;
 }
 
 interface StatusMessageProps {
@@ -60,6 +63,8 @@ const AuthDebugger = ({
   onBack,
   authState,
   updateAuthState,
+  connectionType,
+  config,
 }: AuthDebuggerProps) => {
   // Check for existing tokens on mount
   useEffect(() => {
@@ -103,8 +108,9 @@ const AuthDebugger = ({
   }, [serverUrl, updateAuthState]);
 
   const stateMachine = useMemo(
-    () => new OAuthStateMachine(serverUrl, updateAuthState),
-    [serverUrl, updateAuthState],
+    () =>
+      new OAuthStateMachine(serverUrl, updateAuthState, connectionType, config),
+    [serverUrl, updateAuthState, connectionType, config],
   );
 
   const proceedToNextStep = useCallback(async () => {
@@ -150,11 +156,16 @@ const AuthDebugger = ({
         latestError: null,
       };
 
-      const oauthMachine = new OAuthStateMachine(serverUrl, (updates) => {
-        // Update our temporary state during the process
-        currentState = { ...currentState, ...updates };
-        // But don't call updateAuthState yet
-      });
+      const oauthMachine = new OAuthStateMachine(
+        serverUrl,
+        (updates) => {
+          // Update our temporary state during the process
+          currentState = { ...currentState, ...updates };
+          // But don't call updateAuthState yet
+        },
+        connectionType,
+        config,
+      );
 
       // Manually step through each stage of the OAuth flow
       while (currentState.oauthStep !== "complete") {

client/src/components/ui/button.tsx

@@ -35,8 +35,7 @@ const buttonVariants = cva(
 );
 
 export interface ButtonProps
-  extends
-    React.ButtonHTMLAttributes<HTMLButtonElement>,
+  extends React.ButtonHTMLAttributes<HTMLButtonElement>,
     VariantProps<typeof buttonVariants> {
   asChild?: boolean;
 }

client/src/lib/auth.ts

@@ -153,15 +153,21 @@ export class InspectorOAuthClientProvider implements OAuthClientProvider {
   }
 
   get clientMetadata(): OAuthClientMetadata {
-    return {
+    const metadata: OAuthClientMetadata = {
       redirect_uris: this.redirect_uris,
       token_endpoint_auth_method: "none",
       grant_types: ["authorization_code", "refresh_token"],
       response_types: ["code"],
       client_name: "MCP Inspector",
       client_uri: "https://github.com/modelcontextprotocol/inspector",
-      scope: this.scope ?? "",
     };
+
+    // Only include scope if it has a value (RFC 7591 - scope is optional)
+    if (this.scope) {
+      metadata.scope = this.scope;
+    }
+
+    return metadata;
   }
 
   state(): string | Promise<string> {

client/src/lib/oauth-state-machine.ts

@@ -13,12 +13,21 @@ import {
   OAuthProtectedResourceMetadata,
 } from "@modelcontextprotocol/sdk/shared/auth.js";
 import { generateOAuthState } from "@/utils/oauthUtils";
+import { InspectorConfig } from "./configurationTypes";
+import {
+  discoverAuthorizationServerMetadataViaProxy,
+  discoverOAuthProtectedResourceMetadataViaProxy,
+  registerClientViaProxy,
+  exchangeAuthorizationViaProxy,
+} from "./oauth-proxy";
 
 export interface StateMachineContext {
   state: AuthDebuggerState;
   serverUrl: string;
   provider: DebugInspectorOAuthClientProvider;
   updateState: (updates: Partial<AuthDebuggerState>) => void;
+  connectionType: "direct" | "proxy";
+  config: InspectorConfig;
 }
 
 export interface StateTransition {
@@ -36,9 +45,18 @@ export const oauthTransitions: Record<OAuthStep, StateTransition> = {
       let resourceMetadata: OAuthProtectedResourceMetadata | null = null;
       let resourceMetadataError: Error | null = null;
       try {
-        resourceMetadata = await discoverOAuthProtectedResourceMetadata(
-          context.serverUrl,
-        );
+        // Use proxy if connectionType is "proxy"
+        if (context.connectionType === "proxy") {
+          resourceMetadata =
+            await discoverOAuthProtectedResourceMetadataViaProxy(
+              context.serverUrl,
+              context.config,
+            );
+        } else {
+          resourceMetadata = await discoverOAuthProtectedResourceMetadata(
+            context.serverUrl,
+          );
+        }
         if (resourceMetadata?.authorization_servers?.length) {
           authServerUrl = new URL(resourceMetadata.authorization_servers[0]);
         }
@@ -57,7 +75,15 @@ export const oauthTransitions: Record<OAuthStep, StateTransition> = {
         resourceMetadata ?? undefined,
       );
 
-      const metadata = await discoverAuthorizationServerMetadata(authServerUrl);
+      // Use proxy if connectionType is "proxy"
+      const metadata =
+        context.connectionType === "proxy"
+          ? await discoverAuthorizationServerMetadataViaProxy(
+              authServerUrl,
+              context.config,
+            )
+          : await discoverAuthorizationServerMetadata(authServerUrl);
+
       if (!metadata) {
         throw new Error("Failed to discover OAuth metadata");
       }
@@ -86,19 +112,33 @@ export const oauthTransitions: Record<OAuthStep, StateTransition> = {
         const scopesSupported =
           context.state.resourceMetadata?.scopes_supported ||
           metadata.scopes_supported;
-        // Add all supported scopes to client registration
-        if (scopesSupported) {
+        // Add all supported scopes to client registration (only if non-empty)
+        if (scopesSupported && scopesSupported.length > 0) {
           clientMetadata.scope = scopesSupported.join(" ");
         }
       }
 
       // Try Static client first, with DCR as fallback
       let fullInformation = await context.provider.clientInformation();
       if (!fullInformation) {
-        fullInformation = await registerClient(context.serverUrl, {
-          metadata,
-          clientMetadata,
-        });
+        // Use proxy if connectionType is "proxy"
+        if (context.connectionType === "proxy") {
+          if (!metadata.registration_endpoint) {
+            throw new Error(
+              "No registration endpoint available for dynamic client registration",
+            );
+          }
+          fullInformation = await registerClientViaProxy(
+            metadata.registration_endpoint,
+            clientMetadata,
+            context.config,
+          );
+        } else {
+          fullInformation = await registerClient(context.serverUrl, {
+            metadata,
+            clientMetadata,
+          });
+        }
         context.provider.saveClientInformation(fullInformation);
       }
 
@@ -178,18 +218,50 @@ export const oauthTransitions: Record<OAuthStep, StateTransition> = {
       const metadata = context.provider.getServerMetadata()!;
       const clientInformation = (await context.provider.clientInformation())!;
 
-      const tokens = await exchangeAuthorization(context.serverUrl, {
-        metadata,
-        clientInformation,
-        authorizationCode: context.state.authorizationCode,
-        codeVerifier,
-        redirectUri: context.provider.redirectUrl,
-        resource: context.state.resource
-          ? context.state.resource instanceof URL
-            ? context.state.resource
-            : new URL(context.state.resource)
-          : undefined,
-      });
+      let tokens;
+
+      // Use proxy if connectionType is "proxy"
+      if (context.connectionType === "proxy") {
+        // Build the token request parameters
+        const params: Record<string, string> = {
+          grant_type: "authorization_code",
+          code: context.state.authorizationCode,
+          redirect_uri: context.provider.redirectUrl,
+          code_verifier: codeVerifier,
+          client_id: clientInformation.client_id,
+        };
+
+        if (clientInformation.client_secret) {
+          params.client_secret = clientInformation.client_secret;
+        }
+
+        if (context.state.resource) {
+          const resourceUrl =
+            context.state.resource instanceof URL
+              ? context.state.resource.toString()
+              : context.state.resource;
+          params.resource = resourceUrl;
+        }
+
+        tokens = await exchangeAuthorizationViaProxy(
+          metadata.token_endpoint,
+          params,
+          context.config,
+        );
+      } else {
+        tokens = await exchangeAuthorization(context.serverUrl, {
+          metadata,
+          clientInformation,
+          authorizationCode: context.state.authorizationCode,
+          codeVerifier,
+          redirectUri: context.provider.redirectUrl,
+          resource: context.state.resource
+            ? context.state.resource instanceof URL
+              ? context.state.resource
+              : new URL(context.state.resource)
+            : undefined,
+        });
+      }
 
       context.provider.saveTokens(tokens);
       context.updateState({
@@ -211,6 +283,8 @@ export class OAuthStateMachine {
   constructor(
     private serverUrl: string,
     private updateState: (updates: Partial<AuthDebuggerState>) => void,
+    private connectionType: "direct" | "proxy",
+    private config: InspectorConfig,
   ) {}
 
   async executeStep(state: AuthDebuggerState): Promise<void> {
@@ -220,6 +294,8 @@ export class OAuthStateMachine {
       serverUrl: this.serverUrl,
       provider,
       updateState: this.updateState,
+      connectionType: this.connectionType,
+      config: this.config,
     };
 
     const transition = oauthTransitions[state.oauthStep];