fix: remove Content-Type header from GET requests in OAuth metadata discovery

MumuTW · MumuTW · commit ee5e3d2299e4 · 2026-03-18T16:57:23.000Z
GET requests to /.well-known/oauth-authorization-server should not include a Content-Type header. Some authorization servers (e.g. Keycloak) respond with 415 Unsupported Media Type when a GET request carries Content-Type: application/json, breaking OAuth metadata discovery. Move Content-Type assignment inside the custom fetch wrapper so it is only applied when the request carries a body (i.e. POST), leaving GET requests header-clean. Fixes #1143
diff --git a/client/src/lib/hooks/useConnection.ts b/client/src/lib/hooks/useConnection.ts
@@ -582,16 +582,22 @@ export function useConnection({
         switch (transportType) {
           case "sse":
             requestHeaders["Accept"] = "text/event-stream";
-            requestHeaders["content-type"] = "application/json";
             transportOptions = {
               authProvider: serverAuthProvider,
               fetch: async (
                 url: string | URL | globalThis.Request,
                 init?: RequestInit,
               ) => {
+                const mergedHeaders = { ...requestHeaders };
+                // Only set Content-Type on requests with a body (e.g. POST).
+                // GET requests (such as OAuth metadata discovery) must not
+                // include Content-Type, as some servers reject it with 415.
+                if (init?.body) {
+                  mergedHeaders["content-type"] = "application/json";
+                }
                 const response = await fetch(url, {
                   ...init,
-                  headers: requestHeaders,
+                  headers: mergedHeaders,
                 });
 
                 // Capture protocol-related headers from response
@@ -611,11 +617,16 @@ export function useConnection({
                 url: string | URL | globalThis.Request,
                 init?: RequestInit,
               ) => {
-                requestHeaders["Accept"] =
-                  "text/event-stream, application/json";
-                requestHeaders["Content-Type"] = "application/json";
+                const mergedHeaders = { ...requestHeaders };
+                mergedHeaders["Accept"] = "text/event-stream, application/json";
+                // Only set Content-Type on requests with a body (e.g. POST).
+                // GET requests (such as OAuth metadata discovery) must not
+                // include Content-Type, as some servers reject it with 415.
+                if (init?.body) {
+                  mergedHeaders["Content-Type"] = "application/json";
+                }
                 const response = await fetch(url, {
-                  headers: requestHeaders,
+                  headers: mergedHeaders,
                   ...init,
                 });
 
