fix: ensure DCR always registers both redirect URIs#1173
Merged
cliffhall merged 1 commit intoApr 2, 2026
Conversation
The `redirect_uris` getter used `this.redirectUrl`, which is overridden by `DebugInspectorOAuthClientProvider` to return `/oauth/callback/debug`. This caused the `Set` deduplication to collapse both URIs into one, so DCR only registered `/oauth/callback/debug`. The normal connection flow then sent `/oauth/callback` in the authorize request, which was never registered — causing spec-compliant OAuth servers to reject it. Use the base callback URLs directly instead of the polymorphic getter so both URIs are always registered regardless of which subclass initiates DCR. Fixes modelcontextprotocol#930
cliffhall
approved these changes
Apr 2, 2026
Member
cliffhall
left a comment
cliffhall
left a comment
There was a problem hiding this comment.
LGTM! 👍
I don't really like it, but we're moving away from DCR anyway. IMO, the real fix would be to manage local storage differently for debug vs non-debug runs.
@BobDickinson something to watch out for on V2.
Contributor
Author
Is that in favour of CIMD? https://www.ietf.org/archive/id/draft-parecki-oauth-client-id-metadata-document-00.html |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes a redirect_uri mismatch between Dynamic Client Registration and the authorize request, caused by the
redirect_urisgetter using a polymorphicthis.redirectUrlthat the debug subclass overrides.Type of Change
Changes Made
The
redirect_urisgetter inInspectorOAuthClientProviderusedthis.redirectUrl, whichDebugInspectorOAuthClientProvideroverrides to return/oauth/callback/debug. This causedSetdeduplication to collapse both URIs into one during DCR, so only/oauth/callback/debugwas registered. The normal connection flow then sentredirect_uri=/oauth/callbackin the authorize request — which was never registered — causing spec-compliant OAuth servers to reject it.The fix references the base callback URLs directly instead of going through the polymorphic getter, ensuring both
/oauth/callbackand/oauth/callback/debugare always registered.Related Issues
Fixes #930
Testing
Test Results and/or Instructions
npm run dev/oauth/callbackand/oauth/callback/debugredirect_urimatches one of the registered URIsChecklist
npm run prettier-fix)Breaking Changes
None.
Additional Context
This was introduced by the fix for #825 (duplicate redirect URIs). That fix correctly deduplicated, but didn't account for the polymorphic override collapsing both URIs into one. See root cause analysis comment.