From abe1cf9b4f4cfeb7de317824b350534fcb5b9c5b Mon Sep 17 00:00:00 2001
From: Ahmet Soormally
Date: Thu, 2 Apr 2026 15:42:20 +0100
Subject: [PATCH] fix: ensure DCR always registers both redirect URIs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The `redirect_uris` getter used `this.redirectUrl`, which is overridden by `DebugInspectorOAuthClientProvider` to return `/oauth/callback/debug`. This caused the `Set` deduplication to collapse both URIs into one, so DCR only registered `/oauth/callback/debug`. The normal connection flow then sent `/oauth/callback` in the authorize request, which was never registered — causing spec-compliant OAuth servers to reject it. Use the base callback URLs directly instead of the polymorphic getter so both URIs are always registered regardless of which subclass initiates DCR. Fixes #930
---
 client/src/lib/auth.ts | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/client/src/lib/auth.ts b/client/src/lib/auth.ts
index 879936104..b8366ef6e 100644
--- a/client/src/lib/auth.ts
+++ b/client/src/lib/auth.ts
@@ -146,10 +146,15 @@ export class InspectorOAuthClientProvider implements OAuthClientProvider {
 }
 get redirect_uris() {
- // Normally register both redirect URIs to support both normal and debug flows
- // In debug subclass, redirectUrl may be the same as debugRedirectUrl, so remove duplicates
+ // Always register both redirect URIs to support both normal and debug flows.
+ // Use the base URLs directly (not this.redirectUrl) to avoid the debug subclass
+ // override collapsing both URIs into one, which causes the normal flow's
+ // /authorize request to use an unregistered redirect_uri.
 // See: https://github.com/modelcontextprotocol/inspector/issues/825
- return [...new Set([this.redirectUrl, this.debugRedirectUrl])];
+ // See: https://github.com/modelcontextprotocol/inspector/issues/930
+ const callbackUrl = window.location.origin + "/oauth/callback";
+ const debugCallbackUrl = window.location.origin + "/oauth/callback/debug";
+ return [callbackUrl, debugCallbackUrl];
 }
 get clientMetadata(): OAuthClientMetadata {
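Review bot: The two literals in `redirect_uris` now duplicate paths that the `redirectUrl` / `debugRedirectUrl` getters presumably also build (those getters sit outside this hunk), so the registered list and the `redirect_uri` actually sent to `/authorize` can drift apart silently. Authorization servers compare `redirect_uri` by exact string match, which is the rejection the commit message describes, so a later edit to only one side would bring the same failure back. Consider hoisting the two paths into shared module constants used by both the getters and this list, or at least add `// Must stay identical to the values returned by redirectUrl in the base and debug providers; servers match redirect_uri exactly.` above `const callbackUrl`. The getter also has no return annotation; `get redirect_uris(): string[] {` would match `clientMetadata()` below it.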