Skip to content

Fix OAuth redirect URI mismatch in debug flow #801

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Fix OAuth redirect URI mismatch in debug flow #801

wants to merge 1 commit into from

Conversation

bhosmer-ant
Copy link
Contributor

@bhosmer-ant bhosmer-ant commented Sep 13, 2025
edited
Loading

Summary

  • Registers both normal (/oauth/callback) and debug (/oauth/callback/debug) redirect URIs in OAuth client metadata
  • Prevents redirect URI mismatch errors when switching between connection flow and Auth tab debug mode
  • Adds debugRedirectUrl getter to base class for cleaner code organization

Problem

Steps to reproduce:

  1. Connect to a server with auth (e.g. the one defined in https://github.com/modelcontextprotocol/example-remote-server)
  2. Go through the OAuth flow on connection. This uses the /oauth/callback endpoint
  3. Go to the Auth tab and choose either Quick Refresh or Guided Token Refresh. This attempts to use the /oauth/callback/debug endpoint on the current client, resulting in an "unregistered redirect uri" error
  4. Reconnect. This clears the current client and does not reauthorize on connection
  5. Go to the Auth tab and choose either Quick Refresh or Guided Token Refresh. A new client is created with the /oauth/callback/debug endpoint registered. Flow works normally

Root cause:

The OAuth client was only registering the /oauth/callback redirect URI at connection time, but the Auth tab's debug flows require /oauth/callback/debug. This caused a redirect URI mismatch error.

Fix:

Register both /oauth/callback and /oauth/callback/debug redirect URIs at connection time, making both endpoints available for all OAuth flows.

Test plan

  • Test normal OAuth connection flow works
  • Test Auth tab debug mode OAuth flow works
  • Verify both redirect URIs are registered in client metadata

@bhosmer-ant
Fix OAuth redirect URI mismatch in debug flow
70ddef2 
Register both normal and debug redirect URIs in client metadata to prevent mismatch errors when using the Auth tab's debug mode versus normal connection flow.
@github-actions GitHub Actions
Copy link

🎭 Playwright E2E Test Results

✅  24 passed

Details

24 tests across 3 suites
 35.5 seconds
 70ddef2
ℹ️  Test Environment: Ubuntu Latest, Node.js v22.19.0
Browsers: Chromium, Firefox

📊 View Detailed HTML Report (download artifacts)

max-stytch
max-stytch approved these changes Sep 16, 2025
View reviewed changes
Copy link
Contributor

@max-stytch max-stytch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pcarleton pcarleton Awaiting requested review from pcarleton

1 more reviewer

@max-stytch max-stytch max-stytch approved these changes

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@bhosmer-ant @max-stytch