inspector icon indicating copy to clipboard operation
inspector copied to clipboard
verified publisher icon modelcontextprotocol

Missing state in OAuth requests

Open phuctm97 opened this issue 7 months ago • 1 comments

Describe the bug

The MCP inspector is not sending state query param with OAuth requests, which makes it incompatible with some OAuth servers that require state

To Reproduce Steps to reproduce the behavior:

  1. Create an MCP server with OAuth implementation that requires state
  2. Connect to the MCP server in the inspector
  3. Go through the OAuth flow
  4. Got an error invalid_state because there is no state query parameter sent in the /authorize request

Expected behavior

state should always be sent to ensure maximum compatibility

phuctm97 avatar May 26 '25 03:05 phuctm97

@phuctm97: I have a PR for this in the mcp-auth fork at https://github.com/mcp-auth/inspector/pull/3. I haven't tested yet whether this change applies cleanly to the canonical modelcontextprotocol repo here.

msabramo avatar May 31 '25 07:05 msabramo

We're encountering the same issue, important to get this merged as some auth libs like ory.sh require state.

pete001 avatar Jun 25 '25 13:06 pete001

Hi, most OAuth providers will require a state parameter. Hit this wall as well. This one would be a blocker to auth. Not having state means CSRF vector potential and thus most OAuth providers + libraries will require it.

KKonstantinov avatar Jul 03 '25 09:07 KKonstantinov

Have opened https://github.com/modelcontextprotocol/inspector/pull/615 for this.

KKonstantinov avatar Jul 13 '25 05:07 KKonstantinov

Thanks for merging. :) This can be closed now.

KKonstantinov avatar Aug 08 '25 21:08 KKonstantinov