
OAuth Flow Metadata Discovery & DCR inconsistent behavior per call for HTTP header allow origin

Open symdeb opened this issue 4 months ago • 5 comments

Describe the bug

To set the response headers on a hosted website (with PHP), setting the header Header set Access-Control-Allow-Origin "*" results in a Metadata Discovery failure. This same header MUST be set for the /register call to pass (when it is not set, the call fails) when the inspector sends OPTIONS to the site. This is a catch-22. It's not possible to set different security headers per API call.

To Reproduce

  A. On a local machine run the inspector
  B. Install an OAuth2 server that also supports DCR.
  C. Run the inspector OAuth2 cycle (keep the client ID empty, otherwise the inspector will not call the register endpoint)

  1. Add to .htaccess on the server (website): Header set Access-Control-Allow-Origin "*". Inspector metadata discovery fails with Error: Failed to discover OAuth metadata

  2. Remove the header. Inspector metadata discovery passes and shows "OAuth Metadata Sources"

  3. Going to the next step, client registration to the API endpoint /register fails with Error: Failed to fetch

  4. Add to .htaccess on the website: Header set Access-Control-Allow-Origin "*". Repeat the next step for the client registration call /register; register passes

  5. From here next steps continue normally (login screen on the authentication site...etc..)

NO OTHER CHANGES THAN ADDING/REMOVING THE HEADER IN .HTACCESS WERE MADE

It seems the inspector has inconsistent behavior/expectations for the expected header per API call.
While the call to /.well-known/ discovering the authorization server does not accept this header, the PREFLIGHT OPTIONS call to /register requires it.

Expected behavior: consistent behavior of the inspector for expected headers per API call. I suggest removing the requirement for the inspector to check the Access-Control-Allow-Origin header; it may cause multiple issues with different servers.

Logs: N/A

Additional context: [1] The MCP server is hosted on HostGator. [2] For Header set Access-Control-Allow-Origin "*" only one option is allowed. Since the caller can be from any site, "*" is used here. [3] The PHP header() function has no effect on the returned headers; only the ones defined in .htaccess or in the server's configuration files work. These are STATIC values and CANNOT be dynamically changed based on the calling IP/host, URL or call (OPTIONS, GET or POST). [4] Why does a returned Header set Access-Control-Allow-Origin "*" fail for the call to the .well-known URL?

symdeb avatar Aug 26 '25 15:08 symdeb
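To make the two symptoms in the report easier to reason about, here is an added illustration (written for this page; it is not Inspector code and not the reporter's code) that models the CORS decisions a browser applies to the Inspector's cross-origin fetch() calls: a response without Access-Control-Allow-Origin is blocked (the UI surfaces this as "Failed to fetch"), a POST with a JSON body triggers an OPTIONS preflight that must itself pass, and the "*" wildcard is only accepted when the request is sent without credentials. The request shapes (a plain GET for metadata discovery, a JSON POST for /register), the origin http://localhost:6274 from the thread, and the server header sets are assumptions or constructed samples, and the model intentionally assumes static headers shared by OPTIONS and the real request, as with .htaccess.

```python
"""Browser-side CORS decision model (added illustration; not Inspector code).

Request shapes below are assumptions: metadata discovery as a plain GET and
dynamic client registration as a POST with a JSON body. The server header
sets are constructed to mirror the two .htaccess states in the thread.
"""

INSPECTOR_ORIGIN = "http://localhost:6274"  # origin the Inspector UI runs on (from the thread)

# CORS-safelisted methods/headers (Fetch standard); a request using only these
# is sent directly, anything else first triggers an OPTIONS preflight.
SAFELISTED_METHODS = {"GET", "HEAD", "POST"}
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
SAFELISTED_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}


def _is_safelisted(name: str, value: str) -> bool:
    lname = name.lower()
    if lname not in SAFELISTED_HEADERS:
        return False
    if lname == "content-type":  # JSON bodies are NOT safelisted
        return value.split(";")[0].strip().lower() in SAFELISTED_CONTENT_TYPES
    return True


def needs_preflight(method: str, request_headers: dict) -> bool:
    """True if the browser must send an OPTIONS preflight before this request."""
    if method.upper() not in SAFELISTED_METHODS:
        return True
    return any(not _is_safelisted(n, v) for n, v in request_headers.items())


def origin_allowed(origin: str, credentials: bool, response_headers: dict) -> bool:
    """The Access-Control-Allow-Origin check applied to every cross-origin response."""
    acao = response_headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False            # header absent: the browser blocks the response
    if acao == "*":
        return not credentials  # wildcard is rejected for credentialed requests
    if acao != origin:
        return False            # otherwise it must match the page origin exactly
    if credentials and response_headers.get("Access-Control-Allow-Credentials") != "true":
        return False
    return True


def _csv(value):
    return {v.strip() for v in (value or "").split(",") if v.strip()}


def preflight_allowed(origin, method, request_headers, credentials, preflight_headers) -> bool:
    """Evaluate an OPTIONS preflight response: origin check plus method/header allow-lists."""
    if not origin_allowed(origin, credentials, preflight_headers):
        return False
    methods = {m.upper() for m in _csv(preflight_headers.get("Access-Control-Allow-Methods"))}
    headers = {h.lower() for h in _csv(preflight_headers.get("Access-Control-Allow-Headers"))}
    wildcard_ok = not credentials  # '*' in the allow-lists only counts without credentials
    if method.upper() not in SAFELISTED_METHODS and method.upper() not in methods \
            and not (wildcard_ok and "*" in methods):
        return False
    for name, value in request_headers.items():
        if _is_safelisted(name, value):
            continue
        lname = name.lower()
        # '*' never covers Authorization; that header has to be listed by name
        if lname not in headers and not (wildcard_ok and "*" in headers and lname != "authorization"):
            return False
    return True


def fetch_succeeds(method, request_headers, credentials, server_headers, origin=INSPECTOR_ORIGIN) -> bool:
    """Simulate one cross-origin fetch() against a server whose CORS headers are
    static (the .htaccess case), so OPTIONS and the real request share them."""
    if needs_preflight(method, request_headers) and not preflight_allowed(
            origin, method, request_headers, credentials, server_headers):
        return False  # what the UI reports as "Failed to fetch"
    return origin_allowed(origin, credentials, server_headers)


# Constructed server header sets mirroring the two .htaccess states in the thread.
WITHOUT_ACAO = {"Access-Control-Allow-Methods": "GET, POST, OPTIONS",
                "Access-Control-Allow-Headers": "Content-Type, Authorization"}
WITH_WILDCARD = dict(WITHOUT_ACAO, **{"Access-Control-Allow-Origin": "*"})
WITH_EXACT_ORIGIN = dict(WITHOUT_ACAO, **{"Access-Control-Allow-Origin": INSPECTOR_ORIGIN,
                                          "Access-Control-Allow-Credentials": "true"})

DISCOVERY = ("GET", {"Accept": "application/json"})        # assumed request shape
REGISTER = ("POST", {"Content-Type": "application/json"})  # JSON body => preflight


def run_scenarios() -> dict:
    """Outcome of each request shape against each header set."""
    return {
        "discovery/no-acao": fetch_succeeds(*DISCOVERY, False, WITHOUT_ACAO),
        "discovery/wildcard": fetch_succeeds(*DISCOVERY, False, WITH_WILDCARD),
        "discovery/wildcard+credentials": fetch_succeeds(*DISCOVERY, True, WITH_WILDCARD),
        "register/no-acao": fetch_succeeds(*REGISTER, False, WITHOUT_ACAO),
        "register/wildcard": fetch_succeeds(*REGISTER, False, WITH_WILDCARD),
        "register/exact+credentials": fetch_succeeds(*REGISTER, True, WITH_EXACT_ORIGIN),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:32s} {'allowed' if ok else 'blocked'}")
```

Under this model a credential-less GET answered with "*" is allowed, so the wildcard check alone does not account for the discovery failure reported above; the credentials mode of the discovery request and the exact response headers of that request are therefore the first things to compare in the browser's network logs when investigating a case like this.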

Could someone confirm this issue is valid? It is quite annoying to have to change the .htaccess file manually on the server each time for the auth server discovery and register calls. Even setting the Origin header to http://localhost:6274/ on the public server still results in a metadata error.


symdeb avatar Aug 29 '25 13:08 symdeb

Thanks @symdeb, to diagnose this further it would help to have:

  1. Could you get browser network logs from the Network tab when you reproduce the issue, and share screenshots or HAR file showing:

    • The failing metadata discovery request (with headers)
    • The working /register request (with headers)
    • Any OPTIONS preflight requests
  2. You mentioned it's PHP on HostGator, but which OAuth implementation are you using?

  3. Try setting all CORS headers, not just Origin? e.g.:

    Header set Access-Control-Allow-Origin "http://localhost:6274"
    Header set Access-Control-Allow-Methods "GET, POST, OPTIONS"
    Header set Access-Control-Allow-Headers "Content-Type, Authorization"
    

olaservo avatar Aug 30 '25 13:08 olaservo

Will get the logs but for the moment

  1. ALL the requests are 100% exactly the same for success and failure; the ONLY difference is removing/adding the Header set Access-Control-Allow-Origin line in .htaccess on the host

  2. Own PHP-based OAuth2 implementation that has worked fine with multiple other services in the past 10 years or so (Amazon, Google etc.)

  3. The case was already isolated to only the Origin header as the differentiator. The other two are always set

  4. Question: Has Inspector been tested with other shared hosting solutions? If not, perhaps give it a try?

  5. Question: what does the inspector expect? Does it expect the same headers for the discovery, register and other calls?

symdeb avatar Sep 18 '25 07:09 symdeb

Here are the logs at the server. Once again, with/without origin refers here to adding the line Access-Control-Allow-Origin "*" in .htaccess or not. It's the only difference. MCP inspector 0.16.8. Note: the IP address and host name are masked in the file.

oauth.zip


symdeb avatar Sep 19 '25 11:09 symdeb

Progress? Could anyone replicate this?

symdeb avatar Oct 14 '25 04:10 symdeb