
CORS errors when using the "Quick OAuth Flow" auth troubleshooter

Open anthony-c-martin opened this issue 3 months ago • 8 comments

Inspector Version

0.16.7

Describe the bug

I'm trying to troubleshoot a new remote MCP server, and see this error message: Image

When I look at the browser logs, I see the following, indicating the web requests aren't actually failing - it's just being blocked by my browser's CORS policy:

Access to fetch at 'https://<redacted>/.well-known/oauth-protected-resource' from origin 'http://localhost:6274' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

To Reproduce

Steps to reproduce the behavior:

  1. Add remote server, click 'Connect'
  2. Click on 'Auth'
  3. Scroll down to 'Quick OAuth Flow'
  4. See error

Expected behavior

  1. The app is able to make requests regardless of CORS policy, or instructions are provided on how to run it in a way to bypass.
  2. The error message is more descriptive of the problem, rather than indicating a generic problem has occurred.

Screenshots

See above

Environment (please complete the following information):

  • OS: macOS (Tahoe 26.0)
  • Browser: Edge

Additional context

N/A

anthony-c-martin avatar Sep 18 '25 12:09 anthony-c-martin

same in 0.16.8

Xueyao-Huang avatar Sep 25 '25 00:09 Xueyao-Huang

> The app is able to make requests regardless of CORS policy, or instructions are provided on how to run it in a way to bypass.

@anthony-c-martin when you say "the app" do you mean a browser-based app or an app running as a service? The latter will not have any CORS-related issues, because that is a browser concern.

Any browser-based app will have a CORS issue connecting to any server that does not allow its origin to connect. It's not up to the Inspector or any browser-based app to set the CORS policy, that's the server's prerogative.

Have a look at the Everything reference server implementation and how it opens the CORS origin and headers it allows the browser to read.

cliffhall avatar Oct 04 '25 20:10 cliffhall

Closing this one. It seems as if your .well-known/oauth-protected-resource endpoint needs CORS config to allow all origins. It is a public metadata discovery mechanism.

cliffhall avatar Oct 11 '25 16:10 cliffhall
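
A sketch of the server-side fix suggested in the comment above, as an added example that is not code from the Inspector or the Everything reference server: it answers the preflight and the GET for the metadata path with CORS headers and leaves every other route without them. The allowed request-header list, the sample metadata and all function names are assumptions made for illustration.

```javascript
// Paths that serve public, credential-free discovery metadata (path from the issue).
const PUBLIC_PATHS = new Set(['/.well-known/oauth-protected-resource']);
// Assumption: non-simple request headers the browser client sends on discovery.
const ALLOWED_HEADERS = ['mcp-protocol-version', 'content-type'];
// Constructed sample metadata; both URLs are placeholders.
const METADATA = {
  resource: 'https://mcp.example.test',
  authorization_servers: ['https://auth.example.test'],
};

// Wildcard origin is used only because the document is public and read without
// cookies, so Access-Control-Allow-Credentials is deliberately never sent.
const cors = () => ({
  'Access-Control-Allow-Origin': '*',
  'Access-Control-Allow-Methods': 'GET, OPTIONS',
  'Access-Control-Allow-Headers': ALLOWED_HEADERS.join(', '),
});

// Pure handler so it can be checked without opening a socket.
function handleMetadata({ method, url }) {
  const path = url.split('?')[0];
  // Every other route gets no CORS headers and stays same-origin only.
  if (!PUBLIC_PATHS.has(path)) return { status: 404, headers: {}, body: '' };
  // Preflight must answer 2xx with the CORS headers, or the browser blocks the GET.
  if (method === 'OPTIONS') return { status: 204, headers: cors(), body: '' };
  if (method === 'GET') {
    const headers = { ...cors(), 'Content-Type': 'application/json' };
    return { status: 200, headers, body: JSON.stringify(METADATA) };
  }
  return { status: 405, headers: { ...cors(), Allow: 'GET, OPTIONS' }, body: '' };
}

// Simplified version of the browser's preflight check, for verifying a response.
function preflightPasses(resp, requestedHeaders) {
  const allowed = (resp.headers['Access-Control-Allow-Headers'] || '')
    .split(',').map((h) => h.trim().toLowerCase());
  return resp.status >= 200 && resp.status < 300 &&
    resp.headers['Access-Control-Allow-Origin'] === '*' &&
    requestedHeaders.every((h) => allowed.includes(h.toLowerCase()));
}

// Adapter for Node's built-in server: http.createServer(nodeListener).listen(port)
function nodeListener(req, res) {
  const { status, headers, body } = handleMetadata(req);
  res.writeHead(status, headers);
  res.end(body);
}
```

Keeping the wildcard scoped to the metadata path means routes that carry tokens or session state are not opened to arbitrary origins by the same change.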

Thanks for the guidance! I'll try out enabling the CORS config for the .well-known/oauth-protected-resource endpoint.

anthony-c-martin avatar Oct 12 '25 22:10 anthony-c-martin

@cliffhall Hi, I'm running into the same problem. CORS policy is blocking the metadata and oauth requests. Would it make sense to use the MCP proxy also for those? From my understanding the whole point of having a proxy is to "circumvent" the CORS policy for development as it is only relevant in browser environment.

ov-developer avatar Oct 17 '25 05:10 ov-developer

> From my understanding the whole point of having a proxy is to "circumvent" the CORS policy for development as it is only relevant in browser environment.

The original point of the proxy was simply to support STDIO servers. You can't talk to them from a browser, you have to have a proxy.

I agree that it might be helpful to go through the proxy, and we may look into doing it, but, it would not be a simple change.

cliffhall avatar Oct 18 '25 19:10 cliffhall

Happy to implement this change, facing the same issue.

sambhav avatar Nov 14 '25 21:11 sambhav

Thanks for re-opening! It would definitely be a valuable feature to have.

anthony-c-martin avatar Nov 15 '25 01:11 anthony-c-martin