OAuth (MCP): Pre‑configured “static client” flow crashes because token_endpoint_auth_method is undefined

[matthisholleville]

What happened?

When I supply a fully‑configured OAuth block for an MCP server (i.e. authorization_url, token_url, client_id, optionally client_secret) LibreChat should skip Dynamic Client Registration and open the authorization page directly.

Instead, the backend throws a TypeError and the pop‑up never appears.

Possible root cause :

In packages/api/src/mcp/oauth/handler.ts (initiateOAuthFlow):

if (config?.authorization_url && config?.token_url && config?.client_id) {
  const clientInfo: OAuthClientInformation = {
    client_id: config.client_id,
    client_secret: config.client_secret,
    redirect_uris: [ ... ],
    scope: config.scope,
    // ↓ missing
    // token_endpoint_auth_method: config.client_secret
    //   ? 'client_secret_basic'
    //   : 'none',
  };
  ...
}

token_endpoint_auth_method is left undefined; later, startAuthorization() in the SDK does
clientInformation.token_endpoint_auth_method?.includes('client_secret').
Because optional chaining is not used in the shipped JS (compiled to .includes directly), we get the TypeError.

already read the documentation on this subject, which didn't help me

Version Information

ghcr.io/danny-avila/librechat-dev-api:2e1874e596017b5b54fff26d526a6502ec930861

Steps to Reproduce

1. Using docker-compose mode
2. Use this MCP configuration

mcpServers:
  tools:
    type: sse
    url: http://host.docker.internal:3090/sse
    oauth:
      authorization_url: https://okta.com/oauth2/default/v1/authorize
      token_url:         https://okta.com/oauth2/default/v1/token
      client_id:         xxxxxxx
      client_secret:     super‑secret‑value       # optional, same issue without it
      scope:             "openid profile email"
      redirect_uri:      http://localhost:3080/api/mcp/tools/oauth/callback

3. Start LibreChat → watch API logs.

TypeError: Cannot read properties of undefined (reading 'includes')
    at startAuthorization (/app/node_modules/@modelcontextprotocol/sdk/dist/cjs/client/auth.js:272:58)
    at ...

---

Expected behaviour

LibreChat should:

• detect the pre‑configured client
• generate the /authorize URL with PKCE
• open the external Okta login window.

What browsers are you seeing the problem on?

No response

Relevant log output

N/A

Screenshots

No response

Code of Conduct

• I agree to follow this project's Code of Conduct

[danny-avila]

We can't help resolve the issue without:

1. The MCP server being used, or at least a minimal reproduction of it
   a. any setup steps to stand it up exactly as you have (in this case, okta configuration)
2. You confirming it works with MCP Inspector

Also it seems that underlying feature may not even be supported by the model context protocol:

modelcontextprotocol/modelcontextprotocol#573

[matthisholleville]

@danny-avila. I managed to get it working with Okta SSO. Not without some effort, but it’s working.

A few questions:

1. The manual validation from the console log at startup only needs to be done once, right?
2. If I have multiple replicas running in parallel, do I only need to validate it on one replica?
3. Where the token is stored ? In Database ?

[cotto211]

Joining the discussion as we're facing the same problem.
To help reproduce the issue we created two minimal repositories:

• A minimal MCP server
• Static OAuth server

How to reproduce the error:

1. Start the auth server
2. Start the MCP server
3. In the librechat.yaml add the following MCP configuration:

mcpServers:
  mcp-dummy:
    url: http://host.docker.internal:8080/sse
    oauth:
      client_id: "mcp-client"
      client_secret: "mcp-secret"
      authorization_url: "http://host.docker.internal:9000/oauth2/authorize"
      token_url: "http://host.docker.internal:9000/oauth2/token"

4. Start LibreChat and watch the logs for:

 info: [MCP][mcp-dummy] Creating SSE transport: http://host.docker.internal:8080/sse
LibreChat         | 2025-08-05 12:52:43 error: [MCP][mcp-dummy] Transport error: SSE error: Non-200 status code (401)
LibreChat         | 2025-08-05 12:52:43 warn: [MCP][mcp-dummy] OAuth authentication error detected
LibreChat         | 2025-08-05 12:52:43 warn: [MCP][mcp-dummy] OAuth authentication required
LibreChat         | 2025-08-05 12:52:43 error: [MCPOAuth] Failed to initiate OAuth flow
LibreChat         | 2025-08-05 12:52:43 error: [MCP][mcp-dummy] Failed to complete OAuth flow for mcp-dummy Cannot read properties of undefined (reading 'includes')

Let me know if more details are needed.

[danny-avila]

More fields are now configurable on the latest version for static oauth configs:

https://www.librechat.ai/docs/configuration/librechat_yaml/object_structure/mcp_servers#oauth