fix: store resource in session storage

Author: jneums

client/src/lib/auth.ts

@@ -131,10 +131,41 @@ export class DebugInspectorOAuthClientProvider extends InspectorOAuthClientProvi
     return JSON.parse(metadata);
   }
 
+  /**
+   * Saves the resource URL to session storage to persist it across the redirect.
+   */
+  saveResource(resource: URL): void {
+    const key = getServerSpecificKey(
+      SESSION_KEYS.RESOURCE_URL,
+      this.serverUrl,
+    );
+    sessionStorage.setItem(key, resource.toString());
+  }
+
+  /**
+   * Retrieves the persisted resource URL from session storage.
+   */
+  getResource(): URL | undefined {
+    const key = getServerSpecificKey(
+      SESSION_KEYS.RESOURCE_URL,
+      this.serverUrl,
+    );
+    const urlString = sessionStorage.getItem(key);
+    if (!urlString) {
+      return undefined;
+    }
+    return new URL(urlString);
+  }
+
   clear() {
     super.clear();
     sessionStorage.removeItem(
       getServerSpecificKey(SESSION_KEYS.SERVER_METADATA, this.serverUrl),
     );
+
+    // Also clear the resource URL
+    sessionStorage.removeItem(
+      getServerSpecificKey(SESSION_KEYS.RESOURCE_URL, this.serverUrl),
+    );
   }
 }

client/src/lib/constants.ts

@@ -8,6 +8,7 @@ export const SESSION_KEYS = {
   CLIENT_INFORMATION: "mcp_client_information",
   SERVER_METADATA: "mcp_server_metadata",
   AUTH_DEBUGGER_STATE: "mcp_auth_debugger_state",
+  RESOURCE_URL: "mcp_resource_url",
 } as const;
 
 // Generate server-specific session storage keys

client/src/lib/oauth-state-machine.ts

@@ -56,6 +56,11 @@ export const oauthTransitions: Record<OAuthStep, StateTransition> = {
         resourceMetadata ?? undefined,
       );
 
+      // Persist the resource URL so it survives the redirect.
+      if (resource) {
+        context.provider.saveResource(resource);
+      }
+
       const metadata = await discoverOAuthMetadata(authServerUrl);
       if (!metadata) {
         throw new Error("Failed to discover OAuth metadata");
@@ -165,13 +170,16 @@ export const oauthTransitions: Record<OAuthStep, StateTransition> = {
       const metadata = context.provider.getServerMetadata()!;
       const clientInformation = (await context.provider.clientInformation())!;
 
+      // Retrieve the resource from persistent storage, not volatile state.
+      const resource = context.provider.getResource();
+
       const tokens = await exchangeAuthorization(context.serverUrl, {
         metadata,
         clientInformation,
         authorizationCode: context.state.authorizationCode,
         codeVerifier,
         redirectUri: context.provider.redirectUrl,
-        resource: context.state.resource ?? undefined,
+        resource: resource ?? undefined,
       });
 
       context.provider.saveTokens(tokens);