Merge branch 'main' into feat/oauth-scope-discovery-consistency

cliffhall · web-flow · commit 4c01cab15027 · 2025-08-13T16:30:37.000-04:00
diff --git a/cli/package.json b/cli/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@modelcontextprotocol/inspector-cli",
-  "version": "0.16.3",
+  "version": "0.16.4",
   "description": "CLI for the Model Context Protocol inspector",
   "license": "MIT",
   "author": "Anthropic, PBC (https://anthropic.com)",
@@ -21,7 +21,7 @@
   },
   "devDependencies": {},
   "dependencies": {
-    "@modelcontextprotocol/sdk": "^1.17.0",
+    "@modelcontextprotocol/sdk": "^1.17.2",
     "commander": "^13.1.0",
     "spawn-rx": "^5.1.2"
   }
diff --git a/client/package.json b/client/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@modelcontextprotocol/inspector-client",
-  "version": "0.16.3",
+  "version": "0.16.4",
   "description": "Client-side application for the Model Context Protocol inspector",
   "license": "MIT",
   "author": "Anthropic, PBC (https://anthropic.com)",
@@ -25,7 +25,7 @@
     "cleanup:e2e": "node e2e/global-teardown.js"
   },
   "dependencies": {
-    "@modelcontextprotocol/sdk": "^1.17.0",
+    "@modelcontextprotocol/sdk": "^1.17.2",
     "@radix-ui/react-checkbox": "^1.1.4",
     "@radix-ui/react-dialog": "^1.1.3",
     "@radix-ui/react-icons": "^1.3.0",
diff --git a/client/src/components/__tests__/AuthDebugger.test.tsx b/client/src/components/__tests__/AuthDebugger.test.tsx
@@ -503,6 +503,103 @@ describe("AuthDebugger", () => {
     });
   });
 
+  describe("Client Registration behavior", () => {
+    it("uses preregistered (static) client information without calling DCR", async () => {
+      const preregClientInfo = {
+        client_id: "static_client_id",
+        client_secret: "static_client_secret",
+        redirect_uris: ["http://localhost:3000/oauth/callback/debug"],
+      };
+
+      // Return preregistered client info for the server-specific key
+      sessionStorageMock.getItem.mockImplementation((key) => {
+        if (
+          key ===
+          `[${defaultProps.serverUrl}] ${SESSION_KEYS.PREREGISTERED_CLIENT_INFORMATION}`
+        ) {
+          return JSON.stringify(preregClientInfo);
+        }
+        return null;
+      });
+
+      const updateAuthState = jest.fn();
+
+      await act(async () => {
+        renderAuthDebugger({
+          updateAuthState,
+          authState: {
+            ...defaultAuthState,
+            isInitiatingAuth: false,
+            oauthStep: "client_registration",
+            oauthMetadata: mockOAuthMetadata as unknown as OAuthMetadata,
+          },
+        });
+      });
+
+      // Proceed from client_registration → authorization_redirect
+      await act(async () => {
+        fireEvent.click(screen.getByText("Continue"));
+      });
+
+      // Should NOT attempt dynamic client registration
+      expect(mockRegisterClient).not.toHaveBeenCalled();
+
+      // Should advance with the preregistered client info
+      expect(updateAuthState).toHaveBeenCalledWith(
+        expect.objectContaining({
+          oauthClientInfo: expect.objectContaining({
+            client_id: "static_client_id",
+          }),
+          oauthStep: "authorization_redirect",
+        }),
+      );
+    });
+
+    it("falls back to DCR when no static client information is available", async () => {
+      // No preregistered or dynamic client info present in session storage
+      sessionStorageMock.getItem.mockImplementation(() => null);
+
+      // DCR returns a new client
+      mockRegisterClient.mockResolvedValueOnce(mockOAuthClientInfo);
+
+      const updateAuthState = jest.fn();
+
+      await act(async () => {
+        renderAuthDebugger({
+          updateAuthState,
+          authState: {
+            ...defaultAuthState,
+            isInitiatingAuth: false,
+            oauthStep: "client_registration",
+            oauthMetadata: mockOAuthMetadata as unknown as OAuthMetadata,
+          },
+        });
+      });
+
+      await act(async () => {
+        fireEvent.click(screen.getByText("Continue"));
+      });
+
+      expect(mockRegisterClient).toHaveBeenCalledTimes(1);
+
+      // Should save and advance with the DCR client info
+      expect(updateAuthState).toHaveBeenCalledWith(
+        expect.objectContaining({
+          oauthClientInfo: expect.objectContaining({
+            client_id: "test_client_id",
+          }),
+          oauthStep: "authorization_redirect",
+        }),
+      );
+
+      // Verify the dynamically registered client info was persisted
+      expect(sessionStorage.setItem).toHaveBeenCalledWith(
+        `[${defaultProps.serverUrl}] ${SESSION_KEYS.CLIENT_INFORMATION}`,
+        expect.any(String),
+      );
+    });
+  });
+
   describe("OAuth State Persistence", () => {
     it("should store auth state to sessionStorage before redirect in Quick OAuth Flow", async () => {
       const updateAuthState = jest.fn();
diff --git a/client/src/lib/auth.ts b/client/src/lib/auth.ts
@@ -169,6 +169,12 @@ export class InspectorOAuthClientProvider implements OAuthClientProvider {
   }
 
   redirectToAuthorization(authorizationUrl: URL) {
+    if (
+      authorizationUrl.protocol !== "http:" &&
+      authorizationUrl.protocol !== "https:"
+    ) {
+      throw new Error("Authorization URL must be HTTP or HTTPS");
+    }
     window.location.href = authorizationUrl.href;
   }
 
diff --git a/client/src/lib/hooks/useConnection.ts b/client/src/lib/hooks/useConnection.ts
@@ -369,6 +369,7 @@ export function useConnection({
       return;
     }
 
+    let lastRequest = "";
     try {
       // Inject auth manually instead of using SSEClientTransport, because we're
       // proxying through the inspector server first.
@@ -582,7 +583,9 @@ export function useConnection({
       }
 
       if (capabilities?.logging && defaultLoggingLevel) {
+        lastRequest = "logging/setLevel";
         await client.setLoggingLevel(defaultLoggingLevel);
+        lastRequest = "";
       }
 
       if (onElicitationRequest) {
@@ -596,6 +599,17 @@ export function useConnection({
       setMcpClient(client);
       setConnectionStatus("connected");
     } catch (e) {
+      if (
+        lastRequest === "logging/setLevel" &&
+        e instanceof McpError &&
+        e.code === ErrorCode.MethodNotFound
+      ) {
+        toast({
+          title: "Error",
+          description: `Server declares logging capability but doesn't implement method: "${lastRequest}"`,
+          variant: "destructive",
+        });
+      }
       console.error(e);
       setConnectionStatus("error");
     }
diff --git a/client/src/lib/oauth-state-machine.ts b/client/src/lib/oauth-state-machine.ts
@@ -89,12 +89,16 @@ export const oauthTransitions: Record<OAuthStep, StateTransition> = {
         clientMetadata.scope = scopesSupported.join(" ");
       }
 
-      const fullInformation = await registerClient(context.serverUrl, {
-        metadata,
-        clientMetadata,
-      });
+      // Try Static client first, with DCR as fallback
+      let fullInformation = await context.provider.clientInformation();
+      if (!fullInformation) {
+        fullInformation = await registerClient(context.serverUrl, {
+          metadata,
+          clientMetadata,
+        });
+        context.provider.saveClientInformation(fullInformation);
+      }
 
-      context.provider.saveClientInformation(fullInformation);
       context.updateState({
         oauthClientInfo: fullInformation,
         oauthStep: "authorization_redirect",
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@modelcontextprotocol/inspector",
-  "version": "0.16.3",
+  "version": "0.16.4",
   "description": "Model Context Protocol inspector",
   "license": "MIT",
   "author": "Anthropic, PBC (https://anthropic.com)",
@@ -47,9 +47,9 @@
     "check-version": "node scripts/check-version-consistency.js"
   },
   "dependencies": {
-    "@modelcontextprotocol/inspector-cli": "^0.16.3",
-    "@modelcontextprotocol/inspector-client": "^0.16.3",
-    "@modelcontextprotocol/inspector-server": "^0.16.3",
+    "@modelcontextprotocol/inspector-cli": "^0.16.4",
+    "@modelcontextprotocol/inspector-client": "^0.16.4",
+    "@modelcontextprotocol/inspector-server": "^0.16.4",
     "@modelcontextprotocol/sdk": "^1.17.2",
     "concurrently": "^9.2.0",
     "open": "^10.2.0",
diff --git a/server/package.json b/server/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@modelcontextprotocol/inspector-server",
-  "version": "0.16.3",
+  "version": "0.16.4",
   "description": "Server-side application for the Model Context Protocol inspector",
   "license": "MIT",
   "author": "Anthropic, PBC (https://anthropic.com)",
@@ -27,7 +27,7 @@
     "typescript": "^5.6.2"
   },
   "dependencies": {
-    "@modelcontextprotocol/sdk": "^1.17.0",
+    "@modelcontextprotocol/sdk": "^1.17.2",
     "cors": "^2.8.5",
     "express": "^5.1.0",
     "ws": "^8.18.0",

Original file line number	Diff line number	Diff line change
`@@ -169,6 +169,12 @@ export class InspectorOAuthClientProvider implements OAuthClientProvider {`
`169`	`169`	`}`
`170`	`170`
`171`	`171`	`redirectToAuthorization(authorizationUrl: URL) {`
	`172`	`+ if (`
	`173`	`+ authorizationUrl.protocol !== "http:" &&`
	`174`	`+ authorizationUrl.protocol !== "https:"`
	`175`	`+ ) {`
	`176`	`+ throw new Error("Authorization URL must be HTTP or HTTPS");`
	`177`	`+ }`
`172`	`178`	`window.location.href = authorizationUrl.href;`
`173`	`179`	`}`
`174`	`180`