[Auth] Fails to Use JWT Token, Enters Infinite OAuth Loop

[Grebyn35]

MCP Tool Inspector enters an infinite OAuth loop by repeatedly requesting new authorization codes instead of using the JWT token it successfully receives. This behavior prevents the client from completing the OAuth flow and accessing the MCP server.

Steps to reproduce the behavior:
Open MCP Tool Inspector and attempt to connect to an MCP server that requires OAuth authentication.
Follow the OAuth flow to authorize the client:
MCP Tool Inspector requests an authorization code from /api/oauth/authorize.
The server redirects to the callback URL with the authorization code.
MCP Tool Inspector exchanges the authorization code for a JWT token at /api/oauth/token.
Observe that instead of using the JWT token, MCP Tool Inspector requests a new authorization code, entering an infinite loop.

After receiving a JWT token from the /api/oauth/token endpoint, MCP Tool Inspector should use this token to authenticate requests to the MCP server, completing the OAuth flow successfully.

Redirecting to: http://localhost:6274/oauth/callback?code=ac_...
OAuth Token Exchange Request: { grant_type: 'authorization_code', ... }
Generated JWT token: eyJhbGciOiJIUzI1NiIs...
GET /api/oauth/authorize?response_type=code&client_id=...

The issue is specific to MCP Tool Inspector. Other clients like Cursor and Claude Desktop complete the OAuth flow successfully.
Enhanced logging indicates that MCP Tool Inspector receives the JWT token but does not use it, instead requesting a new authorization code.
The problem appears to be a client-side implementation bug in MCP Tool Inspector's handling of the OAuth flow.

[williamoleria]

I ran into the same issue. use the MCP Inspector and try the "connect" button, it ran into infinite oauth loop.

If use the oauth setting, clear the oauth state and run the oauth guided flow step by step, after it is successfully completed with an oauth token, clicking on "connect" button then it establishes the connection successfully.

[gcaprio]

I've now found this on Claude Code when using remote MCP servers. When running the MCP server locally, the OAuth loop works fine.

[jkhaui]

Finally stumbled upon this, thanks for creating this issue - I thought I was going crazy.

I've been debugging this endless redirect behaviour all day (exactly as described), thinking there was some messed up logic in my token exchange flow or something, despite also successfully logging a JWT.

[caravin]

I also faced this issue today. From what I can see in the logs, the UI is getting the token after successful oauth flow, then when it makes the call to proxyserver, it is throwing an error that the token is expired prompting the UI to refresh the token. However, as of now, there is no "Refresh token" implementation. Instead it is simply redoing the oauth flow making it into an infinite loop.
#665

If we can somehow fix the token expiry issue, this should get resolved.

[btiernay]

I hit this a lot too. It can happen any time a 401 is returned from the MCP server that is not self-recoverable (like invalid scopes requested, or etc). In my case,this is usually a misconfiguration on my part for the AS or the MCP server.

[Avyakta000]

I’m facing the same issue - after a successful OAuth flow the Inspector receives a JWT but re-enters the auth flow in an infinite loop. It only works correctly when I go through the Quick OAuth Flow.

[cliffhall]

Hi @Grebyn35!

Can you try again with the latest version of the Inspector 0.16.5, and let us know what happens? If possible, could you add screenshots of the inspector panel network tab, and possibly a short video pointing out the issue. Also, what can you tell us about the server you're attempting to connect to? Can you reproduce it with a minimal server implementation that we can test against?

[olaservo]

This issue hasn't had any activity in a while and there have been a few updates related to this part of Inspector since it was opened. I'm going to close this for now, but please re-open if there is still an issue in the latest version and you can share the info that Cliff mentioned, to help track down what is happening here.

[werkamsus]

Still happens for me. With ❯@modelcontextprotocol/inspector@0.16.7 auth works, but with @latest I get the infinite redirect too.