OAuth Flow Metadata Discovery & DCR inconsistent behavior per call for HTTP header allow origin

[symdeb]

Describe the bug

To set the response headers on a hosted website (with PHP) , setting the header
Header set Access-Control-Allow-Origin "*" result in that Metadata Discovery failure.
This same header MUST be set for /register call to pass (when not set it fails) when it send
OPTIONS to the site. This is a catch22. It's not possible to set different security headers per API call.

To Reproduce

A. On a local machine run the inspector
B. Install an OAUTH2 server that also supports DCR.
C. Run the inspector Oauth2 cycle (keep client ID empty otherwise inspector will not call the register endpoint)

1. Add to .htaccess on the server (website) .htaccess
   Header set Access-Control-Allow-Origin "*"
   Inspector Metadiscovery fails with
   Error: Failed to discover OAuth metadata

2. Remove the header.
   Inspector Metadiscovery passes, shows
   "OAuth Metadata Sources"

3. Going next, client registration to API endpoint /register fails with
   Error: Failed to fetch

4. Add to .htaccess on the website
   Header set Access-Control-Allow-Origin "*"
   Repeat next step for client registration
   call /register
   register passes

5. From here next steps continue normally (login screen on the authentication site...etc..)

NO OTHER CHANGES THEN ADD/REMOVE THE HEADER IN .HTACCESS WERE MADE

It seems Inconsistent behavior/expectation of inspector for expected header per API call
While the call to /..well-known/ discovering the authorization server does not accept this header, the PREFLIGHT OPTIONS call to /register call requires it.

Expected behavior
consistent behavior of inspector for expected headers per API call.
suggest remove the requirement for inspector to check on the Access-Control-Allow-Origin header, it may cause multiple issues with different servers.

Logs
N/A

Additional context
[1] The MCP server is hosted on hostgator.
[2] For Header set Access-Control-Allow-Origin "*" only one option is allowed. Since the caller can be from any site , "*" is used here.
[3] the PHP set header () function has no effect on returned headers, only the one define in .htaccess or in server's configuration files works. These are STATIC values and CANNOT be dynamically changed based on the calling IP/hostm url or call (OPTION, GET or POST).
[3] Why does a returned Header set Access-Control-Allow-Origin "*" fail for the call to .welknown url ?

[symdeb]

Could someone confirm this issue is valid ? It is quite annoying to have to change the .htaccess file for the auth server discovery and register call each time manually on the server. Even setting the Origin header to http://localhost:6274/ on the public server sill results in a metadata error.

[olaservo]

Thanks @symdeb , to diagnose this further it would help to have:

1. Could you get browser network logs from the Network tab when you reproduce the issue, and share screenshots or HAR file showing:

   • The failing metadata discovery request (with headers)
   • The working /register request (with headers)
   • Any OPTIONS preflight requests

2. You mentioned it's PHP on HostGator, but which OAuth implementation are you using?

3. Try setting all CORS headers, not just Origin? eg:

   Header set Access-Control-Allow-Origin "http://localhost:6274"
   Header set Access-Control-Allow-Methods "GET, POST, OPTIONS"
   Header set Access-Control-Allow-Headers "Content-Type, Authorization"

[symdeb]

Will get the logs but for the moment

1. ALL the request are 100% exactly the same for success and failure, the ONLY different is removing/adding the Header set Access-Control-Allow-Origin line in .htaccess on the host

2. Own PHP based OAUTH2 implementation that works fine with a multiple other services in the past 10 years or so (Amazon, Google etc..)

3. The case was already isolated to only the Origin header as the differentatior. The other two are always set

4. Question: Has Inspector been tested with other shared hosting solutions ? if not, perhaps give it a try ?

5.Question: what does inspector expect ? Does it expect the same headers for the discovery, register and other calls ?

[symdeb]

Here are the logs at the server, Once again with/without origin refers here to adding the line
Access-Control-Allow-Origin "*" in htaccess or not. It's the only difference.
MCP inspector 0.16.8.
Note: The IP address and host name are masked in the file.

oauth.zip

[symdeb]

Progress ? Anyone could replicate this ?

[symdeb]

Moved on to PHP8,. PHP8 seems to have changed the whole CORS implementaiton from .htaccess to PHP code to retrrn header. this is a very welcome change to return header per type of call and it now works as expected. Add this any response:

		header("Access-Control-Allow-Origin: *");
		header("Access-Control-Allow-Headers: *");