Duplicate redirect URIs generated by DebugInspectorOAuthClientProvider cause DCR failure

[anatoly314]

Inspector Version
v0.16.8

Environment

• OS: macOS
• Browser: Chrome

Describe the bug
When using DebugInspectorOAuthClientProvider, the clientMetadata that gets sent during Dynamic Client Registration (DCR) contains duplicate redirect URIs. This causes the authorization server (Clerk in my case) to reject the registration with an error:

duplicate redirect URI

To Reproduce

1. Use DebugInspectorOAuthClientProvider to perform DCR at Clerk (or another IdP that validates redirect URIs strictly).
2. Inspect the registration payload being sent.
3. Notice the redirect_uris array has the same value twice:

{
  "redirect_uris": [
    "http://localhost:6274/oauth/callback/debug",
    "http://localhost:6274/oauth/callback/debug"
  ],
  "token_endpoint_auth_method": "none",
  "grant_types": ["authorization_code","refresh_token"],
  "response_types": ["code"],
  "client_name": "MCP Inspector",
  "client_uri": "https://github.com/modelcontextprotocol/inspector",
  "scope": "openid profile email"
}

Expected behavior
The client metadata should register both the normal and debug redirect URIs:

{
  "redirect_uris": [
    "http://localhost:6274/oauth/callback",
    "http://localhost:6274/oauth/callback/debug"
  ],
  ...
}

Root cause
DebugInspectorOAuthClientProvider overrides redirectUrl to return debugRedirectUrl. Since the base clientMetadata getter builds redirect_uris: [this.redirectUrl, this.debugRedirectUrl], in the subclass this evaluates to two identical values.

Workaround
I was able to fix the issue locally by overriding clientMetadata in the debug subclass so it explicitly uses super.redirectUrl along with this.debugRedirectUrl, e.g.:

get clientMetadata(): OAuthClientMetadata {
  return {
    redirect_uris: [super.redirectUrl, this.debugRedirectUrl],
    token_endpoint_auth_method: "none",
    grant_types: ["authorization_code", "refresh_token"],
    response_types: ["code"],
    client_name: "MCP Inspector (Debug)",
    client_uri: "https://github.com/modelcontextprotocol/inspector",
    scope: this.scope ?? "",
  };
}

This avoids duplicates and allows DCR to succeed.

Additional context
This feels like a workaround — I’d like to get community feedback and maintainers’ input on whether the fix should be to override clientMetadata, or to restructure how the base and debug providers handle redirect URIs.

[RileyNorton]

This is also causing issues for my use of the MCP Inspector.

Because of the duplicate values, when the MCP Inspector goes to refresh the tokens (which it does on connect with unexpired tokens for some reason), the auth code flow fails because my authorization server realizes that the non-debug redirect_uri was not specified during DCR and rejects the /authorize call with a 400.

[RileyNorton]

This is also causing issues for my use of the MCP Inspector.

Because of the duplicate values, when the MCP Inspector goes to refresh the tokens (which it does on connect with unexpired tokens for some reason), the auth code flow fails because my authorization server realizes that the non-debug redirect_uri was not specified during DCR and rejects the /authorize call with a 400.

I've verified that this isn't an issue with v0.16.7.

Whew and I thought I broke something in my server again :D

You can use

pnpx @modelcontextprotocol/inspector@0.16.7

[anatoly314]

Unfortunately it isn't the single bug in 0.16.8, here another one: #826

[keurcien]

Same error raised with Auth0:

{
    "statusCode": 400,
    "error": "Bad Request",
    "message": "Payload validation error: 'Array items are not unique (indexes 0 and 1)' on property redirect_uris (A set of URLs that are valid to call back from Auth0 when authenticating users).",
    "errorCode": "invalid_body"
}

[cliffhall]

@anatoly314 Fix incoming. Thanks for looking into the actual problem and showing your workaround. It helped a lot.

[cliffhall]

Hey folks, the latest Inspector release contains the fix for this. Please try again with npx @modelcontextprotocol/inspector@latest or npx @modelcontextprotocol/inspector@0.17.1