Description
Inspector Version
MCP Inspector v0.17.2
Describe the bug
MCP Inspector fails to connect to OAuth 2.0 token endpoints when using confidential clients (clients with a client_id and client_secret). The issue occurs because MCP Inspector defaults to token_endpoint_auth_method=none in client/src/lib/auth.ts but doesn't send the required client_id parameter in the request body, causing the token request to fail.
Current auth.ts:
```ts
get clientMetadata(): OAuthClientMetadata {
  return {
    redirect_uris: this.redirect_uris,
    token_endpoint_auth_method: "none",
    grant_types: ["authorization_code", "refresh_token"],
    response_types: ["code"],
    client_name: "MCP Inspector",
    client_uri: "https://github.com/modelcontextprotocol/inspector",
    scope: this.scope ?? "",
  };
}
```
To Reproduce
Steps to reproduce the behavior:
- Try to connect to an MCP server that has the following supported token endpoint auth types. For example, its /oauth-authorization-server endpoint would have something like:
```json
"token_endpoint_auth_methods_supported": [
  "client_secret_basic",
  "client_secret_post",
  "none"
]
```
- Walk through the OAuth Flow Progress
- Hit "Failed to Fetch" error during Token Request step
If you take the same request and append a "client_id" request parameter, you will retrieve a valid access token back.
Current failed behavior, where the token endpoint gives:
```json
{"error":"invalid_request","request_id":"...","error_description":"Invalid authorization code"}
```
Appending the client_id parameter gives something like:
```json
{"access_token":"eyJ...","scope":"mcp.functions","token_type":"Bearer","expires_in":3600}
```
Expected behavior
Authenticated successfully
Environment (please complete the following information):
- MCP Inspector v0.17.2
- OS: [e.g. iOS] MAC
- Browser [e.g. chrome, safari] CHROME
Additional context
Previously added client secret support in #859
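
Added example (not part of the original issue and not MCP Inspector's code): a sketch of how a client can pick a token endpoint auth method from the server's advertised list and always identify itself in the token request, including `client_id` in the body for `none`. The names `pickAuthMethod` and `buildTokenRequest`, and the preference for `client_secret_basic` when a secret is configured, are assumptions for illustration.

```typescript
// Added example: hypothetical helpers, not code from MCP Inspector.
type AuthMethod = "none" | "client_secret_post" | "client_secret_basic";
interface TokenRequest { headers: Record<string, string>; body: string }

// application/x-www-form-urlencoded encoding of a single value.
const formEncode = (v: string): string =>
  new URLSearchParams({ v }).toString().slice(2);

// Assumption: use an authenticated method when a secret is configured and
// the server advertises one; otherwise act as a public client ("none").
function pickAuthMethod(supported: string[], clientSecret?: string): AuthMethod {
  if (clientSecret) {
    if (supported.includes("client_secret_basic")) return "client_secret_basic";
    if (supported.includes("client_secret_post")) return "client_secret_post";
  }
  if (supported.includes("none")) return "none";
  throw new Error("no mutually supported token_endpoint_auth_method");
}

function buildTokenRequest(
  method: AuthMethod, clientId: string, code: string,
  redirectUri: string, clientSecret?: string,
): TokenRequest {
  const headers: Record<string, string> = {
    "Content-Type": "application/x-www-form-urlencoded",
  };
  const body = new URLSearchParams({
    grant_type: "authorization_code",
    code,
    redirect_uri: redirectUri,
  });
  if (method === "client_secret_basic") {
    if (!clientSecret) throw new Error("client_secret required");
    // RFC 6749 section 2.3.1: form-encode both parts, then Base64.
    headers["Authorization"] =
      "Basic " + btoa(`${formEncode(clientId)}:${formEncode(clientSecret)}`);
  } else {
    // RFC 6749 section 4.1.3: client_id is required in the body when the
    // client does not otherwise authenticate, which covers "none".
    body.set("client_id", clientId);
    if (method === "client_secret_post") {
      if (!clientSecret) throw new Error("client_secret required");
      body.set("client_secret", clientSecret);
    }
  }
  return { headers, body: body.toString() };
}
```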