fix: store resource in session storage

[jneums]

Fixes a bug where the resource URL was lost during the OAuth redirect, causing a resource parameter mismatch error during the token exchange.

Motivation and Context

During the end-to-end OAuth flow in the Inspector's debug UI, the final token exchange step was failing with a resource parameter mismatch error.

The root cause was that the resource URL, determined during the initial metadata discovery step, was only being stored in the component's volatile in-memory state. When the user is redirected to the authorization server and then back to the Inspector, the page reloads, wiping out this in-memory state.

As a result, the final /token request was being sent with resource=undefined, which the authorization server correctly rejected. This change fixes the bug by ensuring the resource URL is persisted across the redirect.

How Has This Been Tested?

This has been tested by running the full end-to-end OAuth flow within the MCP Inspector's debug UI against a live resource server.

• Scenario 1 (Failure): Before the fix, the flow would consistently fail at the final "Token Request" step with the resource parameter mismatch error.
• Scenario 2 (Success): After implementing the fix, the flow now completes successfully. The resource URL is correctly retrieved from sessionStorage and included in the /token request, and valid tokens are received.

Breaking Changes

None. This is a bug fix internal to the Inspector's state management and does not alter any public APIs or user-facing configurations.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Documentation update

Checklist

• I have read the MCP Documentation
• My code follows the repository's style guidelines
• New and existing tests pass locally
• I have added appropriate error handling
• I have added or updated documentation as needed

Additional context

The fix follows the existing pattern for persisting OAuth state in the DebugInspectorOAuthClientProvider.

1. A RESOURCE_URL key was added to constants.ts.
2. saveResource and getResource methods were added to the DebugInspectorOAuthClientProvider, using sessionStorage as the persistence layer.
3. The OAuth state machine was updated to call saveResource after discovery and getResource before initiating the token exchange.

This ensures the resource URL reliably survives the page reload inherent in the OAuth redirect flow.

[olaservo]

Hi @jneums , thanks for the PR. Could you resolve the formatting issue? https://github.com/modelcontextprotocol/inspector/actions/runs/16794907055/job/47563830185?pr=632
Thanks!

[jneums]

@olaservo I went ahead and ran prettier and it should be good now.

[olaservo]

Looks good to me, thanks!

[olaservo]

(I think this is ready to merge, just getting another pair of eyes on it since I saw a related conflicting PR come through)

[halter73]

I still think we should merge #714 to keep the AuthDebuggerState.resource a URL so it matches the type definition regardless of whether we keep this change.

inspector/client/src/lib/auth-types.ts

Line 33 in 16edf53

resource: URL | null;

If we keep restoring AuthDebuggerState.resource as a string, that's just asking for more bugs down the road when people reasonably expect the state to match the type definition.

I don't know what makes this better than #714 if we end up having to merge #714 anyway, but I'm happy to approve anything that fixes the resource=undefined issue, and this PR has been open much longer.