
fix: store resource in session storage #632


Open: wants to merge 7 commits into base: main


@jneums jneums commented Jul 21, 2025

Fixes a bug where the resource URL was lost during the OAuth redirect, causing a resource parameter mismatch error during the token exchange.

Motivation and Context

During the end-to-end OAuth flow in the Inspector's debug UI, the final token exchange step was failing with a resource parameter mismatch error.

The root cause was that the resource URL, determined during the initial metadata discovery step, was only being stored in the component's volatile in-memory state. When the user is redirected to the authorization server and then back to the Inspector, the page reloads, wiping out this in-memory state.

As a result, the final /token request was being sent with resource=undefined, which the authorization server correctly rejected. This change fixes the bug by ensuring the resource URL is persisted across the redirect.

How Has This Been Tested?

This has been tested by running the full end-to-end OAuth flow within the MCP Inspector's debug UI against a live resource server.

  • Scenario 1 (Failure): Before the fix, the flow would consistently fail at the final "Token Request" step with the resource parameter mismatch error.
  • Scenario 2 (Success): After implementing the fix, the flow now completes successfully. The resource URL is correctly retrieved from sessionStorage and included in the /token request, and valid tokens are received.

Breaking Changes

None. This is a bug fix internal to the Inspector's state management and does not alter any public APIs or user-facing configurations.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Additional context

The fix follows the existing pattern for persisting OAuth state in the DebugInspectorOAuthClientProvider.

  1. A RESOURCE_URL key was added to constants.ts.
  2. saveResource and getResource methods were added to the DebugInspectorOAuthClientProvider, using sessionStorage as the persistence layer.
  3. The OAuth state machine was updated to call saveResource after discovery and getResource before initiating the token exchange.

This ensures the resource URL reliably survives the page reload inherent in the OAuth redirect flow.

@olaservo olaservo added the auth Issues and PRs related to authentication and/or authorization label Aug 7, 2025
Member

@olaservo olaservo left a comment


Hi @jneums, thanks for the PR. Could you resolve the formatting issue? https://github.com/modelcontextprotocol/inspector/actions/runs/16794907055/job/47563830185?pr=632
Thanks!

@jneums
Author

jneums commented Aug 8, 2025

@olaservo I went ahead and ran prettier and it should be good now.

@jneums jneums requested a review from olaservo August 8, 2025 03:06
Member

@olaservo olaservo left a comment


Looks good to me, thanks!

@olaservo
Member

(I think this is ready to merge, just getting another pair of eyes on it since I saw a related conflicting PR come through)


@halter73 halter73 left a comment


I still think we should merge #714 to keep the AuthDebuggerState.resource a URL so it matches the type definition regardless of whether we keep this change.

resource: URL | null;

If we keep restoring AuthDebuggerState.resource as a string, that's just asking for more bugs down the road when people reasonably expect the state to match the type definition.

I don't know what makes this better than #714 if we end up having to merge #714 anyway, but I'm happy to approve anything that fixes the resource=undefined issue, and this PR has been open much longer.
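The persistence pattern from the PR description, combined with the `URL | null` restore raised in the last review comment, as an added example that is not code from this PR or from the Inspector. The storage key, helper names, sample URL and the `MemoryStorage` stand-in for `sessionStorage` are assumptions, and the token body carries only the fields relevant here.

```javascript
// Added example. Key name, helper names and URLs are hypothetical, not the Inspector's.
const RESOURCE_KEY = "example_oauth_resource_url";

// Stand-in for window.sessionStorage so the example also runs outside a browser.
class MemoryStorage {
  constructor() { this.items = new Map(); }
  getItem(k) { return this.items.has(k) ? this.items.get(k) : null; }
  setItem(k, v) { this.items.set(k, String(v)); }
  removeItem(k) { this.items.delete(k); }
}

// Before the redirect: storage holds strings only, so serialize the URL explicitly.
function saveResource(storage, resource) {
  if (!(resource instanceof URL)) throw new TypeError("resource must be a URL");
  storage.setItem(RESOURCE_KEY, resource.href);
}

// After the redirect: hand back URL | null, never a bare string or undefined.
function loadResource(storage) {
  const raw = storage.getItem(RESOURCE_KEY);
  if (raw === null) return null;
  try {
    return new URL(raw);
  } catch {
    storage.removeItem(RESOURCE_KEY); // drop a corrupted entry
    return null;
  }
}

// Failure mode: an unset field is stringified, producing resource=undefined.
function naiveTokenBody(state, code) {
  return new URLSearchParams({ grant_type: "authorization_code", code, resource: state.resource });
}

// Hardened form: fail locally instead of sending a request the server must reject.
function tokenBody(storage, code, codeVerifier) {
  const resource = loadResource(storage);
  if (resource === null) throw new Error("resource URL lost across redirect; restart the flow");
  return new URLSearchParams({
    grant_type: "authorization_code", code, code_verifier: codeVerifier, resource: resource.href,
  });
}

// Constructed walk-through: discovery, redirect (page reload), then token exchange.
function simulateFlow() {
  const storage = new MemoryStorage();
  saveResource(storage, new URL("https://rs.example.com/mcp"));
  const reloaded = {}; // in-memory state is empty after the reload
  return { naive: naiveTokenBody(reloaded, "abc").toString(), fixed: tokenBody(storage, "abc", "v").toString() };
}
```
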

Labels
auth Issues and PRs related to authentication and/or authorization

3 participants