fix: store resource in session storage #632

Open: wants to merge 1 commit into base: main
@jneums jneums commented Jul 21, 2025

Fixes a bug where the resource URL was lost during the OAuth redirect, causing a resource parameter mismatch error during the token exchange.

Motivation and Context

During the end-to-end OAuth flow in the Inspector's debug UI, the final token exchange step was failing with a resource parameter mismatch error.

The root cause was that the resource URL, determined during the initial metadata discovery step, was only being stored in the component's volatile in-memory state. When the user is redirected to the authorization server and then back to the Inspector, the page reloads, wiping out this in-memory state.

As a result, the final /token request was being sent with resource=undefined, which the authorization server correctly rejected. This change fixes the bug by ensuring the resource URL is persisted across the redirect.

How Has This Been Tested?

This has been tested by running the full end-to-end OAuth flow within the MCP Inspector's debug UI against a live resource server.

  • Scenario 1 (Failure): Before the fix, the flow would consistently fail at the final "Token Request" step with the resource parameter mismatch error.
  • Scenario 2 (Success): After implementing the fix, the flow now completes successfully. The resource URL is correctly retrieved from sessionStorage and included in the /token request, and valid tokens are received.

Breaking Changes

None. This is a bug fix internal to the Inspector's state management and does not alter any public APIs or user-facing configurations.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Additional context

The fix follows the existing pattern for persisting OAuth state in the DebugInspectorOAuthClientProvider.

  1. A RESOURCE_URL key was added to constants.ts.
  2. saveResource and getResource methods were added to the DebugInspectorOAuthClientProvider, using sessionStorage as the persistence layer.
  3. The OAuth state machine was updated to call saveResource after discovery and getResource before initiating the token exchange.

This ensures the resource URL reliably survives the page reload inherent in the OAuth redirect flow.
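
The failure mode and the fix described in this PR, reproduced as an added example that is not part of the PR or the Inspector's code base. Only the `saveResource`/`getResource` method names come from the description; `MemoryStorage`, `ExampleProvider`, the key string, the authorization code and the `mcp.example.com` URL are assumptions made for illustration.

```javascript
// Added example; not the Inspector's code. Key string and URLs are constructed.
const RESOURCE_URL_KEY = "example_oauth_resource_url"; // hypothetical value

// Stand-in for window.sessionStorage so the example runs outside a browser.
class MemoryStorage {
  constructor() { this.items = new Map(); }
  getItem(k) { return this.items.has(k) ? this.items.get(k) : null; }
  setItem(k, v) { this.items.set(k, String(v)); }
}

class ExampleProvider {
  constructor(storage) {
    this.storage = storage;
    this.inMemoryResource = undefined; // component state: reset on every page load
  }
  saveResource(url) {
    this.inMemoryResource = url;
    this.storage.setItem(RESOURCE_URL_KEY, url.href);
  }
  getResource() {
    const raw = this.storage.getItem(RESOURCE_URL_KEY);
    return raw === null ? undefined : new URL(raw); // throws on a corrupted value
  }
}

// Before the fix: the token request body is built from in-memory state only.
function tokenBodyFromMemory(provider, code) {
  // URLSearchParams stringifies undefined, producing the literal "resource=undefined".
  const params = { grant_type: "authorization_code", code, resource: provider.inMemoryResource };
  return new URLSearchParams(params).toString();
}

// After the fix: read the persisted value and refuse to build a request without it.
function tokenBodyFromStorage(provider, code) {
  const resource = provider.getResource();
  if (!resource) throw new Error("resource URL missing after redirect");
  const params = { grant_type: "authorization_code", code, resource: resource.href };
  return new URLSearchParams(params).toString();
}

// One browser tab: storage survives the redirect, the provider object does not.
function simulateRedirect(code = "constructed-code") {
  const tabStorage = new MemoryStorage();
  new ExampleProvider(tabStorage).saveResource(new URL("https://mcp.example.com/mcp"));
  const afterReload = new ExampleProvider(tabStorage); // fresh instance after the reload
  return {
    before: tokenBodyFromMemory(afterReload, code),
    after: tokenBodyFromStorage(afterReload, code),
  };
}
```

Failing closed when the stored value is absent keeps a request with `resource=undefined` from ever reaching the authorization server, so the error surfaces in the client at the point where the state was lost.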
