Inspector Version
0.21.1
Describe the bug
MCP Inspector makes requests to the OAuth token endpoint with an invalid content-type, application/json, application/x-www-form-urlencoded, for the refresh_token grant type.
When the MCP Inspector initially authenticates, it makes the first request to the token endpoint with the "authorization_code" grant type, and it correctly sets content-type: application/x-www-form-urlencoded. When the initial access token expires, and it requests a new one from the token endpoint with the refresh_token endpoint, it incorrectly sets content-type: application/json, application/x-www-form-urlencoded.
Here are screenshots from Chrome DevTools. The first is the initial token request with the "authorization_code" grant type, which sets the correct content-type. The second is the "refresh_token" request, which sets the invalid content-type.
Initial token request with "authorization_code" grant type:

And the subsequent request with "refresh_token" grant type:

To Reproduce
- Connect to an MCP server and go through the authorization flow. Observe network tools, and note that the initial request to the OAuth token endpoint sets content-type: application/x-www-form-urlencoded
- Wait for the initial access token to expire, and note that the subsequent request to the token endpoint sets content-type: application/json, application/x-www-form-urlencoded
Expected behavior
Requests to the token endpoint always set content-type: application/x-www-form-urlencoded. The OAuth spec is clear that requests to the token endpoint must use this:
https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-15.html#name-token-endpoint-request
Screenshots
Initial token request with "authorization_code" grant type:

Subsequent token request with "refresh_token" grant type:

Environment (please complete the following information):
Additional context
N/A
Version Consideration
Inspector V2 is under development to address architectural and UX improvements. During this time, V1 contributions should focus on bug fixes and MCP spec compliance. See CONTRIBUTING.md for more details.
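An added example, not code from the Inspector project or from the reporter: a JavaScript check that a token request's Content-Type is exactly the form-encoded media type, usable as a regression test for the refresh path. The names `checkTokenContentType`, `buildRefreshRequest`, `appendedValue` and the sample defaults are hypothetical and constructed; `appendedValue` only shows that the Fetch `Headers` API produces the same combined value when a second Content-Type is appended, which is an assumption about how such a value can arise, not a diagnosis of the Inspector.

```javascript
// Added example: hypothetical names, constructed inputs.
const FORM = "application/x-www-form-urlencoded";

// Validate a raw Content-Type header value taken from a token request.
function checkTokenContentType(raw) {
  if (typeof raw !== "string" || raw.trim() === "") {
    return { ok: false, reason: "missing Content-Type" };
  }
  // Content-Type carries one media type. A comma means several values were
  // combined into one field (this media type has no quoted-comma parameters).
  if (raw.includes(",")) {
    return { ok: false, reason: "multiple media types: " + raw };
  }
  // Ignore parameters such as "; charset=UTF-8"; media types are case-insensitive.
  const mediaType = raw.split(";")[0].trim().toLowerCase();
  return mediaType === FORM
    ? { ok: true, reason: "form-encoded" }
    : { ok: false, reason: "unexpected media type: " + mediaType };
}

// Constructed stand-in for client-wide default headers (assumption).
const JSON_DEFAULTS = { "Content-Type": "application/json" };

// append() adds a second value; get() then returns both joined by ", ".
function appendedValue() {
  const headers = new Headers(JSON_DEFAULTS);
  headers.append("Content-Type", FORM);
  return headers.get("Content-Type");
}

// Build a refresh_token request whose header cannot be combined with a default:
// set() replaces any existing Content-Type instead of adding to it.
function buildRefreshRequest(refreshToken, clientId, defaults) {
  const headers = new Headers(defaults);
  headers.set("Content-Type", FORM);
  const body = new URLSearchParams({
    grant_type: "refresh_token",
    refresh_token: refreshToken,
    client_id: clientId,
  }).toString();
  return { headers, body };
}
```

In a test suite, run `checkTokenContentType` on the captured header of every token request, including the one issued after the access token expires.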