Inspector Version
v0.21.2
Describe the bug
The MCP Inspector rejects valid OAuth flows when the resource value returned by the MCP server’s OAuth Protected Resource Metadata does not match the MCP endpoint URL (or its origin).
Inspector fails the OAuth flow with the following error:
Failed to start OAuth flow: Protected resource urn:valid:urn:identifier does not match expected http://localhost:8000/mcp/ (or origin)
This behaviour incorrectly assumes that the OAuth resource identifier must equal the MCP endpoint URL. This is not required by the MCP specification or OAuth standards and prevents valid use cases such as URN-based resource identifiers.
This means that if debugging locally, and the server is running on localhost, the "resource" will always be expected to be "http://localhost:8000/mcp" when requesting a token. If the application spins up a dynamic URL in your "dev" environment, you will constantly need to update your application registration to match the resource.
To Reproduce
Steps to reproduce the behavior:
- Configure an MCP server that exposes OAuth Protected Resource Metadata at /.well-known/oauth-protected-resource with a valid non-URL resource identifier, e.g.:
  {
    "resource": "urn:valid:urn:identifier",
    "authorization_servers": ["https://auth.example.com"]
  }
- Add the clientID, redirect URL and scopes in the MCP Inspector
- Try and connect via the OAuth flow
- Observe the error
Expected behavior
MCP Inspector should accept and use the resource value exactly as provided by the MCP server’s OAuth Protected Resource Metadata.
Specifically:
- Inspector should not require the resource identifier to match the MCP endpoint URL or its origin.
- Valid URIs such as URNs must be accepted as resource identifiers.
- The client should pass the server-defined resource value to the authorisation server without enforcing URL equivalence.
Screenshots
Environment (please complete the following information):
- OS: macOS
- Browser: Chrome
Additional context
This behaviour conflicts with both the MCP Authorisation specification and OAuth standards:
Requiring resource to match the MCP endpoint URL breaks:
- URN-based resource identifiers
- logical or virtual MCP resources
- correct audience (aud) selection by the authorisation server
Version Consideration
This issue specifically concerns MCP spec compliance and should be addressed in V1.
This behaviour conflicts with both the MCP Authorisation specification and OAuth standards:
https://modelcontextprotocol.io/specification/draft/basic/authorization
https://www.rfc-editor.org/rfc/rfc9728
https://www.rfc-editor.org/rfc/rfc8707
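An added example (not MCP Inspector source code) that models the comparison implied by the error message in this report and runs it against the metadata shown in the reproduction steps. The function names and the trailing-slash normalisation are assumptions made for illustration.

```javascript
// Constructed sample: the Protected Resource Metadata document from this report.
const sampleMetadata = {
  resource: "urn:valid:urn:identifier",
  authorization_servers: ["https://auth.example.com"],
};

// Parse an absolute URI; returns null when the string is not one.
function parseUri(value) {
  try {
    return new URL(value);
  } catch {
    return null;
  }
}

// Compare without trailing slashes so /mcp and /mcp/ are treated alike.
function stripSlash(url) {
  return (url.origin + url.pathname).replace(/\/+$/, "");
}

// Hypothetical model of the check described in the report: the advertised
// resource must equal the MCP endpoint URL or its origin.
function matchesEndpointOrOrigin(resource, endpoint) {
  const r = parseUri(resource);
  const e = parseUri(endpoint);
  if (!r || !e) return false;
  // A URN parses as a URI but has the opaque origin "null", so it can
  // never equal an http(s) endpoint or origin under this rule.
  if (r.origin === "null") return false;
  return stripSlash(r) === stripSlash(e) || stripSlash(r) === e.origin;
}

// Returns the outcome of the check, with the error text seen in the report.
function describeCheck(metadata, endpoint) {
  if (matchesEndpointOrOrigin(metadata.resource, endpoint)) {
    return { ok: true, resource: metadata.resource };
  }
  return {
    ok: false,
    error: `Protected resource ${metadata.resource} does not match expected ${endpoint} (or origin)`,
  };
}

console.log(describeCheck(sampleMetadata, "http://localhost:8000/mcp/"));
```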