Authentication Header not coming through with TypeScript SDK 1.18.2 #829
Description
Inspector Version
0.16.8 (latest)
Describe the bug
Attempt to connect to an MCP server which uses @modelcontextprotocol/[email protected] and reports 401 upon unauthorized connection (like this one).
This triggers the OAuth flow as expected, however, the Inspector doesn't appear to be sending the auth token in the authorization header, leading to an infinite loop:
My server logs:
{ authorization: null }
(x6)
{ authorization: null }
(x7)
{ authorization: 'Bearer' }
OAuth error response: 401 invalid_token - Missing or invalid access token
{ authorization: null }
{ authorization: null }
(x2)
{ authorization: null }
(x3)
{ authorization: null }
(x4)
The inspector logs:
New StreamableHttp connection request
Query parameters: {"url":"http://localhost:8877/mcp","transportType":"streamable-http"}
Created StreamableHttp client transport
Client <-> Proxy sessionId: cbf4e713-924d-4e49-9076-858c553d47d5
Error from MCP server: Error: Error POSTing to endpoint (HTTP 401): {"error":"invalid_token","error_description":"Missing or invalid access token"}
at StreamableHTTPClientTransport.send (file:///Users/kentcdodds/code/epic-web/epic-me-mcp/node_modules/@modelcontextprotocol/sdk/dist/esm/client/streamableHttp.js:284:23)
at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
New StreamableHttp connection request
Query parameters: {"url":"http://localhost:8877/mcp","transportType":"streamable-http"}
Created StreamableHttp client transport
Client <-> Proxy sessionId: 61de52e2-359a-4178-9081-c0ed74d79f1c
Error from MCP server: Error: Error POSTing to endpoint (HTTP 401): {"error":"invalid_token","error_description":"Missing or invalid access token"}
at StreamableHTTPClientTransport.send (file:///Users/kentcdodds/code/epic-web/epic-me-mcp/node_modules/@modelcontextprotocol/sdk/dist/esm/client/streamableHttp.js:284:23)
at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
New StreamableHttp connection request
Query parameters: {"url":"http://localhost:8877/mcp","transportType":"streamable-http"}
Created StreamableHttp client transport
Client <-> Proxy sessionId: de6594fe-e171-4841-9ede-2bcbba107722
Error from MCP server: Error: Error POSTing to endpoint (HTTP 401): {"error":"invalid_token","error_description":"Missing or invalid access token"}
at StreamableHTTPClientTransport.send (file:///Users/kentcdodds/code/epic-web/epic-me-mcp/node_modules/@modelcontextprotocol/sdk/dist/esm/client/streamableHttp.js:284:23)
at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
To Reproduce
Steps to reproduce the behavior:
git clone https://github.com/epicweb-dev/epic-me-mcp.git
cd epic-me-mcp
git checkout f64a979cb5ffbbf4554d4399e045da6aa540034c
npm install
npm run dev
In another tab:
npm run inspect
- Click Connect
- The OAuth flow will complete (using just-in-time auth so you won't see it pop up... I have reproduced the same issue in another server that uses more traditional auth so I know this isn't the issue)
- The app doesn't show you there's anything wrong, but behind the scenes it's DOS-ing the server 😅
Expected behavior
Send the authorization header it retrieved from the OAuth flow.
The inspector should probably detect when there's an infinite loop like this and prevent it too?
Environment (please complete the following information):
- OS: macOS
- Browser Brave
Additional context
I haven't had time to dig any deeper into this. Seems odd to me. It's possible this is an issue in the SDK, but I've verified things are working as expected with other clients like nanobot.ai so I think there's an issue with the Inspector.