OAuth Dynamic Client Registration fails with strict providers due to client_uri mismatch #710

@anatoly314

Description

Problem Description

MCP Inspector's OAuth Dynamic Client Registration fails with Clerk and potentially other strict OAuth providers due to a client_uri origin mismatch error.

Current Behavior

  • MCP Inspector hardcodes client_uri: "https://github.com/modelcontextprotocol/inspector" in the OAuth client metadata
  • The redirect_uri uses http://localhost:6274/oauth/callback/debug (or similar local origin)
  • Strict OAuth providers like Clerk reject this configuration with error: "client_uri must have the same origin as a redirect_uri"

Expected Behavior

MCP Inspector should work with strict OAuth providers without requiring source code modifications.

Root Cause

The issue occurs in /client/src/lib/auth.ts where the InspectorOAuthClientProvider class hardcodes:

get clientMetadata(): OAuthClientMetadata {
  return {
    redirect_uris: [this.redirectUrl],
    token_endpoint_auth_method: "none",
    grant_types: ["authorization_code", "refresh_token"],
    response_types: ["code"],
    client_name: "MCP Inspector",
    client_uri: "https://github.com/modelcontextprotocol/inspector",  // <-- Hardcoded
  };
}

While redirect_uris uses the current origin (window.location.origin + "/oauth/callback"), the client_uri points to GitHub, causing the mismatch.

Impact

Users cannot use MCP Inspector with OAuth providers that enforce strict validation of client_uri matching redirect_uri origins, including:

  • Clerk
  • Potentially other enterprise OAuth providers with strict security requirements

Proposed Solution

Make client_uri configurable with smart defaults:

  1. Default to current origin: Use window.location.origin by default (matches redirect_uri origin)
  2. Allow configuration: Let users configure via settings/environment variables
  3. Support omission: Allow omitting client_uri entirely (it's optional per OAuth 2.0 spec RFC 7591)

Implementation Approach

Add a new configuration option OAUTH_CLIENT_URI with these behaviors:

  • "origin" (default) - Uses window.location.origin
  • "" (empty) - Omits client_uri from metadata
  • Custom URL - Uses the specified URL

This maintains backward compatibility while fixing the issue for strict OAuth providers.
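The three OAUTH_CLIENT_URI behaviours above, as an added example that is not the Inspector's own code: the function names (resolveClientUri, buildClientMetadata, checkClientUriOrigin) are hypothetical, and the last one mirrors the origin check a strict provider like Clerk applies so the fix can be verified locally.

```typescript
// Added example, not code from the Inspector repository. Resolves the
// proposed OAUTH_CLIENT_URI setting, builds the RFC 7591 client metadata,
// and applies the same client_uri/redirect_uri origin check the issue quotes.

// Minimal shape of the metadata fields discussed in the issue.
interface OAuthClientMetadata {
  redirect_uris: string[];
  token_endpoint_auth_method: string;
  grant_types: string[];
  response_types: string[];
  client_name: string;
  client_uri?: string; // OPTIONAL per RFC 7591
}

// Hypothetical resolver for the OAUTH_CLIENT_URI setting:
// "origin" -> the page origin, "" -> omit the field, anything else -> as given.
function resolveClientUri(setting: string, origin: string): string | undefined {
  if (setting === "origin") return origin;
  if (setting === "") return undefined;
  return setting;
}

// Build registration metadata for the given origin (stands in for
// window.location.origin), leaving client_uri out when it resolves to undefined.
function buildClientMetadata(setting: string, origin: string): OAuthClientMetadata {
  const clientUri = resolveClientUri(setting, origin);
  return {
    redirect_uris: [`${origin}/oauth/callback`],
    token_endpoint_auth_method: "none",
    grant_types: ["authorization_code", "refresh_token"],
    response_types: ["code"],
    client_name: "MCP Inspector",
    ...(clientUri !== undefined ? { client_uri: clientUri } : {}),
  };
}

// Provider-side check reproducing the rejection from the issue: when present,
// client_uri must share an origin with at least one redirect_uri.
// Returns null when the metadata passes, otherwise the error string.
function checkClientUriOrigin(meta: OAuthClientMetadata): string | null {
  if (meta.client_uri === undefined) return null; // omitted is allowed
  const clientOrigin = new URL(meta.client_uri).origin;
  const ok = meta.redirect_uris.some((u) => new URL(u).origin === clientOrigin);
  return ok ? null : "client_uri must have the same origin as a redirect_uri";
}
```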

Workaround

Current workaround requires manually editing the source code to change:

client_uri: "https://github.com/modelcontextprotocol/inspector"

to:

client_uri: window.location.origin

Related Information

  • OAuth 2.0 Dynamic Client Registration spec (RFC 7591) marks client_uri as OPTIONAL
  • The mismatch specifically affects the OAuth debugger flow at /oauth/callback/debug
  • Regular OAuth flow may also be affected at /oauth/callback

Environment

  • MCP Inspector version: 0.16.3
  • Affected OAuth providers: Clerk, potentially others
  • Browser: All browsers
  • OS: All operating systems
