Add Auth debugger tab

[pcarleton]

Motivation and Context

Adds a step-by-step auth debugger, going through the different client steps for a server.

How Has This Been Tested?

I've tested this locally against the python example auth SSE server:
modelcontextprotocol/python-sdk#610

I also tested against:

• Asana: https://mcp.asana.com/sse
• Sentry: https://mcp.sentry.dev/sse
• Jira: https://mcp.atlassian.com/v1/sse (fails on redirect b/c inspector isn't allowlisted)

Breaking Changes

none

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Documentation update

Checklist

• I have read the MCP Documentation
• My code follows the repository's style guidelines
• New and existing tests pass locally
• I have added appropriate error handling
• I have added or updated documentation as needed

Additional context

[QuantGeekDev]

Hey @pcarleton , I'm also working on something similar. Want to sync on discord? Maybe I can help with something. I'm using Postman since the inspector can't handle it but I was interested in what specific oauth flow you're following. Have you noticed that the specification was updated in draft a few days ago?

[pcarleton]

Hi @QuantGeekDev which discord?

Yes, with the new draft, we'll need to add a few more metadata endpoints to check, but that should be okay to just follow what the Typescript SDK does. I'm going to try to land this on the 2025-03-25 spec and update it from there.

[QuantGeekDev]

@pcarleton The modelcontextprotocol one: https://discord.gg/3uqNS3KRP2
I've got the same username as here - let's collab! How are you testing these? You have your oauth server set up locally?

[pcarleton]

it's testable against the python example server here:
modelcontextprotocol/python-sdk#610

Also can test against some of the public servers e.g.

• https://mcp.atlassian.com/v1/sse
• https://mcp.intercom.com/sse
• https://mcp.asana.com/sse
• https://mcp.squareup.com/sse
• https://mcp.sentry.dev/sse
• https://mcp.linear.app/sse

[ihrpr]

LGTM

• Breaking down into components would be good before merging
• maybe make it explicit that only sse will work for now
• add small banner to say which spec auth is supporing

[ihrpr]

something for the follow up (for myself) - we need to support shttp as well

[pcarleton]

true, I think it should be pretty much the same because this all happens before any MCP protocol initialization.

I've been testing this on the python simple auth server, do we have a streamable http auth example? can modify the existing one to add it if not

[ihrpr]

yeah, it should be something like this: modelcontextprotocol/python-sdk#695 will test and publish the PR

[pcarleton]

great, this seems to work.

One thing I didn't fully go through and update is the state parameter in App.tsx, it's still called sseUrl even though it can be either sse or streambleHttp. won't tackle that here, but wanted to mention while it's fresh.

[ihrpr]

pattern matching would be nice (something like a state machine) to have here instead of if-else

[pcarleton]

👍 I pulled this out into a state machine... the if/else was getting unwieldy, and also made retrying steps annoying

[ihrpr]

validateOAuthMetadata and validateClientInformation can be extracted:

• avoid recreation on every render
• clean up proceedToNextStep

[pcarleton]

👍 addressed w/ state machine

[ihrpr]

maybe break it down into components? Like OAuthStepItem

[pcarleton]

yea good call, I broke out the Progress flow component, and a smaller component for each step lmkwyt

[olaservo]

Hi Paul, I started testing with this today to see if it would play nice with my E2E Playwright testing branch, and noticed that the branch is quite a few commits behind main. Since I think there were a few auth related commits since you added this, could you pull the latest from main to verify its still working as expected? (And I'm doing the same with my own testing.)

[pcarleton]

ty @olaservo, I was missing the scope auth change (forgot I had hacked it in locally). I've updated the typescript sdk import so that the types for the scope parameter work properly now.

A few things still to go:

• support the new auth metadata endpoint (will be another upstream typescript-sdk change)
• show which spec version / auth metadata endpoint we used

[ihrpr]

LGTM!

Should we do follow ups as part of a separate PR and merge this one?

[pcarleton]

yea this is getting pretty large, will fix w/ follow-ups.

[leblancfg]

@pcarleton question for you, I feel like I'm missing something: why the /oauth/callback/debug URL?

That's not standard AFAICT, why not just reuse /oauth/callback?

[leblancfg]

Also the authorization URL generated by the debugger isn't the same as the "connect" button. It includes the scopes_supported whereas the main "connect" button doesn't.

I feel like the Connect button also should do that though? Spec isn't exactly prescriptive but the inspector is meant for debugging. 🤔 edit: I'll open a PR actually.

[pcarleton]

I feel like I'm missing something: why the /oauth/callback/debug URL?

@leblancfg this was to allow for a different handler when debugging vs. when doing the normal "connect" flow. When you do the step-by-step flow, we show the token and suggest you copy-paste it. We don't want to do that in the normal flow.