Requests to oauth the token endpoint with refresh_token grant type set invalid content-type header #1160
Description
Inspector Version
0.21.1
Describe the bug
MCP inspector makes requests to the oauth token endpoint with an invalid content-type application/json, application/x-www-form-urlencoded for the refresh_token grant type.
When the MCP inspector initially authenticates, it makes the first request to the token endpoint with the "authorization_code" grant type, and it correctly sets content-type: application/x-www-form-urlencoded. When the initial access token expires, and it requests a new one from the token endpoint with the refresh_token endpoint, it incorrectly sets content-type: application/json, application/x-www-form-urlencoded.
Here are screenshots from chrome devtools, the first is the initial token request with the "authorization_code" grant type, which sets the correct content-type. And the second is the "refresh_token" request, which sets the invalid content-type.
Initial token request with "authorization_code" grant type:
And the subsequent request with "refresh_token" grant type:
To Reproduce
- Connect to an MCP server and go through the authorization flow. Observe network tools, and note that the initial request to the oauth token endpoint sets
content-type: application/x-www-form-urlencoded - Wait for the initial access token to expire, and note that the subsequent request to the token endpoint sets
content-type: application/json, application/x-www-form-urlencoded
Expected behavior
Requests to the token endpoint always set content-type: application/x-www-form-urlencoded. The OAuth spec is clear that requests to the token endpoint must use this:
https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-15.html#name-token-endpoint-request
Screenshots
Initial token request with "authorization_code" grant type:
Subsequent token request with "refresh_token" grant type:
Environment (please complete the following information):
- MacOS Tahoe
- Chrome
Additional context
N/A
Version Consideration
Inspector V2 is under development to address architectural and UX improvements. During this time, V1 contributions should focus on bug fixes and MCP spec compliance. See CONTRIBUTING.md for more details.