From ee5e3d2299e40e245e35c294a3d41053ce741b0d Mon Sep 17 00:00:00 2001
From: MumuTW
Date: Wed, 18 Mar 2026 16:57:23 +0000
Subject: [PATCH] fix: remove Content-Type header from GET requests in OAuth metadata discovery GET requests to /.well-known/oauth-authorization-server should not include a Content-Type header. Some authorization servers (e.g. Keycloak) respond with 415 Unsupported Media Type when a GET request carries Content-Type: application/json, breaking OAuth metadata discovery. Move Content-Type assignment inside the custom fetch wrapper so it is only applied when the request carries a body (i.e. POST), leaving GET requests header-clean. Fixes #1143
---
 client/src/lib/hooks/useConnection.ts | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)
diff --git a/client/src/lib/hooks/useConnection.ts b/client/src/lib/hooks/useConnection.ts
index e14d1037f..c3734f6a3 100644
--- a/client/src/lib/hooks/useConnection.ts
+++ b/client/src/lib/hooks/useConnection.ts
@@ -582,16 +582,22 @@ export function useConnection({
 switch (transportType) {
 case "sse":
 requestHeaders["Accept"] = "text/event-stream";
- requestHeaders["content-type"] = "application/json";
 transportOptions = {
 authProvider: serverAuthProvider,
 fetch: async (
 url: string | URL | globalThis.Request,
 init?: RequestInit,
 ) => {
+ const mergedHeaders = { ...requestHeaders };
+ // Only set Content-Type on requests with a body (e.g. POST).
+ // GET requests (such as OAuth metadata discovery) must not
+ // include Content-Type, as some servers reject it with 415.
+ if (init?.body) {
+ mergedHeaders["content-type"] = "application/json";
+ }
 const response = await fetch(url, {
 ...init,
- headers: requestHeaders,
+ headers: mergedHeaders,
 });
 // Capture protocol-related headers from response
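Review bot: In the sse wrapper, `if (init?.body)` treats every request that has a body as JSON, and because `headers: mergedHeaders` comes after `...init`, any Content-Type the caller placed in `init.headers` is replaced. The commit message says OAuth traffic passes through this wrapper, so a form-encoded POST (for example a token request, if it takes this path) would go out labelled `application/json`. Consider seeding from the caller's headers with `const mergedHeaders = new Headers(init?.headers);`, copying `requestHeaders` over it, and defaulting only when nothing is set: `if (init?.body && !mergedHeaders.has("content-type")) mergedHeaders.set("content-type", "application/json");`. Separately, `requestHeaders` is attached to every URL this wrapper fetches; if it can carry an Authorization or custom auth header (not visible in this hunk), confirm it is not forwarded to a discovery endpoint on a different origin. The fetch callback continues past the end of the hunk.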
@@ -611,11 +617,16 @@ export function useConnection({
 url: string | URL | globalThis.Request,
 init?: RequestInit,
 ) => {
- requestHeaders["Accept"] =
- "text/event-stream, application/json";
- requestHeaders["Content-Type"] = "application/json";
+ const mergedHeaders = { ...requestHeaders };
+ mergedHeaders["Accept"] = "text/event-stream, application/json";
+ // Only set Content-Type on requests with a body (e.g. POST).
+ // GET requests (such as OAuth metadata discovery) must not
+ // include Content-Type, as some servers reject it with 415.
+ if (init?.body) {
+ mergedHeaders["Content-Type"] = "application/json";
+ }
 const response = await fetch(url, {
- headers: requestHeaders,
+ headers: mergedHeaders,
 ...init,
 });
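Review bot: The spread order in this wrapper, `{ headers: mergedHeaders, ...init }`, lets `init.headers` replace `mergedHeaders` wholesale, which is the opposite precedence to the sse branch (`{ ...init, headers: mergedHeaders }`). Whenever the caller passes its own headers, the Accept value, the new conditional Content-Type and everything copied from `requestHeaders` are silently dropped, so the fix here only takes effect for requests that arrive without `init.headers`. Pick one precedence for both branches and merge the two header sets rather than replacing one with the other, and state the rule in a comment such as `// caller-supplied headers win; requestHeaders fill the gaps`. The enclosing callback starts before and ends after this hunk.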