Description
Hello, and thanks for making this project! This seems to exactly fill the need I'm looking for. However, I'm having some issues getting it running. For now I'm just trying to walk through the OAuth steps in the MCP Inspector.
Repro steps:
In one terminal, run this auth proxy via Docker:

```
docker run --rm -p=8080:80 \
  -e EXTERNAL_URL=http://localhost:8080 \
  -e NO_AUTO_TLS=1 \
  -e PASSWORD=your-secure-password \
  -v ./data:/data \
  ghcr.io/sigbit/mcp-auth-proxy:latest \
  uvx mcp-server-time
```

In another, run MCP Inspector:

```
npx @modelcontextprotocol/inspector
```
Open MCP Inspector at the link it outputs in the terminal, point it to http://localhost:8080, and hit the "Open Auth Settings" button to go through OAuth. (Note: I had to disable my browser's cross-origin restrictions to allow the requests to go through. In Safari on macOS that's Develop > Developer Settings... > Disable cross-origin restrictions. Not sure what it is on other browsers.)
In the OAuth Flow Progress pane, click through the steps. Once the "Preparing Authorization" step outputs a URL, visit it and observe the following error message:
No code found: invalid_state, The state is missing or does not have enough characters and is therefore considered too weak. Request parameter 'state' must be at least be 8 characters long to ensure sufficient entropy.
These are the logs I'm seeing on the mcp-auth-proxy side:
{"severity":"INFO","timestamp":"2025-11-08T13:44:45.817932888Z","caller":"mcp-proxy/main.go:487","message":"Starting server","listen":[":80"]}
{"severity":"INFO","timestamp":"2025-11-08T13:44:54.913666396Z","caller":"zap@v1.1.5/zap.go:125","message":"/.well-known/oauth-protected-resource","status":200,"method":"GET","path":"/.well-known/oauth-protected-resource","query":"","ip":"192.168.65.1","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.0.1 Safari/605.1.15","latency":0.000050433,"time":"2025-11-08T13:44:54Z"}
{"severity":"INFO","timestamp":"2025-11-08T13:44:54.927325951Z","caller":"zap@v1.1.5/zap.go:125","message":"/.well-known/oauth-authorization-server","status":200,"method":"GET","path":"/.well-known/oauth-authorization-server","query":"","ip":"192.168.65.1","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.0.1 Safari/605.1.15","latency":0.000683787,"time":"2025-11-08T13:44:54Z"}
{"severity":"INFO","timestamp":"2025-11-08T13:44:56.938559259Z","caller":"zap@v1.1.5/zap.go:125","message":"/.idp/register","status":201,"method":"POST","path":"/.idp/register","query":"","ip":"192.168.65.1","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.0.1 Safari/605.1.15","latency":0.002754122,"time":"2025-11-08T13:44:56Z"}
{"severity":"INFO","timestamp":"2025-11-08T13:45:36.657618617Z","caller":"zap@v1.1.5/zap.go:125","message":"/.idp/auth","status":303,"method":"GET","path":"/.idp/auth","query":"response_type=code&client_id=2336d1081e0b944b81df8f7cecf34d85&code_challenge=TyP1D_pZhPyCHGDUMZBIInIgtzyXB5h3Kn4XuI8zuYE&code_challenge_method=S256&redirect_uri=http%3A%2F%2Flocalhost%3A6274%2Foauth%2Fcallback%2Fdebug&resource=http%3A%2F%2Flocalhost%3A8080%2F","ip":"192.168.65.1","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.0.1 Safari/605.1.15","latency":0.000669554,"time":"2025-11-08T13:45:36Z"}
{"severity":"INFO","timestamp":"2025-11-08T14:00:28.953418149Z","caller":"zap@v1.1.5/zap.go:125","message":"/.well-known/oauth-protected-resource","status":200,"method":"GET","path":"/.well-known/oauth-protected-resource","query":"","ip":"192.168.65.1","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.0.1 Safari/605.1.15","latency":0.000027736,"time":"2025-11-08T14:00:28Z"}
{"severity":"INFO","timestamp":"2025-11-08T14:00:28.964147149Z","caller":"zap@v1.1.5/zap.go:125","message":"/.well-known/oauth-authorization-server","status":200,"method":"GET","path":"/.well-known/oauth-authorization-server","query":"","ip":"192.168.65.1","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.0.1 Safari/605.1.15","latency":0.000053556,"time":"2025-11-08T14:00:28Z"}
{"severity":"INFO","timestamp":"2025-11-08T14:00:29.779687217Z","caller":"zap@v1.1.5/zap.go:125","message":"/.idp/register","status":201,"method":"POST","path":"/.idp/register","query":"","ip":"192.168.65.1","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.0.1 Safari/605.1.15","latency":0.002446317,"time":"2025-11-08T14:00:29Z"}
{"severity":"INFO","timestamp":"2025-11-08T14:01:21.741525199Z","caller":"zap@v1.1.5/zap.go:125","message":"/.idp/auth","status":303,"method":"GET","path":"/.idp/auth","query":"response_type=code&client_id=aff6b48721bf0fc6a968910984810d22&code_challenge=OXeC-R8HiM91Eu8JO5Os1f6ddZPmtRGAOeLYRXNcGLM&code_challenge_method=S256&redirect_uri=http%3A%2F%2Flocalhost%3A6274%2Foauth%2Fcallback%2Fdebug&resource=http%3A%2F%2Flocalhost%3A8080%2F","ip":"192.168.65.1","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.0.1 Safari/605.1.15","latency":0.000125896,"time":"2025-11-08T14:01:21Z"}
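
The proxy's JSON log lines can be checked mechanically for the parameter the error message names. The following is an added example, not part of the original issue or of mcp-auth-proxy: it parses log lines in the format shown above and flags `/.idp/auth` requests whose `state` is missing or shorter than the 8 characters quoted in the error. The function names are assumptions, and the sample input is constructed (the first `/.idp/auth` line is trimmed from the log above, the second is a made-up well-formed request for contrast).

```python
import json
from urllib.parse import parse_qs

MIN_STATE_LEN = 8  # minimum length quoted in the invalid_state error message

# Constructed sample: trimmed log lines (timestamp, ip, user-agent dropped).
SAMPLE_LOG = """\
{"severity":"INFO","message":"/.idp/register","status":201,"method":"POST","path":"/.idp/register","query":""}
{"severity":"INFO","message":"/.idp/auth","status":303,"method":"GET","path":"/.idp/auth","query":"response_type=code&client_id=2336d1081e0b944b81df8f7cecf34d85&code_challenge=TyP1D_pZhPyCHGDUMZBIInIgtzyXB5h3Kn4XuI8zuYE&code_challenge_method=S256&redirect_uri=http%3A%2F%2Flocalhost%3A6274%2Foauth%2Fcallback%2Fdebug&resource=http%3A%2F%2Flocalhost%3A8080%2F"}
{"severity":"INFO","message":"/.idp/auth","status":303,"method":"GET","path":"/.idp/auth","query":"response_type=code&client_id=example&state=0123456789abcdef&code_challenge=x&code_challenge_method=S256"}
"""


def check_auth_request(query: str) -> list[str]:
    """Return the problems found in one authorization request query string."""
    params = parse_qs(query, keep_blank_values=True)
    problems = []
    states = params.get("state", [])
    if not states:
        problems.append("state missing")
    elif len(states) > 1:
        problems.append("state repeated")
    elif len(states[0]) < MIN_STATE_LEN:
        problems.append(f"state too short ({len(states[0])} < {MIN_STATE_LEN})")
    if params.get("code_challenge_method") != ["S256"]:
        problems.append("PKCE S256 not used")
    return problems


def audit(log_text: str, auth_path: str = "/.idp/auth"):
    """Yield (line number, HTTP status, problems) for each logged auth request."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or non-JSON lines mixed into the output
        if not isinstance(entry, dict) or entry.get("path") != auth_path:
            continue
        findings.append((lineno, entry.get("status"), check_auth_request(entry.get("query", ""))))
    return findings


if __name__ == "__main__":
    for lineno, status, problems in audit(SAMPLE_LOG):
        print(f"line {lineno}: status={status} -> {problems or 'ok'}")
```
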