CORS errors when using the "Quick OAuth Flow" auth troubleshooter

[anthony-c-martin]

Inspector Version

0.16.7

Describe the bug

I'm trying to troubleshoot a new remote MCP server, and see this error message:

When I look at the browser logs, I see the following, indicating the web requests aren't actually failing - it's just being blocked by my browser's CORS policy:

Access to fetch at 'https://<redacted>/.well-known/oauth-protected-resource' from origin 'http://localhost:6274' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

To Reproduce
Steps to reproduce the behavior:

1. Add remote server, click 'Connect'
2. Click on 'Auth'
3. Scroll down to 'Quick OAuth Flow'
4. See error

Expected behavior

1. The app is able to make requests regardless of CORS policy, or instructions are provided on how to run it in a way to bypass.
2. The error message is more descriptive of the problem, rather than indicating a generic problem has occurred.

Screenshots
See above

Environment (please complete the following information):

• OS: macOS (Tahoe 26.0)
• Browser: Edge

Additional context
N/A

[Xueyao-Huang]

same in 0.16.8

[cliffhall]

The app is able to make requests regardless of CORS policy, or instructions are provided on how to run it in a way to bypass.

@anthony-c-martin when you say "the app" do you mean a browser-based app or an app running as a service? The latter will not have any CORS-related issues, because that is a browser concern.

Any browser-based app will have a CORS issue connecting to any server that does not allow its origin to connect. It's not up to the Inspector or any browser-based app to set the CORS policy, that's the server's prerogative.

Have a look at the Everything reference server implementation and how it opens the CORS origin and headers it allows the browser to read.

[cliffhall]

Closing this one. It seems as if your .well-known/oauth-protected-resource endpoint needs CORS config to allow all origins. It is a public metadata discovery mechanism.

[anthony-c-martin]

Thanks for the guidance! I'll try out enabling the CORS config for the .well-known/oauth-protected-resource endpoint.

[ov-developer]

@cliffhall Hi, I'm running into the same problem. CORS policy is blocking the metadata and oauth requests. Would it make sense to use the MCP proxy also for those? From my understanding the whole point of having a proxy is to "circumvent" the CORS policy for development as it is only relevant in browser environment.

[cliffhall]

From my understanding the whole point of having a proxy is to "circumvent" the CORS policy for development as it is only relevant in browser environment.

The original point of the proxy was simply to support STDIO servers. You can't talk to them from a browser, you have to have a proxy.

I agree that it might be helpful to go through the proxy, and we may look into doing it, but, it would not be a simple change.