Description
Problem
When users select "Via Proxy" as the Connection Type, they reasonably expect all requests to be proxied, including OAuth authentication requests. However, OAuth operations currently bypass the proxy and are executed directly from the browser, causing CORS errors.
This creates a confusing user experience: the "Via Proxy" setting appears to only apply to MCP protocol calls, not OAuth authentication, which is not immediately clear to users.
Concrete Example: Keycloak
When using Keycloak as an OAuth provider:
- User selects "Via Proxy" in the Inspector sidebar
- User attempts OAuth authentication
- Browser makes direct requests to Keycloak (bypassing the proxy)
- Keycloak returns CORS errors because it's not configured for the Inspector's origin
- Authentication fails despite "Via Proxy" being selected
Current workaround: Deploy a reverse proxy (nginx, Caddy) in front of Keycloak to add CORS headers specifically for the Inspector. This makes development and demos particularly tedious and requires additional infrastructure.
Proposed Solution
Route OAuth operations through the existing Express proxy server when connectionType is "proxy", following the same pattern as MCP server connections.
Implementation
I have a working solution available at:
https://github.com/asoorm/inspector/tree/fix/oauth-cors-proxy-support
Changes:
- Adds OAuth proxy endpoints to server/src/index.ts
- Updates OAuth state machine to respect connectionType setting
- Maintains backward compatibility with direct connections
- Tested successfully with Keycloak
Next Steps
Based on your feedback to this issue and the PR, I will add polish, tests, and documentation accordingly.
Type: Bug fix / UX improvement
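
The routing described in the proposed solution, sketched as an added example that is not code from the linked branch or from the Inspector project. The /oauth/forward route, the function names, the hosts and the origin allowlist are assumptions made for illustration; the allowlist is there because a proxy that fetches browser-supplied URLs should restrict where it will connect.

```javascript
// Added example. Route name, function names and hosts are hypothetical.
const ALLOWED_SCHEMES = new Set(["https:", "http:"]);

// Browser side: pick the URL an OAuth request (metadata, registration,
// token exchange) is sent to, based on the sidebar's connection type.
function resolveOAuthRequest(connectionType, targetUrl, proxyBase) {
  if (connectionType !== "proxy") {
    return targetUrl; // direct: the provider must send CORS headers
  }
  const u = new URL("/oauth/forward", proxyBase); // hypothetical route
  u.searchParams.set("target", targetUrl);
  return u.toString(); // the proxy calls the provider server-to-server
}

// Proxy side: the target arrives from the browser, so validate it
// before the server fetches it on the caller's behalf.
function checkForwardTarget(rawTarget, allowedOrigins) {
  let target;
  try {
    target = new URL(rawTarget);
  } catch {
    return { ok: false, reason: "invalid-url" };
  }
  if (!ALLOWED_SCHEMES.has(target.protocol)) return { ok: false, reason: "scheme" };
  if (target.username || target.password) return { ok: false, reason: "userinfo" };
  if (!allowedOrigins.includes(target.origin)) return { ok: false, reason: "origin-not-allowed" };
  return { ok: true, url: target.toString() };
}

// Proxy side: forward one request. Redirects are not followed, so a 3xx
// from the provider cannot steer the server to an unchecked host.
async function forwardOAuthRequest(rawTarget, init, allowedOrigins, fetchImpl = fetch) {
  const check = checkForwardTarget(rawTarget, allowedOrigins);
  if (!check.ok) return { status: 400, body: JSON.stringify({ error: check.reason }) };
  const upstream = await fetchImpl(check.url, { ...init, redirect: "manual" });
  return { status: upstream.status, body: await upstream.text() };
}

// Constructed sample values.
const ALLOWED = ["https://keycloak.example.test"];
const METADATA = "https://keycloak.example.test/realms/demo/.well-known/openid-configuration";
```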