From b64c619cca652fbb980f912afab1f2ce5e0f038a Mon Sep 17 00:00:00 2001
From: Peter Siska <63866+peschee@users.noreply.github.com>
Date: Thu, 26 Feb 2026 18:18:27 +0100
Subject: [PATCH] fix: register both OAuth redirect URIs to avoid DCR conflict
 between normal and debug flows

The redirect_uris getter used this.redirectUrl, which DebugInspectorOAuthClientProvider
overrides to return the debug URL. This caused Set deduplication to collapse both entries
into just the debug URI, so DCR only registered /oauth/callback/debug. The normal Connect
flow then failed because /oauth/callback was not a registered redirect URI.
---
 client/src/lib/auth.ts | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/client/src/lib/auth.ts b/client/src/lib/auth.ts
index 879936104..76a00837b 100644
--- a/client/src/lib/auth.ts
+++ b/client/src/lib/auth.ts
@@ -146,10 +146,12 @@ export class InspectorOAuthClientProvider implements OAuthClientProvider {
   }
 
   get redirect_uris() {
-    // Normally register both redirect URIs to support both normal and debug flows
-    // In debug subclass, redirectUrl may be the same as debugRedirectUrl, so remove duplicates
-    // See: https://github.com/modelcontextprotocol/inspector/issues/825
-    return [...new Set([this.redirectUrl, this.debugRedirectUrl])];
+    // Always register both redirect URIs regardless of which subclass is used,
+    // so that a single client registration works for both normal and debug flows.
+    return [
+      window.location.origin + "/oauth/callback",
+      window.location.origin + "/oauth/callback/debug",
+    ];
   }
 
   get clientMetadata(): OAuthClientMetadata {