Skip to content

fix(auth): enforce form-urlencoded Content-Type for token endpoint#1774

Open
lanxevo3 wants to merge 2 commits intomodelcontextprotocol:mainfrom
lanxevo3:main
Open

fix(auth): enforce form-urlencoded Content-Type for token endpoint#1774
lanxevo3 wants to merge 2 commits intomodelcontextprotocol:mainfrom
lanxevo3:main

Conversation

@lanxevo3
Copy link

@lanxevo3 lanxevo3 commented Mar 26, 2026

Summary

OAuth 2.1 §3.2 requires token endpoint requests to use \�pplication/x-www-form-urlencoded\ regardless of grant type.

Adds an explicit \headers.set('Content-Type', 'application/x-www-form-urlencoded')\ call immediately before the \ etch\ in \executeTokenRequest()\ as a defensive measure — ensuring no \�ddClientAuthentication\ implementation can accidentally override the Content-Type.

Changes

\packages/client/src/client/auth.ts:

  • \executeTokenRequest(): re-enforce Content-Type before fetch

  • egisterClient(): re-enforce Content-Type before fetch

References

lanxevo3 added 2 commits March 26, 2026 16:55
@lanxevo3
fix(auth): enforce form-urlencoded Content-Type for token endpoint
fa780fa 
OAuth 2.1 §3.2 requires token endpoint requests to use
application/x-www-form-urlencoded regardless of grant type.

Add an explicit header.set() call immediately before the fetch in
executeTokenRequest() to prevent any addClientAuthentication
implementation from accidentally overriding the Content-Type.

Fixes modelcontextprotocol/inspector#1160
@lanxevo3
Merge branch 'main' of https://github.com/lanxevo3/typescript-sdk
984a27e
@lanxevo3 lanxevo3 requested a review from a team as a code owner March 26, 2026 21:57
@changeset-bot
Copy link

changeset-bot bot commented Mar 26, 2026

⚠️ No Changeset found

Latest commit: 984a27e

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@lanxevo3 lanxevo3 mentioned this pull request Mar 26, 2026
Open
@pkg-pr-new
Copy link

pkg-pr-new bot commented Mar 26, 2026

Open in StackBlitz

@modelcontextprotocol/client

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/client@1774

@modelcontextprotocol/server

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/server@1774

@modelcontextprotocol/express

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/express@1774

@modelcontextprotocol/hono

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/hono@1774

@modelcontextprotocol/node

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/node@1774

commit: 984a27e

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Requests to oauth the token endpoint with refresh_token grant type set invalid content-type header

1 participant

@lanxevo3