Detail Bug Report
https://app.detail.dev/org_42bf1b6f-11b3-499a-ad6d-d5a056862990/bugs/bug_b14a1269-391e-4970-827c-379fdbf74810
Summary
- Context: The OAuth transport layer in MCP clients fetches Protected Resource Metadata from a well-known endpoint to discover authorization servers before initiating OAuth flows.
- Bug: When the resource metadata endpoint returns an unexpected HTTP status code (anything other than 200 OK or 404 Not Found), the code returns a nil error instead of an error describing the problem.
- Actual vs. expected: The code returns nil (no error) when it should return an error with details about the unexpected status code, causing the OAuth flow to silently continue as if the endpoint returned 404.
- Impact: Server errors (500, 503), access control issues (401, 403), and other HTTP errors are completely masked, making it impossible to diagnose OAuth configuration problems or server failures.
Code with bug
Both handleManagedOAuthFlow and handleUnmanagedOAuthFlow in pkg/tools/mcp/oauth.go contain this pattern:
resp, err := http.Get(resourceURL)
if err != nil {
return err
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusNotFound {
return err // <-- BUG 🔴 err is nil at this point!
}
var resourceMetadata protectedResourceMetadata
if resp.StatusCode == http.StatusOK {
if err := json.NewDecoder(resp.Body).Decode(&resourceMetadata); err != nil {
return err
}
}Example
- Server returns 500 from
/.well-known/oauth-protected-resource.
http.Get() succeeds (no network error), so err == nil.- Code detects status not in {200, 404} and executes
return err.
- Because
err is nil, the function returns nil and the OAuth flow proceeds using fallback values.
Expected: return an error such as fmt.Errorf("unexpected status %d from resource metadata endpoint %s", resp.StatusCode, resourceURL).
Actual: returns nil, masking real server/configuration errors.
Recommended fix
Replace return err with a constructed error in both occurrences:
if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusNotFound {
return fmt.Errorf("unexpected status %d from resource metadata endpoint %s", resp.StatusCode, resourceURL) // <-- FIX 🟢
}Apply the same change in both handleManagedOAuthFlow and handleUnmanagedOAuthFlow in pkg/tools/mcp/oauth.go. This matches the error handling pattern used elsewhere in the file.
Detail Bug Report
https://app.detail.dev/org_42bf1b6f-11b3-499a-ad6d-d5a056862990/bugs/bug_b14a1269-391e-4970-827c-379fdbf74810
Summary
Code with bug
Both
handleManagedOAuthFlowandhandleUnmanagedOAuthFlowinpkg/tools/mcp/oauth.gocontain this pattern:Example
/.well-known/oauth-protected-resource.http.Get()succeeds (no network error), soerr == nil.return err.erris nil, the function returns nil and the OAuth flow proceeds using fallback values.Expected: return an error such as
fmt.Errorf("unexpected status %d from resource metadata endpoint %s", resp.StatusCode, resourceURL).Actual: returns
nil, masking real server/configuration errors.Recommended fix
Replace
return errwith a constructed error in both occurrences:Apply the same change in both
handleManagedOAuthFlowandhandleUnmanagedOAuthFlowinpkg/tools/mcp/oauth.go. This matches the error handling pattern used elsewhere in the file.