Static Authorization header from imported external configs overrides OAuth access token #121

@ahonn

Summary

When mcporter imports MCP server definitions from external clients (Cursor, VSCode, Claude Desktop, etc.) that include static Authorization headers, these headers override the OAuth access token obtained through the OAuth 2.1 flow, causing all authenticated requests to fail with 401.

Reproduction

  1. Have a Cursor MCP config (~/.cursor/mcp.json) with a static API key:
    {
      "mcpServers": {
        "myserver": {
          "url": "http://127.0.0.1:35729/mcp",
          "headers": {
            "Authorization": "Bearer mcp_old_api_key_here"
          }
        }
      }
    }
  2. Run mcporter auth --http-url http://127.0.0.1:35729/mcp --allow-http
  3. Complete the OAuth flow in the browser (authorization succeeds, token is saved)
  4. mcporter still sends the old static API key instead of the new OAuth token → 401 → retry storm

Root Cause

In src/runtime/transport.ts lines 118-125:

const resolvedHeaders = materializeHeaders(command.headers, activeDefinition.name);
const requestInit: RequestInit | undefined = resolvedHeaders
  ? { headers: resolvedHeaders as HeadersInit }
  : undefined;
const baseOptions = {
  requestInit,
  authProvider: oauthSession?.provider,
};

The MCP SDK's StreamableHTTPClientTransport._commonHeaders() spreads requestInit.headers after the authProvider token:

return new Headers({
  ...headers,       // from authProvider (OAuth token)
  ...extraHeaders   // from requestInit — OVERRIDES the above
});

This means any static Authorization header from imported configs always wins over the dynamically obtained OAuth token.

Suggested Fix

When OAuth is active, strip Authorization from static headers so the auth provider controls authentication:

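const resolvedHeaders = materializeHeaders(command.headers, activeDefinition.name);
if (shouldEstablishOAuth && resolvedHeaders) {
  // Header names are case-insensitive, so drop every casing of Authorization.
  for (const name of Object.keys(resolvedHeaders)) {
    if (name.toLowerCase() === 'authorization') delete resolvedHeaders[name];
  }
}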

Impact

Affects all users who have MCP servers configured in Cursor/VSCode/Claude Desktop with static API keys and also try to use OAuth via mcporter for the same server.
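
An added example (not part of the issue, and not mcporter or MCP SDK code) that models the header merge quoted under Root Cause and a case-insensitive strip of the static header. The names `commonHeaders`, `stripStaticAuth` and `authSent` are hypothetical and the token value is constructed. It also covers a differently cased static header name, where the spread keeps both keys and `Headers` joins the two values into one header.

```typescript
// Added example: simplified model of the merge shown in the issue, not SDK or mcporter code.
type HeaderMap = Record<string, string>;

// Mirrors the spread order from the issue: auth provider first, requestInit second.
function commonHeaders(oauthToken: string | undefined, extraHeaders: HeaderMap): Headers {
  const headers: HeaderMap = {};
  if (oauthToken) headers["Authorization"] = `Bearer ${oauthToken}`;
  return new Headers({ ...headers, ...extraHeaders });
}

// Hypothetical helper: drop every casing of Authorization when OAuth is active.
function stripStaticAuth(staticHeaders: HeaderMap, oauthActive: boolean): HeaderMap {
  if (!oauthActive) return { ...staticHeaders };
  const kept: HeaderMap = {};
  for (const [name, value] of Object.entries(staticHeaders)) {
    if (name.toLowerCase() !== "authorization") kept[name] = value;
  }
  return kept;
}

// Constructed sample values; the static key is the placeholder from the reproduction.
const OAUTH_TOKEN = "oauth_access_token_example";
const imported: HeaderMap = {
  Authorization: "Bearer mcp_old_api_key_here",
  "X-Client": "cursor",
};
const importedUpper: HeaderMap = { AUTHORIZATION: "Bearer mcp_old_api_key_here" };

// Returns the Authorization value that would go on the wire.
function authSent(staticHeaders: HeaderMap, strip: boolean): string | null {
  const extra = strip ? stripStaticAuth(staticHeaders, true) : staticHeaders;
  return commonHeaders(OAUTH_TOKEN, extra).get("authorization");
}

console.log("unstripped, same casing :", authSent(imported, false));
console.log("unstripped, other casing:", authSent(importedUpper, false));
console.log("stripped, same casing   :", authSent(imported, true));
console.log("stripped, other casing  :", authSent(importedUpper, true));
```
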
