Hi guys. I am using self-hosted version of Ory Hyd...
# general
h
Hi guys. I am using a self-hosted version of Ory Hydra as an OAuth2 server for my MCP server application. While debugging my application using MCP Inspector, I am facing the following issue:
```
Failed to start OAuth flow: [ { "code": "invalid_type", "expected": "array", "received": "null", "path": [ "contacts" ], "message": "Expected array, received null" } ]
```
POST <http://localhost:4445/admin/clients> Response includes `contacts: null`
This is the following code:
1. Metadata API call: https://github.com/modelcontextprotocol/inspector/blob/ec24f7bbbf1535084c5f03157c80eceb4e79278d/client/src/lib/auth.ts#L22-L31
2. MCP Typescript SDK schema: https://github.com/modelcontextprotocol/typescript-sdk/blob/0c4b3082751e1ec387a2f8ddbfe6a8c882d2ce0f/src/shared/auth.ts#L94

Now I wanted your help in discussing whether this is an error on the Ory Hydra side of the system or an error in the MCP Typescript SDK implementation?
I have raised an issue for the same in MCP Typescript SDK https://github.com/modelcontextprotocol/typescript-sdk/issues/543
m
Thanks @handsome-furniture-42144 @early-magician-18981 from the Ory team is also doing some testing with MCP, maybe you can learn from each other here, I heard it is pretty rough territory still 😄
e
Hey @handsome-furniture-42144, I ran into this as well. Basically it is an issue of JSON nulls. In our language stack, we are expecting the raw object type to be there and not a null, which is why this throws. Take a look at this for a working example: https://www.ory.sh/blog/agentic-ai-security-mcp-oauth
Specifically Step 2: Test with the MCP Inspector. It is a small tweak to the auth.js code they use to give contact an array rather than null.
Also, the linked package: https://www.npmjs.com/package/@ory/mcp-oauth-provider also works with both Ory Network and Ory Hydra (OSS or OEL self-hosted)!
h
thanks for the help.. let me give this a try
making changes to `MCP Inspector` seems like cheating 😛 I expect most of the MCP clients would be using `modelcontextprotocol/typescript-sdk` which does not handle `null` in its zod schema
passing `scope: "ory.admin"` is this necessary?
in the documentation issuerUrl and baseUrl seem to be flipped
```
issuerUrl: new URL(oryProjectUrl),
baseUrl: new URL(mcpBaseUrl),
```
should have been
```
issuerUrl: new URL(mcpBaseUrl),
baseUrl: new URL(oryProjectUrl),
```
also in the npm documentation it's not clear what would be the `/callback` consent server and how to change it
e
Good feedback. Let me incorporate those notes over the day today. The scope is not necessary, just lets you be sure that you can handle custom scopes in this format as well.
Because these specific instructions are for using Ory Network and not Hydra specifically, the /callback is handled by your Ory Network Project configuration. For Hydra, this would be configured in your Hydra setup. We have a guide coming for Hydra specific setup early next week.
Also on the issuerUrl vs BaseUrl, no, the documentation is correct. Please look at the MCP SDK documentation for proxy authorization requests: https://github.com/modelcontextprotocol/typescript-sdk?tab=readme-ov-file#proxy-authorization-requests-upstream
h
hmm when I was testing with MCP inspector, I was getting an error with issuer and baseurl according to the Ory documentation
e
very odd, it worked when you swapped them? What values did you have in the .env? The mcpBaseURL should be your MCP server express URL and the oryProjectURL should be your Ory Network project URL.
h
yes it worked after swapping.. mcpBaseUrl was 127.0.0.1:3000 (mcp server) and oryHydraUrl was 127.0.01:4444
e
Let me make sure it mapped correctly in the provider middleware
Yeah that's all mapped through the MCP SDK and more explicitly express middleware. It works for me to have the issuer be hydra, so not 100% sure what is going on there.
Could be another inspector update messed things up?
h
i am on typescript sdk v1.12.0 and inspector v0.13.0
e
1.11 and 0.12.0 here, let me update and see if something changed.
h
this feels odd to me
```
authorization_endpoint: new URL(authorization_endpoint, baseUrl || issuer).href
```
https://github.com/modelcontextprotocol/typescript-sdk/blob/main/src/server/auth/router.ts#L85
e
Ok inspector 0.13.0 works fine with how it is documented. will now attempt to update the sdk in the example and see if that breaks it.
Ugh, found another change. I guess using the word provider in the requireBearerAuth was not a good fit? they changed it to verifier? why? who knows! line 123 of the example needs to be changed from `provider` to `verifier`. It also works for me just fine as is with the example using Ory Network. I will have time much later today to try Hydra again to see if there is a diff.