MCP Connector still “Failed to resolve OAuth client” after full proxy setup

ChatGPT
1

Hey folks,

I have been trying this for past two weeks. Tried to resolve this by hard code, claude, codex, and finally google here. and here at the forum.

Context: I’m hosting an MCP server at mcp.tradly.app. The real data lives behind Tradly’s OAuth server api.tradly.app/skua/oauth/*, so I wired up the TypeScript SDK’s ProxyOAuthServerProvider + mcpAuthRouter to act as the façade. Every discovery URL is returning 200 with JSON, we respond politely to callback probes, and the manifest advertises the flow exactly as the spec shows.

What I’ve implemented:

  • /.well-known/mcp/manifest.json: lists tools, OAuth block (grant_type=authorization_code, PKCE, redirect mcp.tradly.app/oauth/callback).

  • /.well-known/openid-configuration, /.well-known/oauth-authorization-server, /.well-known/oauth-protected-resource: all served with proper metadata, CORS, and no 404s.

  • /authorize and /token: handled by the SDK router, plus explicit HEAD overrides (connector was sending HEAD first).

  • /oauth/callback: returns 200 even without a code so the connector doesn’t trip.

  • /api/mcp: now requires a bearer token, verifies it via Tradly’s /userinfo, and proxies the request.

  • HEAD/OPTIONS fallback for those weird combined paths (e.g. /.well-known/oauth-protected-resource/.well-known/mcp/manifest.json).

Manual checks after the latest deploy ()

curl https://mcp.tradly.app/.well-known/openid-configuration 
200 

curl -I https://mcp.tradly.app/authorize
HTTP/2 405 
allow: GET, POST
content-type: application/json; charset=utf-8


curl -I https://mcp.tradly.app/token

HTTP/2 405 
access-control-allow-origin: *
allow: POST

Despite all that, when I enter the manifest URL in ChatGPT’s MCP connector it still throws:

Failed to resolve OAuth client for MCP connector: https://mcp.tradly.app/.well-known/mcp/manifest.json

I’ve tailed the server logs during the attempt—after the discovery probes it never reaches /authorize or /token, so the connector is bailing before the real OAuth flow.

Has anyone seen this and found a missing piece? Do I still need to proxy /userinfo, /jwks, or dynamic registration in a special way? Or is there a known connector bug I should chase with OpenAI?

Live endpoint: mcp.tradly.app

Any hints or war stories would be hugely appreciated.