non-JSON in mcp init #113

@clgtm

Description

Command:   authprobe scan --llm-max-tokens=1080 --openai-api-key=sk-proj-***REDACTED*** http://localhost:8028/mcp
Scanning:  http://localhost:8028/mcp
Scan time: Feb 20, 2026 07:17:50 UTC
Github:    https://github.com/authprobe/authprobe

Funnel
  [1] MCP probe (401 + WWW-Authenticate)      [-] SKIP
        probe returned 405; checking PRM for OAuth config

  [2] MCP initialize + tools/list             [X] FAIL
        initialize -> 200 (non-JSON response)

  [3] PRM fetch matrix                        [X] FAIL
        PRM unreachable or unusable; OAuth discovery unavailable

  [4] Auth server metadata                    [-] SKIP
        auth not required

  [5] Token endpoint readiness (heuristics)   [-] SKIP
        auth not required

  [6] Dynamic client registration (RFC 7591)  [-] SKIP
        auth not required

Primary Finding (HIGH): MCP_INITIALIZE_FAILED (confidence 1.00)
  Evidence:
      initialize -> 200 (non-JSON response)
      MCP servers should accept the initialize JSON-RPC request and return a valid JSON response
      per the MCP specification.

┌───────────────────────┤ CALL TRACE ├───────────────────────┐
Call Trace Using: https://github.com/authprobe/authprobe

  ┌────────────┐                                                    ┌────────────┐    
  │ authprobe  │                                                    │ MCP Server │    
  └─────┬──────┘                                                    └─────┬──────┘    
        │                                                                 │           
        │ ╔═══ Step 1: MCP probe                    ═══════╪═══════════════════╗
        │  GET http://localhost:8028/mcp                                 
        │  Reason: 401 + WWW-Authenticate discovery                      
        │    Accept:  text/event-stream
        │    Host:    localhost:8028
        ├─────────────────────────────────────────────────────────────────►│
        │  405 Method Not Allowed                                        
        │    Connection:    keep-alive
        │    Date:          Fri, 20 Feb 2026 07:17:41 GMT
        │    Keep-Alive:    timeout=5
        │    X-Powered-By:  Express
        │◄─────────────────────────────────────────────────────────────────┤
        │                                                                  │
        │ ╔═══ Step 2: MCP initialize               ═══════╪═══════════════════╗
        │  POST http://localhost:8028/mcp                                
        │  Reason: Step 2: MCP initialize + tools/list (pre-init tools/list)
        │    Accept:                application/json, text/event-stream
        │    Content-Type:          application/json
        │    Host:                  localhost:8028
        │    Mcp-Protocol-Version:  2025-11-25
        ├─────────────────────────────────────────────────────────────────►│
        │  200 OK                                                        
        │    Cache-Control:  no-cache
        │    Connection:     keep-alive
        │    Content-Type:   text/event-stream
        │    Date:           Fri, 20 Feb 2026 07:17:41 GMT
        │    X-Powered-By:   Express
        │◄─────────────────────────────────────────────────────────────────┤
        │                                                                  │
        │  POST http://localhost:8028/mcp                                
        │  Reason: Step 2: MCP initialize + tools/list (initialize)      
        │    Accept:                application/json, text/event-stream
        │    Content-Type:          application/json
        │    Host:                  localhost:8028
        │    Mcp-Protocol-Version:  2025-11-25
        ├─────────────────────────────────────────────────────────────────►│
        │  200 OK                                                        
        │    Cache-Control:  no-cache
        │    Connection:     keep-alive
        │    Content-Type:   text/event-stream
        │    Date:           Fri, 20 Feb 2026 07:17:43 GMT
        │    X-Powered-By:   Express
        │◄─────────────────────────────────────────────────────────────────┤
        ▼                                                                  ▼

┌──────────────────┤ ROOT-CAUSE ANALYSIS ├───────────────────┐
The primary failure in this MCP OAuth server scan—MCP_INITIALIZE_FAILED with high confidence—is both valid and justified based on the scan evidence and relevant MCP and JSON-RPC specifications. Below is a detailed explanation, including applicable spec references and correct server behavior:


Summary of the Failure

  • The MCP server returned HTTP 200 status to the initialize JSON-RPC request.
  • However, the response body was not valid JSON, which violates the MCP protocol requirement.
  • Consequently, the server did not properly handle or respond to the initialize request as required.

Spec-grounded Analysis

1. MCP Protocol and Initialize Request

  • According to MCP 2025-11-25, the initialize method is the entry point for all MCP interactions:

    • The client must send the initialize JSON-RPC request first.
    • The server must accept this request and respond with a well-formed JSON response in line with the MCP JSON-RPC specifications.
    • Only after successful initialize can other MCP requests (e.g., tools/list) be processed.
  • The failure indicates that the server sent a 200 OK response (an appropriate HTTP status for a successful JSON-RPC call) but the body was not JSON, violating the requirement that MCP endpoints respond exclusively with valid JSON-RPC-formatted payloads.

2. JSON-RPC 2.0 Compliance

  • Per JSON-RPC 2.0 specification (section 1):

    • All requests and responses must be encoded in JSON.
    • A valid response to a JSON-RPC request must be a JSON object containing expected fields (jsonrpc, result or error, id).
  • The scan's note of a "non-JSON response" means the server did not send a valid JSON-RPC response object, thus:

    • It violates JSON-RPC 2.0 formatting.
    • It breaks client assumptions about response parsing and error handling.

3. Impact on Other MCP Functionality

  • Step [2] failure cascades into subsequent failures, such as step [3] inability to fetch the PRM matrix due to failure in initial handshake.
  • Specifying that MCP servers must enforce ordering (initialize before any other method requests) aligns with the MCP_INITIALIZE_ORDERING_NOT_ENFORCED (info) finding but is a secondary issue after failure to properly respond to initialize.

4. OAuth Discovery and PRM Access

  • Failure to properly initialize impacts OAuth discovery, client registration, and token handling phases.
  • According to RFC 8414 (OAuth 2.0 Authorization Server Metadata) and RFC 9728 (OAuth 2.0 OAuth Resource Metadata), discovery mechanisms depend on proper protocol initialization and communication.
  • Without valid initialize responses, the client cannot fetch or use these endpoints.

Correct Server Behavior

  • The server must accept and process the initialize request according to MCP JSON-RPC schema.
  • It should respond with a valid JSON-RPC response with the appropriate JSON structure, e.g.:

    {
      "jsonrpc": "2.0",
      "result": {
        "capabilities": {
          "supported_tools": [...],
          "auth_required": true,
          ...
        }
      },
      "id": 1
    }
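The call trace above shows both POST responses arriving with Content-Type: text/event-stream. The MCP Streamable HTTP transport allows a server to answer a POST either with a single application/json object or with an SSE stream whose data: lines each carry one JSON-RPC message, and the request's Accept header in the trace advertises both. A checker that only tries json.loads on the raw body will therefore report a well-formed SSE-framed initialize result as "non-JSON". The following is an added example, not authprobe's code and not part of this issue: it unwraps both framings, locates the response matching the request id, and validates it against the JSON-RPC 2.0 response shape. The sample bodies, the server name and the notification are constructed for illustration, not captured from the server in this report.

```python
"""Unwrap an MCP Streamable HTTP POST response (JSON or SSE) and validate
the JSON-RPC 2.0 response inside it. Added example; sample data is constructed."""
from __future__ import annotations

import json

JSONRPC_VERSION = "2.0"


def parse_sse(body: str) -> list[dict]:
    """Split a text/event-stream body into events using EventSource framing:
    'name: value' lines, ':'-prefixed comment lines, a blank line ends an
    event, and multiple data: lines in one event are joined with '\n'."""
    events: list[dict] = []
    current = {"event": "message", "data": [], "id": None}
    for line in body.splitlines():
        if line == "":
            if current["data"]:
                events.append({"event": current["event"],
                               "data": "\n".join(current["data"]),
                               "id": current["id"]})
            current = {"event": "message", "data": [], "id": None}
            continue
        if line.startswith(":"):          # comment / keep-alive line
            continue
        name, sep, value = line.partition(":")
        if sep and value.startswith(" "):  # a single leading space is stripped
            value = value[1:]
        if name == "data":
            current["data"].append(value)
        elif name == "event":
            current["event"] = value
        elif name == "id":
            current["id"] = value
    if current["data"]:                    # stream ended without a trailing blank line
        events.append({"event": current["event"],
                       "data": "\n".join(current["data"]), "id": current["id"]})
    return events


def validate_jsonrpc_response(msg) -> str | None:
    """Return None if msg is a well-formed JSON-RPC 2.0 response, else the defect."""
    if not isinstance(msg, dict):
        return "response is not a JSON object"
    if msg.get("jsonrpc") != JSONRPC_VERSION:
        return "missing or wrong 'jsonrpc' member"
    if "id" not in msg:
        return "missing 'id'"
    has_result, has_error = "result" in msg, "error" in msg
    if has_result == has_error:
        return "exactly one of 'result' or 'error' is required"
    err = msg.get("error")
    if has_error and not (isinstance(err, dict) and {"code", "message"} <= err.keys()):
        return "'error' must be an object with 'code' and 'message'"
    return None


def extract_initialize_response(content_type: str, body: str, request_id) -> dict:
    """Find the JSON-RPC response to request_id in a POST response body, whichever
    of the two transport framings the server chose. Other messages on an SSE
    stream (notifications, responses to other ids) are skipped, not errors."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type == "application/json":
        candidates, transport = [body], "json"
    elif media_type == "text/event-stream":
        candidates = [e["data"] for e in parse_sse(body) if e["event"] == "message"]
        transport = "sse"
    else:
        return {"ok": False, "transport": media_type, "message": None,
                "reason": f"unexpected Content-Type {content_type!r}"}

    reason = "no JSON-RPC message found in body"
    for payload in candidates:
        try:
            msg = json.loads(payload)
        except json.JSONDecodeError as exc:
            reason = f"invalid JSON: {exc.msg}"
            continue
        if not isinstance(msg, dict) or msg.get("id") != request_id:
            reason = f"no response with id {request_id!r} found"
            continue
        defect = validate_jsonrpc_response(msg)
        return {"ok": defect is None, "transport": transport, "message": msg, "reason": defect}
    return {"ok": False, "transport": transport, "message": None, "reason": reason}


# Constructed sample bodies (hypothetical server name; not taken from this issue's server).
INIT_RESULT = {"jsonrpc": "2.0", "id": 1, "result": {
    "protocolVersion": "2025-11-25", "capabilities": {"tools": {}},
    "serverInfo": {"name": "example-server", "version": "0.0.0"}}}
JSON_BODY = json.dumps(INIT_RESULT)
SSE_BODY = (
    ": keep-alive\n"
    "event: message\n"
    "data: " + json.dumps({"jsonrpc": "2.0", "method": "notifications/message",
                           "params": {"level": "info", "data": "starting"}}) + "\n\n"
    "event: message\nid: 7\n"
    "data: " + json.dumps(INIT_RESULT) + "\n\n"
)
HTML_BODY = "<html><body>Not Found</body></html>"

if __name__ == "__main__":
    for ctype, body in [("application/json", JSON_BODY),
                        ("text/event-stream; charset=utf-8", SSE_BODY),
                        ("text/event-stream", HTML_BODY)]:
        print(ctype, "->", extract_initialize_response(ctype, body, 1))
```

The distinction the function draws is the one a scanner finding should rest on: an SSE-framed initialize result is a compliant response, while a body that yields no parseable JSON-RPC message under either framing (the HTML sample) is the genuine MCP_INITIALIZE_FAILED case.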
