
bug: OAuth uses wrong authorization URL and missing redirectUri config

Open christso opened this issue 4 weeks ago • 4 comments

Problem

MCP OAuth fails with enterprise auth servers (Keycloak, Azure AD, Okta) due to two issues:

1. Wrong authorization URL (SDK bug)

MCP SDK 1.15.1 incorrectly constructs the authorization URL by appending /authorize to the issuer URL instead of using authorization_endpoint from OAuth metadata.

# Expected (from .well-known/openid-configuration):
https://idp.example.com/realms/mcp/protocol/openid-connect/auth

# Actual (SDK 1.15.1):
https://idp.example.com/authorize

This causes the browser to redirect to a non-existent endpoint.

2. No redirect URI configuration

OAuth servers validate that the redirect URI exactly matches a pre-registered URI. OpenCode hardcodes http://127.0.0.1:19876/mcp/oauth/callback, which may not be registered on the OAuth server.

Users cannot configure a custom redirect URI to match what's registered (e.g., Claude Code's http://localhost:41842/callback).

Reproduction Steps

Keycloak

  1. Configure an MCP server with OAuth in opencode.json:

    "mcp": {
      "example-mcp-server": {
        "type": "remote",
        "url": "https://your-mcp-server.com",
        "oauth": {
          "clientId": "your-client-id",
          "scope": "openid profile email"
        }
      }
    }
    
  2. Run the auth command:

    opencode mcp auth example-mcp-server
    
  3. Browser opens and navigates to the authorization URL

  4. Result: "Page not found" error because the SDK constructs the wrong URL (/authorize instead of the actual authorization_endpoint from OAuth discovery)


GitHub MCP

I observed similar behaviour with GitHub MCP.

  1. Create an OpenCode OAuth app in Developer settings

  2. Add GitHub MCP to .config/opencode.json:

    {
      "$schema": "https://opencode.ai/config.json",
      "mcp": {
        "github": {
          "type": "remote",
          "url": "https://api.githubcopilot.com/mcp/",
          "enabled": true,
          "oauth": {
            "clientId": "your-client-id",
            "clientSecret": "your-client-secret"
          }
        }
      }
    }
    
  3. Run the auth command:

    opencode mcp auth github
    
  4. Result: The SDK constructs the wrong URL (/authorize instead of the actual authorization_endpoint from OAuth discovery). Note: The URL github.com/authorize actually points to the GitHub user "authorize".


Solution

  1. Upgrade MCP SDK to 1.25.1+ which correctly reads authorization_endpoint
  2. Add redirectUri config so users can specify the callback URL

User Configuration

This is a typical configuration for Keycloak that impersonates Claude Code:

"mcp": {
  "<server-name>": {
    "type": "remote",
    "url": "https://<your-mcp-server>",
    "oauth": {
      "clientId": "f637990b-e806-402b-9652-2eac0ae05840",
      "redirectUri": "http://localhost:41842/callback",
      "scope": "openid profile email"
    }
  }
}

Explanation

  1. If I upgrade MCP SDK from 1.15.1 to 1.25.1+, it constructs the correct path for Keycloak.
  2. The MCP SDK upgrade will also fix GitHub MCP OAuth because it will resolve to the correct URL: github.com/login/oauth/authorize.
  3. However, Keycloak also validates the callback URL (currently many enterprise systems match the callback URL pattern for VS Code and Claude Code, not OpenCode). If I set the redirectUri to impersonate Claude Code, the authentication is successful.

christso, Dec 18 '25 23:12
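The two failure modes the issue describes, as an added example that is not code from OpenCode or the MCP SDK: the discovery document, the `redirectUri` config field and the registered-URI list are constructed to mirror the Keycloak case above, and the helper names are hypothetical.

```typescript
// Added example (not OpenCode or MCP SDK code). Contrasts the buggy
// "issuer + /authorize" construction with one that honours authorization_endpoint,
// and shows the exact-match redirect_uri check an authorization server performs.

interface OidcMetadata {
  issuer: string;
  authorization_endpoint: string;
  token_endpoint: string;
}

// Constructed Keycloak-style discovery document (as served from
// /.well-known/openid-configuration); values mirror the issue text.
const SAMPLE_METADATA: OidcMetadata = {
  issuer: "https://idp.example.com/realms/mcp",
  authorization_endpoint: "https://idp.example.com/realms/mcp/protocol/openid-connect/auth",
  token_endpoint: "https://idp.example.com/realms/mcp/protocol/openid-connect/token",
};

// Buggy construction (SDK 1.15.1 behaviour as described): resolving "/authorize"
// against the issuer drops the realm path and yields https://idp.example.com/authorize.
function buggyAuthorizationUrl(issuer: string): string {
  return new URL("/authorize", issuer).toString();
}

// Correct construction: take the endpoint the server advertises and append the
// standard authorization-request parameters.
function authorizationUrlFromMetadata(meta: OidcMetadata, params: { [k: string]: string }): string {
  if (!meta.authorization_endpoint) throw new Error("discovery document lacks authorization_endpoint");
  const url = new URL(meta.authorization_endpoint);
  for (const key of Object.keys(params)) url.searchParams.set(key, params[key]);
  return url.toString();
}

// Server-side check: redirect_uri must match a registered URI byte for byte, which is
// why a hardcoded callback fails when only another client's URI is registered.
function redirectUriError(requested: string, registered: string[]): string | null {
  return registered.indexOf(requested) >= 0 ? null : `redirect_uri not registered: ${requested}`;
}

// Client-side helper mirroring the proposed config: redirectUri from opencode.json
// (field name taken from the issue's proposal, hypothetical) feeds redirect_uri.
function buildAuthRequest(meta: OidcMetadata, cfg: { clientId: string; redirectUri: string; scope: string }): string {
  return authorizationUrlFromMetadata(meta, {
    response_type: "code",
    client_id: cfg.clientId,
    redirect_uri: cfg.redirectUri,
    scope: cfg.scope,
  });
}
```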

This issue might be a duplicate of existing issues. Please check:

  • #5444: MCP with oauth doesn't work (same root cause - Dynamic Client Registration failures with enterprise OAuth servers like Jira)
  • #5716: Is github mcp serve with oauth supposed to be working? (DCR HTTP 422 failure with GitHub MCP)
  • #5665: Support multiple authentication flows for enterprise SSO compatibility (related authentication flow enhancement)
  • #5748: Proposal: Provider Auth v2 (related auth infrastructure improvements)

Feel free to ignore if your specific case involves different requirements.

github-actions[bot], Dec 18 '25 23:12

@thdxr Could you please relabel this as a bug? The root causes are identified: SDK uses wrong authorization URL + missing redirectUri config. PR #5940 has the fix.

christso, Dec 22 '25 09:12

@christso when you opened the issue, you made it as a feature request instead of a bug report, so it wasn't labeled as a bug

rekram1-node, Dec 22 '25 14:12