[BUG] MCP Oauth - using wrong redirect_uri for remote mcp with oauth2.1
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
I am using a remote MCP server that supports OAuth 2.1 to enable multiple users to access the same MCP server instance.
When I add an MCP server with "type": "http" that uses OAuth, it generates a call to the authorize endpoint with the wrong redirect_uri.
The MCP server has:
- /.well-known/oauth-protected-resource
- /.well-known/oauth-authorization-server
- /oauth2/register
They are called, and the register endpoint returns the correct redirect_uri:
{
  "redirect_uris": [
    "https://my-mcp-server/oauth2callback"
  ],
  ...
}
In Claude Code (and in the remote MCP server) I see that those endpoints are called.
Regardless, the authorize endpoint that is built is:
https://my-mcp-server/oauth2/authorize?response_type=code&client_id=<CLIENT_ID>&code_challenge=<CODE_CHALLENGE>&code_challenge_method=<METHOD>&redirect_uri=http%3A%2F%2Flocalhost%3A56648%2Fcallback&state=<STATE>&scope=<SCOPES>&resource=https%3A%2F%2Fmy-mcp-server%2Fmcp
As you can see, the redirect_uri is http://localhost:<port>/callback
This auth request is rejected, as this redirect_uri is not authorized by the client.
What Should Happen?
The generated authorize endpoint address should have the redirect_uri parameter set to the redirect_uris value returned in the response of /oauth2/register.
i.e.
https://my-mcp-server/oauth2/authorize?response_type=code&client_id=<CLIENT_ID>&code_challenge=<CODE_CHALLENGE>&code_challenge_method=<METHOD>&redirect_uri=https%3A%2F%2Fmy-mcp-server%3A56648%2Foauth2callback&state=<STATE>&scope=<SCOPES>&resource=https%3A%2F%2Fmy-mcp-server%2Fmcp
As you can see, the redirect_uri is http://localhost:<port>/callback
Error Messages/Logs
Steps to Reproduce
- Create a local .mcp.json file with the following:
{
  "mcpServers": {
    "my_oauth_mcp": {
      "type": "http",
      "url": "https://my_oauth_mcp/mcp"
    }
  }
}
- Run claude
- Call the /mcp command
- Choose my_oauth_mcp
- Choose authenticate
Claude Model
Sonnet (default)
Is this a regression?
I don't know
Last Working Version
No response
Claude Code Version
2.0.27
Platform
Google Vertex AI
Operating System
macOS
Terminal/Shell
iTerm2
Additional Information
An example of an MCP server like that is https://github.com/taylorwilsdon/google_workspace_mcp
I would add that the issue is wider. Some IdPs (like OKTA enterprise) do not allow DCR and there's no way to call /register and get back a redirect URI. Tools like Cursor use a more predictable callback URI like cursor://anysphere.cursor-mcp/oauth/user-foo/callback. But claude-code listens on a random port and there's no way to configure OKTA, for example, to allow any port on localhost - you can't configure http://localhost:*/callback
So ideally when this is fixed it would be great if it respected the return value from /register but if there's no value there then don't generate a random PORT url as it's not workable with some IdPs like OKTA.
Thanks!
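The redirect_uri comparison behind the rejection described in the report and in the comment above, as an added example (not code from Claude Code, the MCP server, or any IdP). The function names and the allow_loopback_port switch are hypothetical; the switch models the RFC 8252 section 7.3 rule that the port is ignored for loopback IP literals, which goes beyond what the thread states, and whether a given IdP implements it is an assumption.

```python
from urllib.parse import parse_qs, urlsplit

# Values taken from the report; client_id and state are constructed placeholders.
REGISTERED = ["https://my-mcp-server/oauth2callback"]
AUTHORIZE_URL = (
    "https://my-mcp-server/oauth2/authorize?response_type=code"
    "&client_id=example-client&state=example-state"
    "&redirect_uri=http%3A%2F%2Flocalhost%3A56648%2Fcallback"
    "&resource=https%3A%2F%2Fmy-mcp-server%2Fmcp"
)
LOOPBACK_IPS = {"127.0.0.1", "::1"}


def redirect_uri_of(authorize_url):
    """Return the decoded redirect_uri parameter of an authorize URL, or None."""
    values = parse_qs(urlsplit(authorize_url).query).get("redirect_uri")
    return values[0] if values else None


def is_registered(requested, registered_uris, allow_loopback_port=False):
    """Check a requested redirect_uri against the client's registered list.

    The default is exact string comparison. With allow_loopback_port=True the
    port is ignored only for http URIs on a loopback IP literal; the name
    "localhost" never gets that relaxation.
    """
    if requested is None:
        return False
    if requested in registered_uris:
        return True
    if not allow_loopback_port:
        return False
    req = urlsplit(requested)
    if req.scheme != "http" or req.hostname not in LOOPBACK_IPS:
        return False
    wanted = ("http", req.hostname, req.path, req.query)
    for uri in registered_uris:
        reg = urlsplit(uri)
        if (reg.scheme, reg.hostname, reg.path, reg.query) == wanted:
            return True
    return False


if __name__ == "__main__":
    requested = redirect_uri_of(AUTHORIZE_URL)
    print(requested, "->", is_registered(requested, REGISTERED))
```

With the report's values the check returns False, which matches the rejection; a random-port callback passes only when the registered URI is an http loopback IP literal and the server applies the port relaxation.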
Found that deep in the code it supports this:
export MCP_OAUTH_CALLBACK_PORT=12345