[BUG] Omits OAuth resource parameter required by MCP 2025-06-18

Resolved 💬 3 comments Opened Oct 29, 2025 by btiernay Closed Nov 3, 2025

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

Claude Code does not send the resource parameter as required by the MCP 2025-06-18 specification:
https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization#resource-parameter-implementation

The request as captured by the AS:

https://<snip>/authorize?response_type=code&client_id=BKD3qFcyAty7JKrYFF9FbatEaLLizr8T&code_challenge=m<snip>&code_challenge_method=S256&redirect_uri=http%3A%2F%2Flocalhost%3A59430%2Fcallback&state=Y-nto_D7WTTRRvopM-XTEAgI3fcyf9FY9X9Wdm8G6dk&scope=openid+profile+offline_access+name+given_name+family_name+nickname+email+email_verified+picture+created_at+identities+phone+address&prompt=consent

Note: no resource parameter

What Should Happen?

The resource parameter should be included in the authorization request (and echoed in the token request), pointing to the canonical URI of the MCP server. For example:

&resource=https%3A%2F%2Fyour-mcp.example.com

Error Messages/Logs

[DEBUG] MCP server "test": Token expired without refresh token
[DEBUG] MCP server "test": Generated new OAuth state
[DEBUG] MCP server "test": Saving code verifier
[DEBUG] MCP server "test": Authorization URL: https://<snip>/authorize?response_type=code&client_id=GwLqQ1Vw8VZnBB6R54FDBnFHaQiQivLR&code
_challenge=<snip>&code_challenge_method=S256&redirect_uri=http%3A%2F%2Flocalhost%3A3118%2Fcallback&state=8juLJP4REDuhKodHS
Urc2-C5ZvPcfsdMfb8hy10EHL4
[DEBUG] MCP server "test": Scopes in URL: NOT FOUND
[DEBUG] MCP server "test": No scopes available from URL or metadata
[DEBUG] MCP server "test": Redirection handling is disabled, skipping redirect
[DEBUG] MCP server "test": HTTP Connection failed after 2736ms: Unauthorized (code: none, errno: none)
[ERROR] MCP server "test" Error: Unauthorized
[DEBUG] MCP server "test": Authentication required for HTTP server
````

### Steps to Reproduce

1. Create an HTTP MCP server.
2. Host protected resource metadata that identifies the server’s canonical `resource` URI.
3. Add the MCP server to Claude Code.
4. Try to connect.

### Claude Model

None

### Is this a regression?

No, this never worked

### Last Working Version

*No response*

### Claude Code Version

2.0.28

### Platform

AWS Bedrock

### Operating System

macOS

### Terminal/Shell

iTerm2

### Additional Information

This is not a duplicate of the existing scope-related reports. Those issues focus on problems with `scope` discovery or inclusion:

- #4540 reports that `scope` is omitted during Dynamic Client Registration and in the authorization request.
- #7744 reports that the client ignores `scopes_supported` from protected resource metadata, which prevents issuance of a refresh token because `offline_access` is never requested.
- #8001 reports that DCR omits `scope`, which can yield over-privileged registrations on permissive servers.

By contrast, this report targets the missing OAuth Resource Indicator, `resource`, which MCP 2025-06-18 requires in both the authorization request and the token request. The captured authorization URL already contains many scopes, yet it still fails because `resource` is absent. That shows the failure is independent of scope handling.

Why this is novel and user visible:
- Interoperability: Authorization servers that implement RFC 8707 and the MCP spec may reject requests without `resource`, regardless of the scopes provided.
- Security and audience binding: Without `resource`, the AS cannot accurately bind the token to the intended MCP server, which creates an ambiguous or incorrect audience. Servers that enforce audience binding will deny the flow.
- Orthogonality to DCR: Even if DCR includes correct scopes, the online authorization and token exchanges still need `resource`. Fixes to scope inclusion do not address this.
- Minimal remediation: Include the canonical MCP server URI as `resource` in both the authorization request and token exchange. Example: `resource=https%3A%2F%2Fyour-mcp.example.com`.

Impact: compliant AS and resource servers will reject the request, and token audience may be ambiguous without `resource`.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗