[BUG] Atlassian MCP OAuth uses `localhost` instead of RFC 8252 recommended `127.0.0.1`

Resolved 💬 3 comments Opened Dec 15, 2025 by christiananagnostou Closed Feb 14, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

The Atlassian MCP server uses http://localhost:{port}/callback for OAuth redirect URIs.

RFC 8252 (OAuth 2.0 for Native Apps) Section 7.3 recommends using the loopback IP literal 127.0.0.1 instead of localhost.

This causes authentication failures with organizations that have OAuth security policies only allowing RFC-compliant IP literal redirects. When attempting to re-authenticate with the Atlassian MCP server, the OAuth flow fails because the redirect URI http://localhost:56691/callback is rejected.

The redirect URI shown during authentication:

  • Current: http://localhost:56691/callback
  • Expected: http://127.0.0.1:56691/callback

For example, the Atlassian authorization page shows:

Organizations with strict OAuth policies reject this redirect URI.

What Should Happen?

The Atlassian MCP server should use http://127.0.0.1:{port}/callback for OAuth redirect URIs, following RFC 8252 Section 7.3 recommendations.

This would ensure compatibility with OAuth providers that strictly follow the RFC specification.

Error Messages/Logs

Steps to Reproduce

  1. Have an Atlassian organization with OAuth security policies that only allow RFC 8252 compliant redirect URIs (IP literals)
  2. Run /mcp in Claude Code
  3. Select the Atlassian MCP server
  4. Select "Re-authenticate"
  5. Observe the redirect URI shown is http://localhost:{port}/callback
  6. Authentication fails because the OAuth provider rejects localhost redirects

Claude Model

Opus

Is this a regression?

Yes, this worked in a previous version

Last Working Version

Unknown - was working approximately 1 week ago

Claude Code Version

2.0.69 (Claude Code)

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

Terminal.app (macOS)

Additional Information

RFC 8252 Reference

From RFC 8252 Section 7.3:

Loopback redirect URIs use the "http" scheme and are constructed with the loopback IP literal and whatever port the client is listening on. That is, "http://127.0.0.1:{port}/{path}" for IPv4, and "http://[::1]:{port}/{path}" for IPv6.

GitHub's OAuth Documentation

GitHub's OAuth docs also note:

OAuth RFC recommends not to use localhost, but instead to use loopback literal 127.0.0.1 or IPv6 ::1

Source: https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps#loopback-redirect-urls

Impact

Users in organizations with strict OAuth security policies cannot authenticate with the Atlassian MCP server, blocking access to Jira, Confluence, and Compass integrations.

Suggested Fix

Update the Atlassian MCP server OAuth configuration to use http://127.0.0.1:{port}/callback instead of http://localhost:{port}/callback.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗