[BUG] Atlassian MCP OAuth uses `localhost` instead of RFC 8252 recommended `127.0.0.1`
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
The Atlassian MCP server uses http://localhost:{port}/callback for OAuth redirect URIs.
RFC 8252 (OAuth 2.0 for Native Apps) Section 7.3 recommends using the loopback IP literal 127.0.0.1 instead of localhost.
This causes authentication failures with organizations that have OAuth security policies only allowing RFC-compliant IP literal redirects. When attempting to re-authenticate with the Atlassian MCP server, the OAuth flow fails because the redirect URI http://localhost:56691/callback is rejected.
The redirect URI shown during authentication:
- Current:
http://localhost:56691/callback - Expected:
http://127.0.0.1:56691/callback
For example, the Atlassian authorization page shows:
- Redirect URIs: http://localhost:56691/callback
Organizations with strict OAuth policies reject this redirect URI.
What Should Happen?
The Atlassian MCP server should use http://127.0.0.1:{port}/callback for OAuth redirect URIs, following RFC 8252 Section 7.3 recommendations.
This would ensure compatibility with OAuth providers that strictly follow the RFC specification.
Error Messages/Logs
Steps to Reproduce
- Have an Atlassian organization with OAuth security policies that only allow RFC 8252 compliant redirect URIs (IP literals)
- Run
/mcpin Claude Code - Select the Atlassian MCP server
- Select "Re-authenticate"
- Observe the redirect URI shown is
http://localhost:{port}/callback - Authentication fails because the OAuth provider rejects
localhostredirects
Claude Model
Opus
Is this a regression?
Yes, this worked in a previous version
Last Working Version
Unknown - was working approximately 1 week ago
Claude Code Version
2.0.69 (Claude Code)
Platform
Anthropic API
Operating System
macOS
Terminal/Shell
Terminal.app (macOS)
Additional Information
RFC 8252 Reference
From RFC 8252 Section 7.3:
Loopback redirect URIs use the "http" scheme and are constructed with the loopback IP literal and whatever port the client is listening on. That is, "http://127.0.0.1:{port}/{path}" for IPv4, and "http://[::1]:{port}/{path}" for IPv6.
GitHub's OAuth Documentation
GitHub's OAuth docs also note:
OAuth RFC recommends not to use localhost, but instead to use loopback literal 127.0.0.1 or IPv6 ::1
Impact
Users in organizations with strict OAuth security policies cannot authenticate with the Atlassian MCP server, blocking access to Jira, Confluence, and Compass integrations.
Suggested Fix
Update the Atlassian MCP server OAuth configuration to use http://127.0.0.1:{port}/callback instead of http://localhost:{port}/callback.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗