[FEATURE] Support OAuth Device Authorization Grant (RFC 8628) for MCP Servers
Preflight Checklist
- [x] I have searched existing requests and this feature hasn't been requested yet
- [x] This is a single feature request (not multiple features)
Problem Statement
Feature Request: Support OAuth Device Authorization Grant (RFC 8628) for MCP Servers
Summary
Add support for the OAuth 2.0 Device Authorization Grant (RFC 8628) when authenticating with MCP servers, enabling OAuth flows in headless environments like SSH sessions, containers, and
remote development servers.
Problem
Claude Code currently only supports the authorization_code flow for MCP OAuth, which requires opening a browser and receiving a callback on localhost. This doesn't work in common development
scenarios:
- Remote development via SSH (e.g., VPS, EC2 instances)
- Containers and Docker environments
- WSL without browser integration
- Headless CI/CD pipelines
- tmux/screen sessions on remote machines
In these environments, Claude Code shows "A browser window will open for authentication" but can't actually open a browser, leaving users unable to authenticate with OAuth-protected MCP
servers.
Current Behavior
- Claude Code discovers MCP server OAuth metadata
- Ignores device_authorization_endpoint even if advertised
- Always initiates authorization_code flow with redirect_uri=http://localhost:*/callback
- Fails silently in headless environments (offers manual URL copy, but callback still can't be received)
Proposed Solution
Expected Behavior
- Claude Code checks OAuth server metadata for device flow support (device_authorization_endpoint and urn:ietf:params:oauth:grant-type:device_code in grant_types_supported)
- In headless environments (or when browser launch fails), automatically falls back to device flow
- Displays user code and verification URL:
To authenticate, visit: https://example.com/device
Enter code: ABCD-1234
Waiting for authorization...
- Polls token endpoint until user completes authorization
Use Case
I maintain an MCP server (nestr-mcp) that already implements device flow support per RFC 8628. Users on remote development environments can't use OAuth authentication because Claude Code
won't use the device flow, forcing them to fall back to API keys which have different permission scoping.
Technical References
- https://datatracker.ietf.org/doc/html/rfc8628
- https://modelcontextprotocol.io/specification/draft/basic/authorization
Suggested Implementation
- Detect headless environment (no DISPLAY, SSH session, etc.) or failed browser launch
- Check if server advertises device flow support in metadata
- Call device_authorization_endpoint to get device_code, user_code, and verification_uri
- Display user_code and verification_uri to user
- Poll token_endpoint with grant_type=urn:ietf:params:oauth:grant-type:device_code until authorized or timeout
Alternative Solutions
_No response_
Priority
Medium - Would be very helpful
Feature Category
MCP server integration
Use Case Example
see above
Additional Context
_No response_
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗