[BUG] Claude Desktop uses an incorrect redirect_uri during Dynamic Client Registration

Resolved 💬 3 comments Opened Feb 11, 2026 by embesozzi Closed Feb 14, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

Based on the 2025-11-25 MCP Authorization Spec, specifically the Protected Resource Metadata Discovery Requirements [1], if the tool returns an HTTP/1.1 401 Unauthorized as follows:

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer resource_metadata="https://mcp.example.com/.well-known/oauth-protected-resource",  scope="files:read"

Claude reads the resource_metadata URI and then performs discovery of the Identity Provider endpoints a then trigger a standard OAuth flow (Authorization Code with PKCE). Up to this point, these steps work correctly.

Claude Desktop, acting as the client, then initiates Dynamic Client Registration (DCR). During this process, it registers OAuth client MCP CLI Proxy with the redirect_uri as: http://localhost:35535/oauth/callback
Claude then opens the Identity Provider to continue the login flow. After authentication completes, the IdP attempts to redirect back to: http://localhost:35535/oauth/callback

Since this port is not open, the redirect fails and the overall authentication process breaks.

Please authorize this client by visiting:
https://{idp-url}/protocol/openid-connect/auth?response_type=code&client_id=7d43f99d-8e1c-4eab-b6e2-dfd416766150&code_challenge=wUWMWR1gN7u_7h4vv_4KrcdK3fPXZQT72ma6GbqBS0c&code_challenge_method=S256&redirect_uri=http%3A%2F%2Flocalhost%3A35535%2Foauth%2Fcallback&state=61866152-e9bd-4bcc-8bc4-9c6ab6b79d50&scope=profile&resource=http%3A%2F%2Flocalhost%3A8080%2F
[99441] Browser opened automatically.
[99441] Error from remote server: UnauthorizedError: Unauthorized

[1] https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization#protected-resource-metadata-discovery-requirements

What Should Happen?

In the DCR case, should Claude Desktop use a private-use URI scheme (app-specific deep links, for example claude://oauth/callback) to handle the standard OAuth callback?

Error Messages/Logs

Steps to Reproduce

  1. Implement the 2025-11-25 MCP Authorization Spec, specifically the Protected Resource Metadata Discovery Requirements

Claude Model

None

Is this a regression?

Yes, this worked in a previous version

Last Working Version

_No response_

Claude Code Version

Claude For MaC: Claude 1.1.2685 (f39a62) 2026-02-10T19:42:56.000Z

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

Terminal.app (macOS)

Additional Information

_No response_

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗