MCP OAuth discovery fails for servers without `/.well-known/oauth-authorization-server` (e.g. Snowflake Cortex MCP)

Resolved 💬 4 comments Opened Mar 6, 2026 by psmith39 Closed May 26, 2026

Describe the bug

When connecting to an HTTP MCP server that uses OAuth but doesn't expose a standard /.well-known/oauth-authorization-server discovery document, Claude Code silently fails to initiate the OAuth flow — no browser prompt appears, and the server never authenticates.

Steps to reproduce

  1. Configure an HTTP MCP server that returns a 401 with a WWW-Authenticate: Bearer resource_metadata=<url> header
  2. The resource metadata at <url> returns authorization_servers: ["https://example.com/oauth"]
  3. https://example.com/oauth/.well-known/oauth-authorization-server returns 404 (server doesn't expose RFC 8414 discovery)
  4. Open /mcp — no OAuth prompt appears, server shows as unauthenticated

Affected server: Snowflake Cortex MCP

Snowflake's built-in Cortex MCP server (CREATE MCP SERVER) is a concrete example. The server correctly returns a 401 with resource metadata, and its OAuth endpoints (/oauth/authorize, /oauth/token-request) work fine — but it doesn't expose /.well-known/oauth-authorization-server, so Claude Code's discovery chain breaks at step 3.

Verified endpoints:

  • GET /api/v2/databases/.../mcp-servers/CLAUDE_CODE → 401 with WWW-Authenticate
  • GET /.well-known/oauth-protected-resource/... → valid resource metadata JSON
  • GET /oauth/.well-known/oauth-authorization-server → 404
  • GET /.well-known/oauth-authorization-server → 404

Expected behavior

Either Claude Code handles missing discovery endpoints more gracefully (e.g. falls back to trying known endpoint patterns), or mcp.json allows manually specifying OAuth endpoints to bypass discovery:

{
  "mcpServers": {
    "snowflake": {
      "type": "http",
      "url": "https://account.snowflakecomputing.com/api/v2/databases/.../mcp-servers/SERVER",
      "oauthClientId": "<client-id>",
      "oauthAuthorizationEndpoint": "https://account.snowflakecomputing.com/oauth/authorize",
      "oauthTokenEndpoint": "https://account.snowflakecomputing.com/oauth/token-request"
    }
  }
}

Why this matters

Snowflake is widely used in enterprise environments and has official Cortex MCP support. This gap makes the Snowflake ↔ Claude Code integration completely non-functional without a custom proxy workaround.

View original on GitHub ↗

This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗