OAuth MCP servers fail in remote-control mode due to disabled redirect handling
Summary
When running Claude Code in remote-control mode, all HTTP/OAuth-based MCP servers (Slack, Figma, etc.) fail to authenticate. The OAuth browser redirect flow is intentionally disabled in remote-control mode, and there is no fallback to use refresh_token grants (which don't require a browser).
Environment
- Claude Code: 2.1.73
- Platform: macOS (Darwin)
- MCP servers affected: Any HTTP/OAuth MCP (Slack, Figma, etc.)
- MCP servers NOT affected: Claude AI-managed MCPs (Notion, Gmail, Calendar), local process MCPs (Backlog, GCP)
Steps to Reproduce
- Authenticate OAuth MCP servers normally (e.g., Slack MCP via browser flow)
- Start remote-control mode:
claude remote-control --name test - Try to use any OAuth MCP tool
- MCP server fails with Unauthorized / needs-auth
Debug Log Evidence
[DEBUG] MCP server "slack-mcp": Returning tokens
[DEBUG] MCP server "slack-mcp": Authorization URL: https://slack.com/oauth/v2_user/authorize?...
[DEBUG] MCP server "slack-mcp": Redirection handling is disabled, skipping redirect
[ERROR] MCP server "slack-mcp": HTTP Connection failed: Unauthorized
[DEBUG] MCP server "slack-mcp": Skipping connection (cached needs-auth)
Key line: Redirection handling is disabled, skipping redirect
Root Cause Analysis
The OAuth flow in remote-control mode:
- Reads tokens (possibly from file cache with empty values rather than Keychain)
- Attempts connection -> receives 401
- Tries OAuth redirect flow -> disabled in RC mode -> fails
- Caches needs-auth status -> skips all future attempts
The refresh_token grant (RFC 6749 Section 6) does NOT require a browser. But Claude Code doesn't attempt a token refresh before falling back to the full authorization flow.
Expected Behavior
In remote-control mode, Claude Code should:
- Read valid tokens from Keychain (not just the file cache)
- If accessToken is expired but refreshToken is valid, use grant_type=refresh_token (no browser needed)
- Only require browser-based re-authorization if the refresh token itself is invalid
- Not permanently cache needs-auth when a refresh could resolve it
Related Issues
- #28262 - MCP OAuth tokens not auto-refreshing despite valid refresh tokens
- #30447 - Feature Request for headless remote-control mode
Workaround
Start a normal Claude Code session first to trigger token refresh via browser, then start the RC session while tokens are fresh. Fragile — breaks when tokens expire during the RC session.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗