OAuth MCP servers fail in remote-control mode due to disabled redirect handling

Resolved 💬 3 comments Opened Mar 12, 2026 by iwata-shimpe Closed Mar 15, 2026

Summary

When running Claude Code in remote-control mode, all HTTP/OAuth-based MCP servers (Slack, Figma, etc.) fail to authenticate. The OAuth browser redirect flow is intentionally disabled in remote-control mode, and there is no fallback to use refresh_token grants (which don't require a browser).

Environment

  • Claude Code: 2.1.73
  • Platform: macOS (Darwin)
  • MCP servers affected: Any HTTP/OAuth MCP (Slack, Figma, etc.)
  • MCP servers NOT affected: Claude AI-managed MCPs (Notion, Gmail, Calendar), local process MCPs (Backlog, GCP)

Steps to Reproduce

  1. Authenticate OAuth MCP servers normally (e.g., Slack MCP via browser flow)
  2. Start remote-control mode: claude remote-control --name test
  3. Try to use any OAuth MCP tool
  4. MCP server fails with Unauthorized / needs-auth

Debug Log Evidence

[DEBUG] MCP server "slack-mcp": Returning tokens
[DEBUG] MCP server "slack-mcp": Authorization URL: https://slack.com/oauth/v2_user/authorize?...
[DEBUG] MCP server "slack-mcp": Redirection handling is disabled, skipping redirect
[ERROR] MCP server "slack-mcp": HTTP Connection failed: Unauthorized
[DEBUG] MCP server "slack-mcp": Skipping connection (cached needs-auth)

Key line: Redirection handling is disabled, skipping redirect

Root Cause Analysis

The OAuth flow in remote-control mode:

  1. Reads tokens (possibly from file cache with empty values rather than Keychain)
  2. Attempts connection -> receives 401
  3. Tries OAuth redirect flow -> disabled in RC mode -> fails
  4. Caches needs-auth status -> skips all future attempts

The refresh_token grant (RFC 6749 Section 6) does NOT require a browser. But Claude Code doesn't attempt a token refresh before falling back to the full authorization flow.

Expected Behavior

In remote-control mode, Claude Code should:

  1. Read valid tokens from Keychain (not just the file cache)
  2. If accessToken is expired but refreshToken is valid, use grant_type=refresh_token (no browser needed)
  3. Only require browser-based re-authorization if the refresh token itself is invalid
  4. Not permanently cache needs-auth when a refresh could resolve it

Related Issues

  • #28262 - MCP OAuth tokens not auto-refreshing despite valid refresh tokens
  • #30447 - Feature Request for headless remote-control mode

Workaround

Start a normal Claude Code session first to trigger token refresh via browser, then start the RC session while tokens are fresh. Fragile — breaks when tokens expire during the RC session.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗