[BUG] OAuth fails with AWS Cognito + AgentCore Gateway: token exchange silently fails due to missing code_challenge_methods_supported
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
Claude Code's MCP OAuth flow silently fails when connecting to a remote MCP server (AWS Bedrock AgentCore Gateway) that uses Amazon Cognito as the OIDC provider.
The browser-based authentication succeeds — the user logs in, Cognito redirects back to localhost with an authorization code, and the browser shows "Authentication Successful". However, Claude Code never stores the tokens and continues to show Auth: ✘ not authenticated.
The root cause is that Cognito's /.well-known/openid-configuration does not include the code_challenge_methods_supported field in its discovery metadata, even though Cognito fully supports PKCE with S256 in practice. Claude Code appears to fail silently during or after the token exchange step because of this missing field.
This was previously reported in #13275, which was closed due to inactivity without a fix.
What Should Happen?
Claude Code should successfully complete the OAuth flow with Cognito. Specifically:
- If code_challenge_methods_supported is absent from the OIDC discovery document, Claude Code should still attempt PKCE S256 (many providers support it without advertising it)
- The token exchange should succeed and tokens should be stored
- If the token exchange fails for any reason, Claude Code should display the actual error instead of silently failing
Error Messages/Logs
No error is displayed in the CLI. The /mcp screen shows:
xxxx MCP Server
Status: ✘ needs authentication
Auth: ✘ not authenticated
URL: https://[gateway].gateway.bedrock-agentcore.eu-west-1.amazonaws.com/mcp
The credentials file (~/.claude/.credentials.json) shows the tokens were never saved:
{
"mcpOAuth": {
"xxxx|xxxxxxxxxxxxxxxxx": {
"accessToken": "",
"expiresAt": 0,
"discoveryState": {
"authorizationServerUrl": "https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_xxxxxxxxxx",
"resourceMetadataUrl": "https://[gateway].gateway.bedrock-agentcore.eu-west-1.amazonaws.com/.well-known/oauth-protected-resource"
}
}
}
}
Cognito's OIDC discovery response (note: code_challenge_methods_supported is missing):
{
"authorization_endpoint": "https://[domain].auth.eu-west-1.amazoncognito.com/oauth2/authorize",
"token_endpoint": "https://[domain].auth.eu-west-1.amazoncognito.com/oauth2/token",
"response_types_supported": ["code", "token"],
"scopes_supported": ["openid", "email", "phone", "profile"],
"token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
"issuer": "https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_[pool_id]"
}
Steps to Reproduce
- Deploy an MCP server to AWS Bedrock AgentCore Runtime
- Create an AgentCore Gateway with customJWTAuthorizer pointing to a Cognito User Pool's OIDC discovery URL
- Create a Cognito app client with authorization_code grant, a client secret, and http://localhost:8080/callback as a callback URL
- Add the MCP server to Claude Code:
claude mcp add-json "my-server"
'{"type":"http","url":"https://[gateway-url]/mcp","oauth":{"clientId":"[cognito-client-id]","callbackPort":8080,"authServerMetadataUrl":"https://cognito-idp.[region].amazonaws.com/[pool-id]/.well-known/openid-configuration"}}'
--client-secret
- Open Claude Code, go to /mcp, select the server, click "Authenticate"
- Browser opens, user logs in successfully, browser redirects to http://localhost:8080/callback?code=...&state=...
- Browser shows "Authentication Successful"
- Claude Code still shows Auth: ✘ not authenticated
Claude Model
Opus
Is this a regression?
I don't know
Last Working Version
_No response_
Claude Code Version
2.1.78
Platform
Anthropic API
Operating System
Windows
Terminal/Shell
Windows Terminal
Additional Information
_No response_
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗