Claude.ai shows 'code: Field required' instead of OAuth denial reason during MCP connector setup

Resolved 💬 3 comments Opened Mar 22, 2026 by darrenhaas Closed Apr 20, 2026

Summary

When an MCP server's OAuth provider denies a user during the authorization flow, Claude.ai does not surface the denial reason. Instead it attempts to exchange a non-existent authorization code, showing the user:

\\\json
{"type":"error","error":{"type":"invalid_request_error","message":"code: Field required"}}
\
\\

Spec violation

RFC 6749 Section 4.1.2.1 — Authorization Error Response

When an authorization server denies the request, it returns \error=access_denied\ with an optional \error_description\ to the redirect URI. The client is responsible for presenting this to the user.

If the resource owner denies the access request or if the request fails for reasons other than a missing or invalid redirection URI, the authorization server informs the client by adding the following parameters to the query component of the redirection URI: - \error\ REQUIRED - \error_description\ OPTIONAL — Human-readable text providing additional information

Claude.ai ignores both parameters. Instead it proceeds to call the token endpoint without an authorization code, resulting in a meaningless "code: Field required" error.

Expected behavior

  1. Authorization server returns \?error=access_denied&error_description=No+account+found\
  2. Client reads \error\ and \error_description\
  3. Client displays the description to the user

Actual behavior

  1. Authorization server returns \?error=access_denied&error_description=No+account+found\
  2. Claude.ai ignores both parameters
  3. Claude.ai calls \/token\ without a \code\
  4. Token endpoint returns an error about missing \code\
  5. User sees raw JSON with no indication of what went wrong or what to do

Steps to reproduce

  1. Configure an MCP server with OAuth (Auth0, Okta, Azure AD, or any OIDC provider)
  2. Provider denies the user with a message (e.g., Auth0 \api.access.deny("No account found")\)
  3. User adds the MCP server as a Claude.ai custom connector
  4. User authenticates, gets denied by the provider
  5. Claude.ai shows "code: Field required" instead of the provider's message

Impact

Every MCP server using OAuth access control. Any identity provider that gates access returns denial reasons via RFC 6749 §4.1.2.1. Claude.ai swallows all of them. This affects both the Connectors Directory servers and custom connectors.

Workaround

Catch the missing code in the MCP server's token endpoint and return a custom error with a help URL. Claude.ai still renders it as raw JSON, but at least the URL is visible.

Happy to help test any fix.

---

Been building in this space a long time. We all want the same thing — MCP that just works for everyone. Happy to help test any fix.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗