[BUG] CIMD redirect_uri validation fails against MCP servers that support DCR (v2.1.81)

Resolved 💬 2 comments Opened Mar 24, 2026 by msekoranja Closed Apr 22, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

After updating to Claude Code 2.1.81, OAuth authentication to my MCP server fails with:

  {                                                                                                                    
    "error": "invalid_request",                        
    "error_description": "Redirect URI 'http://localhost:43661/callback' does not match CIMD redirect_uris.",          
    "state": "-UN_4yvpcta4m_9rqYeVVvHdKs1BV5oXFk-03ij2jgw"
  }                                                                                                                    
 ```                                                    
  This worked correctly in v2.1.80.                                                                                    
                                                       
  Context                                                                                                              
  
  The 2.1.81 release notes state:                                                                                      
                                                       
  ▎ Updated MCP OAuth to support Client ID Metadata Document (CIMD / SEP-991) for servers without Dynamic Client Registration
                                                                                                                       
  However, my MCP server does support DCR. It uses FastMCP's OIDCProxy (which extends OAuthProxy), and OAuthProxy      
  hardcodes ClientRegistrationOptions(enabled=True). The server's /.well-known/oauth-authorization-server metadata
  includes a registration_endpoint.                                                                                    
                                                       
  Since DCR is available, Claude Code should use DCR (which accepts dynamic localhost ports) rather than falling back  
  to CIMD validation.
                                                                                                                       
  Root Cause Analysis                                  

  The CIMD redirect_uris appear to contain fixed URIs, but Claude Code uses a random ephemeral port for the localhost  
  callback (e.g., localhost:43661). This is standard behavior per RFC 8252 (OAuth 2.0 for Native Apps), which requires
  servers to allow any port on loopback redirects. The CIMD validation does not account for this.                      
                                                       
  Two issues:
  1. CIMD is being used despite DCR being available — CIMD should only apply "for servers without Dynamic Client
  Registration"                                                                                                        
  2. CIMD redirect_uri validation doesn't handle dynamic localhost ports — per RFC 8252, native apps use ephemeral
  ports on loopback interfaces                                                                                         
                                                                                                                       
  Environment
                                                                                                                       
  - Claude Code: 2.1.81                                
  - Platform: Linux, WSL2, Windows
  - MCP Server: FastMCP 2.12.4 with OIDCProxy (Azure AD)
  - MCP Python SDK: 1.16.0                                                                                             
  - Auth: Azure AD OAuth via FastMCP's OIDCProxy with DCR enabled (hardcoded)                                          
                                                                                                                       
  Steps to Reproduce                                                                                                   
                                                                                                                       
  1. Set up an MCP server using FastMCP's OIDCProxy (which always enables DCR)                                         
  2. Update Claude Code to 2.1.81
  3. Connect to the MCP server — OAuth flow triggers CIMD validation                                                   
  4. Authentication fails with the redirect_uri mismatch error
                                                                                                                       
  Expected Behavior                                    
                                                                                                                       
  Claude Code should detect that the server supports DCR (via registration_endpoint in OAuth metadata) and use DCR     
  instead of CIMD. If CIMD is used, it should handle dynamic localhost ports per RFC 8252.
                                                                                                                       
  Workaround                                                                                                           
  
  Downgrade to Claude Code 2.1.80: claude update --version 2.1.80                                                      
                                                       

### What Should Happen?

See description above.

### Error Messages/Logs

```shell

Steps to Reproduce

See description above.

Claude Model

None

Is this a regression?

Yes, this worked in a previous version

Last Working Version

2.1.80

Claude Code Version

2.1.81

Platform

Anthropic API

Operating System

Ubuntu/Debian Linux

Terminal/Shell

WSL (Windows Subsystem for Linux)

Additional Information

_No response_

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗