[BUG] CIMD redirect_uri validation fails against MCP servers that support DCR (v2.1.81)
Resolved 💬 2 comments Opened Mar 24, 2026 by msekoranja Closed Apr 22, 2026
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
After updating to Claude Code 2.1.81, OAuth authentication to my MCP server fails with:
{
"error": "invalid_request",
"error_description": "Redirect URI 'http://localhost:43661/callback' does not match CIMD redirect_uris.",
"state": "-UN_4yvpcta4m_9rqYeVVvHdKs1BV5oXFk-03ij2jgw"
}
```
This worked correctly in v2.1.80.
Context
The 2.1.81 release notes state:
▎ Updated MCP OAuth to support Client ID Metadata Document (CIMD / SEP-991) for servers without Dynamic Client Registration
However, my MCP server does support DCR. It uses FastMCP's OIDCProxy (which extends OAuthProxy), and OAuthProxy
hardcodes ClientRegistrationOptions(enabled=True). The server's /.well-known/oauth-authorization-server metadata
includes a registration_endpoint.
Since DCR is available, Claude Code should use DCR (which accepts dynamic localhost ports) rather than falling back
to CIMD validation.
Root Cause Analysis
The CIMD redirect_uris appear to contain fixed URIs, but Claude Code uses a random ephemeral port for the localhost
callback (e.g., localhost:43661). This is standard behavior per RFC 8252 (OAuth 2.0 for Native Apps), which requires
servers to allow any port on loopback redirects. The CIMD validation does not account for this.
Two issues:
1. CIMD is being used despite DCR being available — CIMD should only apply "for servers without Dynamic Client
Registration"
2. CIMD redirect_uri validation doesn't handle dynamic localhost ports — per RFC 8252, native apps use ephemeral
ports on loopback interfaces
Environment
- Claude Code: 2.1.81
- Platform: Linux, WSL2, Windows
- MCP Server: FastMCP 2.12.4 with OIDCProxy (Azure AD)
- MCP Python SDK: 1.16.0
- Auth: Azure AD OAuth via FastMCP's OIDCProxy with DCR enabled (hardcoded)
Steps to Reproduce
1. Set up an MCP server using FastMCP's OIDCProxy (which always enables DCR)
2. Update Claude Code to 2.1.81
3. Connect to the MCP server — OAuth flow triggers CIMD validation
4. Authentication fails with the redirect_uri mismatch error
Expected Behavior
Claude Code should detect that the server supports DCR (via registration_endpoint in OAuth metadata) and use DCR
instead of CIMD. If CIMD is used, it should handle dynamic localhost ports per RFC 8252.
Workaround
Downgrade to Claude Code 2.1.80: claude update --version 2.1.80
### What Should Happen?
See description above.
### Error Messages/Logs
```shell
Steps to Reproduce
See description above.
Claude Model
None
Is this a regression?
Yes, this worked in a previous version
Last Working Version
2.1.80
Claude Code Version
2.1.81
Platform
Anthropic API
Operating System
Ubuntu/Debian Linux
Terminal/Shell
WSL (Windows Subsystem for Linux)
Additional Information
_No response_
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗