CIMD redirect_uris missing wildcard port breaks OAuth with MCP servers

Resolved 💬 3 comments Opened Mar 30, 2026 by henrysouchien Closed Apr 3, 2026

Problem

Claude Code's CIMD (Client ID Metadata Document) at https://claude.ai/oauth/claude-code-client-metadata lists redirect URIs without port wildcards:

{
    "client_id": "https://claude.ai/oauth/claude-code-client-metadata",
    "redirect_uris": [
        "http://localhost/callback",
        "http://127.0.0.1/callback"
    ]
}

However, Claude Code uses dynamic ports for its OAuth callback server (e.g., http://localhost:8080/callback or http://localhost:60351/callback). When an MCP server validates the redirect URI against the CIMD document, http://localhost:8080/callback does not match http://localhost/callback because no-port defaults to port 80 per RFC.

This causes the OAuth flow to fail with:

{"error":"invalid_request","error_description":"Redirect URI 'http://localhost:8080/callback' does not match CIMD redirect_uris."}

Expected Behavior

The CIMD document should use wildcard ports to match Claude Code's actual callback behavior:

"redirect_uris": [
    "http://localhost:*/callback",
    "http://127.0.0.1:*/callback"
]

This wildcard syntax is supported by the CIMD spec and by FastMCP's redirect_validation.py (_match_port accepts * as a wildcard).

Workaround

Server operators can disable CIMD support so Claude Code falls back to Dynamic Client Registration (DCR), which works because the client registers its own redirect URIs.

Environment

  • Claude Code CLI (latest, installed via npm @anthropic-ai/claude-code)
  • Remote MCP server using FastMCP 3.1.0 with GoogleProvider
  • macOS

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗