[BUG] MCP OAuth: Client does not fall back to OIDC Discovery (/.well-known/openid-configuration) when RFC 8414 metadata returns 404

Resolved 💬 3 comments Opened Mar 31, 2026 by jdereg Closed Apr 3, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

Summary

When connecting to an HTTP-type MCP server that uses OAuth2 authentication, the Claude Code MCP client does not fall back to the OpenID
Connect Discovery 1.0 endpoint when the RFC 8414 authorization server metadata endpoint returns 404.

Environment

  • Claude Code (claude.ai/code web app)
  • macOS
  • MCP server using OAuth2/OIDC with a UAA-based identity provider

What Should Happen?

Expected Behavior

Per the MCP spec authorization flow, when /.well-known/oauth-authorization-server returns a non-success response, the client should fall
back to fetching /.well-known/openid-configuration on the same authorization server.

In this case, https://oauth-proxy.internal/.well-known/openid-configuration returns a valid 200 response with all required metadata
(authorization_endpoint, token_endpoint, registration_endpoint, code_challenge_methods_supported, etc.).

Observed Behavior

The client only tries /.well-known/oauth-authorization-server, receives 404, and gives up with:
MCP server "storage-dev": HTTP Connection failed after 283ms: fetch failed
MCP server "storage-dev" TypeError: fetch failed
MCP server "storage-dev": Connection failed after 285ms: fetch failed

The OIDC discovery endpoint is never attempted.

Error Messages/Logs

Steps to Reproduce

Steps to Reproduce

  1. Configure an HTTP MCP server in ~/.claude/.mcp.json:

"storage-dev": {
"type": "http",
"url": "https://example.internal/mcp"
}

  1. The MCP server returns 401 Unauthorized with:

Www-Authenticate: Bearer resource_metadata="https://example.internal/.well-known/oauth-protected-resource"

  1. The client fetches the protected resource metadata, which returns:

{
"resource": "https://example.internal",
"authorization_servers": ["https://oauth-proxy.internal"]
}

  1. The client attempts to fetch https://oauth-proxy.internal/.well-known/oauth-authorization-server → 404 Not Found
  2. The client stops here and fails. It does not attempt the OIDC fallback.

Claude Model

Opus

Is this a regression?

No, this never worked

Last Working Version

_No response_

Claude Code Version

2.1.87

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

iTerm2

Additional Information

The Claude Code MCP client should follow the RFC 8414, specifically, it should also try OpenID Connect Discovery 1.0.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗