[BUG] OAuth redirect_uri uses localhost instead of 127.0.0.1, violating RFC 8252 Section 7.3

Open 💬 10 comments Opened Apr 2, 2026 by alzerid

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

Claude Code's OAuth client uses http://localhost:<port>/callback as the redirect URI when authenticating with MCP servers. This violates RFC 8252 Section 7.3, which specifies that native apps MUST use loopback IP literals (127.0.0.1 or ::1), not the localhost hostname.

This matters because the RFC only mandates dynamic port flexibility for loopback IP literals:

The authorization server MUST allow any port to be specified at the time of the request for loopback IP redirect URIs, to accommodate clients that obtain an available ephemeral port from the operating system at the time of the request.

OAuth authorization servers that strictly follow the RFC (including Spring Authorization Server, which is widely used) implement port flexibility only for 127.0.0.1 and ::1 — not for localhost. Since Claude Code uses ephemeral ports (e.g. http://localhost:54738/callback), and localhost does not qualify for dynamic port matching, the redirect URI fails validation.

Real-World Impact

Any OAuth authorization server that strictly implements RFC 8252 will reject Claude Code's redirect URI. Spring Authorization Server's default isLoopbackAddress() implementation, for example, only recognizes 127.0.0.1 and ::1 — not localhost. This means:

  1. Claude Code starts a local HTTP server on an ephemeral port
  2. It sends redirect_uri=http://localhost:54738/callback to the authorization server
  3. The auth server sees localhost, does NOT apply port flexibility (per RFC), and rejects the redirect URI since it doesn't exactly match any registered URI

This breaks MCP OAuth for any organization using an RFC-compliant authorization server. The workaround is to register localhost redirect URIs for every possible port, which is not practical.

Additional Context

  • Previous issue #14079 reported the same problem but was auto-closed due to inactivity — no human evaluation was made
  • The RFC also notes that localhost can resolve to addresses other than the loopback address on some systems, making it a less reliable choice for security-sensitive OAuth flows
  • This affects any MCP server that proxies OAuth to an RFC-compliant authorization server

Expected Behavior

Claude Code should use http://127.0.0.1:<port>/callback (not http://localhost:<port>/callback) for OAuth redirect URIs, per RFC 8252 Section 7.3.

Claude Code Version

2.1.90

Platform

Linux

View original on GitHub ↗

This issue has 10 comments on GitHub. Read the full discussion on GitHub ↗