[BUG] OAuth redirect_uri uses localhost instead of 127.0.0.1, violating RFC 8252 Section 7.3
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
Claude Code's OAuth client uses http://localhost:<port>/callback as the redirect URI when authenticating with MCP servers. This violates RFC 8252 Section 7.3, which specifies that native apps MUST use loopback IP literals (127.0.0.1 or ::1), not the localhost hostname.
This matters because the RFC only mandates dynamic port flexibility for loopback IP literals:
The authorization server MUST allow any port to be specified at the time of the request for loopback IP redirect URIs, to accommodate clients that obtain an available ephemeral port from the operating system at the time of the request.
OAuth authorization servers that strictly follow the RFC (including Spring Authorization Server, which is widely used) implement port flexibility only for 127.0.0.1 and ::1 — not for localhost. Since Claude Code uses ephemeral ports (e.g. http://localhost:54738/callback), and localhost does not qualify for dynamic port matching, the redirect URI fails validation.
Real-World Impact
Any OAuth authorization server that strictly implements RFC 8252 will reject Claude Code's redirect URI. Spring Authorization Server's default isLoopbackAddress() implementation, for example, only recognizes 127.0.0.1 and ::1 — not localhost. This means:
- Claude Code starts a local HTTP server on an ephemeral port
- It sends
redirect_uri=http://localhost:54738/callbackto the authorization server - The auth server sees
localhost, does NOT apply port flexibility (per RFC), and rejects the redirect URI since it doesn't exactly match any registered URI
This breaks MCP OAuth for any organization using an RFC-compliant authorization server. The workaround is to register localhost redirect URIs for every possible port, which is not practical.
Additional Context
- Previous issue #14079 reported the same problem but was auto-closed due to inactivity — no human evaluation was made
- The RFC also notes that
localhostcan resolve to addresses other than the loopback address on some systems, making it a less reliable choice for security-sensitive OAuth flows - This affects any MCP server that proxies OAuth to an RFC-compliant authorization server
Expected Behavior
Claude Code should use http://127.0.0.1:<port>/callback (not http://localhost:<port>/callback) for OAuth redirect URIs, per RFC 8252 Section 7.3.
Claude Code Version
2.1.90
Platform
Linux
This issue has 10 comments on GitHub. Read the full discussion on GitHub ↗