[FEATURE] Trigger OAuth authentication immediately after plugin install for HTTP MCP servers

Resolved 💬 3 comments Opened Apr 8, 2026 by blocwave Closed May 22, 2026

Problem

When installing a plugin that uses a remote HTTP MCP server with OAuth (e.g., type: "http" + RFC 9728 auto-discovery), the install and auth are separate steps:

  1. User clicks "Install for you (user scope)"
  2. Plugin installs successfully
  3. User must navigate to /mcp → select the server → click "Authenticate"
  4. OAuth flow triggers (browser opens, user signs in)
  5. Tools become available

Steps 2–3 are unnecessary friction. The user has to leave the install UI, find /mcp, locate the server, and manually trigger auth. Compare this to the Slack plugin experience where auth flows more naturally.

Proposed Solution

For plugins whose .mcp.json declares type: "http" with an oauth block (or whose server returns RFC 9728 metadata on 401), Claude Code should offer to authenticate immediately after install — either:

  • Option A: Add an authUrl or onInstall field to plugin.json that Claude Code opens in the browser right after install
  • Option B: Automatically attempt MCP connection post-install, detect the 401 + WWW-Authenticate header, and trigger the OAuth flow inline — before exiting the plugin marketplace UI
  • Option C: Show an "Authenticate now" button in the install confirmation screen (similar to how /mcp shows it)

Current Workaround

Users must:

  1. Install the plugin
  2. Either use a tool (which triggers 401 → OAuth) or go to /mcp → Authenticate

This works but is confusing for first-time users who see "failed" / "not authenticated" status after a successful install.

Context

  • Affects all remote HTTP MCP plugins with OAuth (not just ours)
  • The .mcp.json oauth.clientId + callbackPort pattern (used by Slack) makes auth deterministic but still requires a separate trigger
  • RFC 9728 auto-discovery works well once triggered — the gap is _when_ it triggers
  • Related: #45219 (install button greyed out for OAuth servers), #42922 (OAuth prompt flooding)

Environment

  • Claude Code CLI
  • Remote HTTP MCP servers with OAuth 2.1 (RFC 9728 + RFC 8414)
  • Tested with custom MCP server deployed on Cloud Run

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗