[BUG] Random local post port for MCP server with OAuth via Asana MCP
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
Summary
When re-authenticating an HTTP MCP server with OAuth, Claude Code generates a random localhost port for redirect_uri instead of honoring the configured callbackPort (set via --callback-port flag and present in .mcp.json). This breaks integrations with OAuth providers that enforce strict redirect URI matching (e.g., Asana V2 MCP).
Related to but distinct from #10439.
Environment
- Claude Code version: 2.1.123
- macOS Darwin 25.4.0
- MCP server: Asana V2 (
https://mcp.asana.com/v2/mcp)
Configuration
{
"mcpServers": {
"asana": {
"type": "http",
"url": "https://mcp.asana.com/v2/mcp",
"oauth": {
"clientId": "<redacted>",
"callbackPort": 8080
}
}
}
}
claude mcp get asana confirms callback_port 8080 is configured. Asana MCP app has http://localhost:8080/callback registered. Port 8080 is verified free (lsof -i :8080 returns nothing).
Steps to reproduce
- Register an Asana MCP app with
http://localhost:8080/callbackas redirect URI claude mcp add asana --transport http https://mcp.asana.com/v2/mcp --client-id <id> --client-secret --callback-port 8080 -s project/mcp→ authenticate → ✅ initial auth succeeds with port 8080- Next session,
/mcp→ authenticate again - ❌ Asana error: "The
redirect_uriparameter does not match a valid url for the application"
Observed redirect_uri values from re-auth attempts
redirect_uri=http://localhost:62322/callback
redirect_uri=http://localhost:64155/callback
Different random port each time, despite callbackPort: 8080.
What I tried (none worked)
- Removed and re-added MCP server with explicit
--callback-port 8080 - Deleted
~/.claude/mcp-needs-auth-cache.json - Verified port 8080 is free at auth time
- Verified config via
claude mcp get
Expected behavior
Per the docs: "Use --callback-port to fix the port so it matches a pre-registered redirect URI of the form http://localhost:PORT/callback." Claude Code should always bind to that port and send a matching redirect_uri.
Why this matters
Enterprise OAuth providers (Asana, Salesforce, Microsoft) typically require exact redirect URI matching and don't follow RFC 8252's loopback-port-flexibility recommendation. Without callbackPort being honored on re-auth, Claude Code can't maintain authenticated MCP connections to these providers across sessions.
What Should Happen?
Asana MCP requires EXACT match for the callback port and not random ports every single time.
When callbackPort is set in an HTTP MCP server's OAuth config (via
--callback-port flag or in .mcp.json), Claude Code should bind the OAuth
callback listener to that exact port and send a matching
redirect_uri=http://localhost:PORT/callback value to the authorization server
on every auth attempt — including re-auth after token expiry.
Per the official docs: "Use --callback-port to fix the port so it matches a
pre-registered redirect URI of the form http://localhost:PORT/callback."
Initial auth honors this correctly. Subsequent re-auth attempts ignore the
configured callbackPort and use a random ephemeral port instead, breaking the
OAuth flow with any provider that does strict redirect URI matching.
Error Messages/Logs
Browser shows the Asana OAuth error page with this message:
"Error invalid_request: The `redirect_uri` parameter does not match a valid
url for the application."
Captured authorization URLs from two separate re-auth attempts (client_id
redacted):
Attempt 1:
https://app.asana.com/-/oauth_authorize?response_type=code&client_id=<redacted>
&code_challenge=<...>&code_challenge_method=S256&redirect_uri=http%3A%2F%2Floca
lhost%3A62322%2Fcallback&state=<...>&scope=default&resource=https%3A%2F%2Fmcp.a
sana.com%2Fv2%2Fmcp
Attempt 2 (after full cache wipe + fresh re-add):
https://app.asana.com/-/oauth_authorize?response_type=code&client_id=<redacted>
&code_challenge=<...>&code_challenge_method=S256&redirect_uri=http%3A%2F%2Floca
lhost%3A64155%2Fcallback&state=<...>&scope=default&resource=https%3A%2F%2Fmcp.a
sana.com%2Fv2%2Fmcp
Both show:
redirect_uri=http://localhost:<random-port>/callback
Despite `claude mcp get asana` confirming:
OAuth: client_id configured, client_secret configured, callback_port 8080
No errors in Claude Code itself — the `/mcp` command and `/mcp → Authenticate`
flow complete normally on the client side. The failure is server-side at Asana,
because the configured port is not being used in the actual OAuth request.
Paste each into its matching field. If there's an "Environment" or "Version"
field, fill in: Claude Code 2.1.123, macOS Darwin 25.4.0.
Steps to Reproduce
- Register an Asana MCP app at https://app.asana.com/0/my-apps with redirect
URI exactly: http://localhost:8080/callback
- App type: MCP app
- Uncheck "This is a native or command-line app"
- In a terminal, configure environment and add the MCP server:
cd /path/to/project
claude mcp add asana --transport http https://mcp.asana.com/v2/mcp
--client-id <your-asana-client-id> --client-secret --callback-port 8080 -s
project
(paste client secret when prompted)
- Verify config:
claude mcp get asanaconfirmscallback_port 8080is set.
- Verify port 8080 is free:
lsof -i :8080returns nothing.
- Launch Claude Code:
claude
- Run
/mcp→ select asana → Authenticate
→ Browser opens to Asana auth page
→ ✅ redirect_uri in URL is http://localhost:8080/callback as expected
→ Click Allow → callback succeeds → asana shows "Connected"
- Close Claude Code. Open a new session the next day (or after token expiry).
- Run
/mcp→ select asana → Authenticate again
→ Browser opens to Asana auth page
→ ❌ redirect_uri in URL is http://localhost:<random-port>/callback (e.g.,
62322, 64155 — different each attempt)
→ Asana rejects: "The redirect_uri parameter does not match a valid url
for the application"
- Confirmed not fixable client-side via:
- Removing and re-adding MCP server with explicit
--callback-port 8080 - Deleting
~/.claude/mcp-needs-auth-cache.json - Restarting Claude Code
- Verifying
claude mcp get asanastill showscallback_port 8080
Claude Model
Opus
Is this a regression?
Yes, this worked in a previous version
Last Working Version
Last working version: Unknown — initial OAuth auth worked correctly on 2.1.123 (yesterday). Re-auth has never worked in any version I've tested. Related issue #10439 (closed as "not planned") was filed against 2.0.27 with similar behavior.
Claude Code Version
2.1.123
Platform
Anthropic API
Operating System
macOS
Terminal/Shell
VS Code integrated terminal
Additional Information
_No response_
This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗