[BUG] Random local post port for MCP server with OAuth via Asana MCP

Resolved 💬 4 comments Opened Apr 30, 2026 by mimiako Closed May 23, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

Summary

When re-authenticating an HTTP MCP server with OAuth, Claude Code generates a random localhost port for redirect_uri instead of honoring the configured callbackPort (set via --callback-port flag and present in .mcp.json). This breaks integrations with OAuth providers that enforce strict redirect URI matching (e.g., Asana V2 MCP).

Related to but distinct from #10439.

Environment

  • Claude Code version: 2.1.123
  • macOS Darwin 25.4.0
  • MCP server: Asana V2 (https://mcp.asana.com/v2/mcp)

Configuration

{
  "mcpServers": {
    "asana": {
      "type": "http",
      "url": "https://mcp.asana.com/v2/mcp",
      "oauth": {
        "clientId": "<redacted>",
        "callbackPort": 8080
      }
    }
  }
}

claude mcp get asana confirms callback_port 8080 is configured. Asana MCP app has http://localhost:8080/callback registered. Port 8080 is verified free (lsof -i :8080 returns nothing).

Steps to reproduce

  1. Register an Asana MCP app with http://localhost:8080/callback as redirect URI
  2. claude mcp add asana --transport http https://mcp.asana.com/v2/mcp --client-id <id> --client-secret --callback-port 8080 -s project
  3. /mcp → authenticate → ✅ initial auth succeeds with port 8080
  4. Next session, /mcp → authenticate again
  5. ❌ Asana error: "The redirect_uri parameter does not match a valid url for the application"

Observed redirect_uri values from re-auth attempts

redirect_uri=http://localhost:62322/callback
redirect_uri=http://localhost:64155/callback

Different random port each time, despite callbackPort: 8080.

What I tried (none worked)

  • Removed and re-added MCP server with explicit --callback-port 8080
  • Deleted ~/.claude/mcp-needs-auth-cache.json
  • Verified port 8080 is free at auth time
  • Verified config via claude mcp get

Expected behavior

Per the docs: "Use --callback-port to fix the port so it matches a pre-registered redirect URI of the form http://localhost:PORT/callback." Claude Code should always bind to that port and send a matching redirect_uri.

Why this matters

Enterprise OAuth providers (Asana, Salesforce, Microsoft) typically require exact redirect URI matching and don't follow RFC 8252's loopback-port-flexibility recommendation. Without callbackPort being honored on re-auth, Claude Code can't maintain authenticated MCP connections to these providers across sessions.

What Should Happen?

Asana MCP requires EXACT match for the callback port and not random ports every single time.

When callbackPort is set in an HTTP MCP server's OAuth config (via
--callback-port flag or in .mcp.json), Claude Code should bind the OAuth
callback listener to that exact port and send a matching
redirect_uri=http://localhost:PORT/callback value to the authorization server
on every auth attempt — including re-auth after token expiry.

Per the official docs: "Use --callback-port to fix the port so it matches a
pre-registered redirect URI of the form http://localhost:PORT/callback."

Initial auth honors this correctly. Subsequent re-auth attempts ignore the
configured callbackPort and use a random ephemeral port instead, breaking the
OAuth flow with any provider that does strict redirect URI matching.

Error Messages/Logs

Browser shows the Asana OAuth error page with this message:
    "Error invalid_request: The `redirect_uri` parameter does not match a valid  
  url for the application."                                                      
                                                                                 
  Captured authorization URLs from two separate re-auth attempts (client_id      
  redacted):                                                
                                                                                 
  Attempt 1:                                                
  https://app.asana.com/-/oauth_authorize?response_type=code&client_id=<redacted>
  &code_challenge=<...>&code_challenge_method=S256&redirect_uri=http%3A%2F%2Floca
  lhost%3A62322%2Fcallback&state=<...>&scope=default&resource=https%3A%2F%2Fmcp.a
  sana.com%2Fv2%2Fmcp                                                            
                                                            
  Attempt 2 (after full cache wipe + fresh re-add):                              
  https://app.asana.com/-/oauth_authorize?response_type=code&client_id=<redacted>
  &code_challenge=<...>&code_challenge_method=S256&redirect_uri=http%3A%2F%2Floca
  lhost%3A64155%2Fcallback&state=<...>&scope=default&resource=https%3A%2F%2Fmcp.a
  sana.com%2Fv2%2Fmcp                                                            
                                                            
  Both show:                                                                     
    redirect_uri=http://localhost:<random-port>/callback
                                                                                 
  Despite `claude mcp get asana` confirming:                                     
    OAuth: client_id configured, client_secret configured, callback_port 8080
                                                                                 
  No errors in Claude Code itself — the `/mcp` command and `/mcp → Authenticate` 
  flow complete normally on the client side. The failure is server-side at Asana,
   because the configured port is not being used in the actual OAuth request.    
                                                            
  Paste each into its matching field. If there's an "Environment" or "Version"   
  field, fill in: Claude Code 2.1.123, macOS Darwin 25.4.0.

Steps to Reproduce

  1. Register an Asana MCP app at https://app.asana.com/0/my-apps with redirect

URI exactly: http://localhost:8080/callback

  • App type: MCP app
  • Uncheck "This is a native or command-line app"
  1. In a terminal, configure environment and add the MCP server:

cd /path/to/project
claude mcp add asana --transport http https://mcp.asana.com/v2/mcp
--client-id <your-asana-client-id> --client-secret --callback-port 8080 -s
project
(paste client secret when prompted)

  1. Verify config: claude mcp get asana confirms callback_port 8080 is set.
  1. Verify port 8080 is free: lsof -i :8080 returns nothing.
  1. Launch Claude Code: claude
  1. Run /mcp → select asana → Authenticate

→ Browser opens to Asana auth page
→ ✅ redirect_uri in URL is http://localhost:8080/callback as expected
→ Click Allow → callback succeeds → asana shows "Connected"

  1. Close Claude Code. Open a new session the next day (or after token expiry).
  1. Run /mcp → select asana → Authenticate again

→ Browser opens to Asana auth page
→ ❌ redirect_uri in URL is http://localhost:<random-port>/callback (e.g.,
62322, 64155 — different each attempt)
→ Asana rejects: "The redirect_uri parameter does not match a valid url
for the application"

  1. Confirmed not fixable client-side via:
  • Removing and re-adding MCP server with explicit --callback-port 8080
  • Deleting ~/.claude/mcp-needs-auth-cache.json
  • Restarting Claude Code
  • Verifying claude mcp get asana still shows callback_port 8080

Claude Model

Opus

Is this a regression?

Yes, this worked in a previous version

Last Working Version

Last working version: Unknown — initial OAuth auth worked correctly on 2.1.123 (yesterday). Re-auth has never worked in any version I've tested. Related issue #10439 (closed as "not planned") was filed against 2.0.27 with similar behavior.

Claude Code Version

2.1.123

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

VS Code integrated terminal

Additional Information

_No response_

View original on GitHub ↗

This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗