HTTP MCP client doesn't follow OAuth authorization redirects, kills session with uncaught Unauthorized
Summary
When an HTTP-transport MCP server requiring OAuth is added to .mcp.json, Claude Code initiates the OAuth flow but logs "Redirection handling is disabled, skipping redirect" and then throws an uncaught Error: Unauthorized from inside the bundled CLI. The exception propagates up and exits the session. After the first crash, a cached needs-auth flag prevents subsequent sessions in the same project from retrying — but every fresh project/worktree without that cache hits the same crash.
This makes the entire class of "remote MCP server via OAuth" effectively unusable on Claude Code today, including Sentry's official hosted MCP at https://mcp.sentry.dev.
Reproduction
- Create a project-level
.mcp.json:
{
"mcpServers": {
"sentry": {
"type": "http",
"url": "https://mcp.sentry.dev/mcp"
}
}
}
- Launch
claudein that project, accept the trust prompt - Within ~1 second of MCP connection, the session crashes silently
- No prompt to complete OAuth in a browser ever appears
- Subsequent launches in the same project show
"Skipping connection (cached needs-auth)"and don't retry — but new worktrees / projects without the cache repeat the crash
Death signature in the MCP cache log
%LOCALAPPDATA%\claude-cli-nodejs\Cache\<project>\mcp-logs-sentry\<timestamp>.jsonl:
{"debug":"Initializing HTTP transport to https://mcp.sentry.dev/mcp"}
{"debug":"No token data found"}
{"debug":"HTTP transport options: {\"url\":\"https://mcp.sentry.dev/mcp\",\"hasAuthProvider\":true,\"timeoutMs\":60000}"}
{"debug":"Starting connection with timeout of 30000ms"}
{"debug":"Saving discovery state (authServer: https://mcp.sentry.dev/)"}
{"debug":"No access token in storage"}
{"debug":"Generated new OAuth state"}
{"debug":"Saving code verifier"}
{"debug":"Authorization URL: https://mcp.sentry.dev/oauth/authorize?response_type=code&client_id=...&code_challenge=...&code_challenge_method=S256&redirect_uri=http%3A%2F%2Flocalhost%3A3118%2Fcallback&state=..."}
{"debug":"Scopes in URL: NOT FOUND"}
{"debug":"No scopes available from URL or metadata"}
{"debug":"Redirection handling is disabled, skipping redirect"}
{"debug":"HTTP Connection failed after 1057ms: Unauthorized (code: none, errno: none)"}
{"error":"Error: Unauthorized\n at send (B:/~BUN/root/src/entrypoints/cli.js:892:35837)\n at processTicksAndRejections (native:7:39)"}
{"debug":"Authentication required for HTTP server"}
The local callback server (http://localhost:3118/callback) is set up correctly in the URL, but redirection handling is explicitly disabled before the redirect can fire — so the user's browser never opens, OAuth can never complete, and the connection fails with Unauthorized.
Suggested fix
Either:
- Enable browser-redirect handling for OAuth-based HTTP MCP servers — open the user's default browser to the authorization URL, run the callback server on the configured port, complete the code-for-token exchange, persist the token, then retry the connection. This is what the Sentry MCP and other OAuth-based remote MCPs expect.
- If redirect handling is intentionally disabled for security/sandbox reasons, surface a clear error to the user (e.g., "Sentry MCP requires OAuth authentication. Run
claude mcp authenticate sentryto complete the flow.") and catch theUnauthorizedso it doesn't kill the session. Then provide a separateclaude mcp authenticate <name>subcommand that runs the OAuth flow outside an active session.
The current behavior — silently dying with no UI for the user to complete auth — is the worst of both worlds.
Workaround
Don't use OAuth-based HTTP MCP servers in .mcp.json. Use stdio-transport MCP servers with token-based auth (e.g., npx @sentry/mcp-server --access-token=...) or shell out to the vendor's CLI tools.
Environment
- OS: Windows 11 ARM64 (10.0.26200)
- Shell: PowerShell 7.6.1
- Node: v24.3.0 (logged by the Sentry MCP probe; NOT the Node version used to run Claude Code itself, which is v20.19.2 x64)
- Claude Code: 2.1.132 (auto-updated from 2.1.131 mid-session)
- MCP server tested: Sentry's official hosted MCP at
https://mcp.sentry.dev/mcp
Related
Filed alongside #56938 (the orphaned-plugin autoupdate crash). Both are silent-exit-on-Windows bugs surfaced during the same investigation. Different code paths, related symptom class.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗