[BUG]
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
Claude Code CIMD metadata missing application_type: native
Claude Code's Client ID Metadata Document (CIMD) does not declareapplication_type: native. Claude Code is a native application (CLI tool) and its metadata should
reflect this per OpenID Connect Dynamic Client Registration 1.0.
The absence of this field causes
our authorization server to reject Claude Code's authorization requests when
it uses a randomly assigned ephemeral port on a loopback redirect URI.
Claude Code's metadata document declares the following redirect URIs:
http://localhost/callback
http://127.0.0.1/callback
But sends the following (example) redirect url
redirect_uri=http://127.0.0.1:52163/callback
An overly strict authorization server performs exact string matching between the requestedredirect_uri and the registered ones. http://127.0.0.1:52163/callback does not matchhttp://127.0.0.1/callback, so the request is rejected with invalid_redirect_uri.
The authorization server should apply port-agnostic matching for loopback redirect URIs per
RFC 8252 §7.3. This matching is gated on the client declaring application_type: native.
With that field present, http://127.0.0.1:52163/callback correctly matches the registeredhttp://127.0.0.1/callback regardless of port.
While missing the application_type: native property is not strictly dissallowed by the RFC, overly strict enterprise servers that implements OpenID Connect Dynamic Client Registration and gates
RFC 8252 §7.3 loopback port-agnostic matching on application_type: native will reject Claude Code's authorization requests.
This affects all MCP integrations that rely on Claude Code's OAuth flow against such servers.
What Should Happen?
The client metadata should contain application_type: native per the RFC
Error Messages/Logs
Steps to Reproduce
- Have an auth server that blocks loopback port-agnostic matching for non native apps.
- Try and connect to it using CIMD
Claude Model
Not sure / Multiple models
Is this a regression?
No, this never worked
Last Working Version
_No response_
Claude Code Version
2.1.159
Platform
Anthropic API
Operating System
macOS
Terminal/Shell
Other
Additional Information
_No response_
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗