[FEATURE] Allow configurable OAuth redirect URI (host + path), not just callbackPort, in MCP server definitions

Open 💬 2 comments Opened Jun 9, 2026 by sergejomon

Preflight Checklist

  • [x] I have searched existing requests and this feature hasn't been requested yet
  • [x] This is a single feature request (not multiple features)

Problem Statement

Organizations that enforce an exact-match redirect-URI allowlist on a remote MCP server's OAuth flow cannot authenticate from Claude Code.

When Claude Code performs the loopback OAuth flow for an HTTP/SSE MCP server, it builds the redirect URI as:

http://localhost:<port>/callback

Only the port is configurable — via --callback-port, the oauth.callbackPort config field, or the MCP_OAUTH_CALLBACK_PORT env var. The host (localhost) and path (/callback) are hardcoded. There is no way to make Claude Code emit a redirect URI on a different host (e.g. 127.0.0.1) or path (e.g. /mcp/oauth/callback).

If the org's allowlist requires a specific host/path that Claude Code can't produce, authentication is impossible from Claude Code — even though the same MCP server authenticates fine from other clients that allow a fully custom redirect URI.

Proposed Solution

Support a full, user-specified oauth.redirectUri in the MCP server definition, e.g.:

"atlassian": {
  "type": "http",
  "url": "https://mcp.atlassian.com/v1/mcp",
  "oauth": {
    "redirectUri": "http://127.0.0.1:19876/mcp/oauth/callback"
  }
}

When set, Claude Code would use that exact value as the OAuth redirect_uri and bind its loopback listener to the matching host/port/path.

At minimum, expose the host (127.0.0.1 vs localhost) and callback path as configurable fields alongside the existing callbackPort.

Alternative Solutions

  • --callback-port / oauth.callbackPort / MCP_OAUTH_CALLBACK_PORT — lets me match the port but not the host or path, so it does not solve the exact-match case.
  • Asking the org to add Claude Code's http://localhost:<port>/callback to the allowlist — not always possible; many orgs maintain a single, fixed, pre-approved redirect URI.
  • opencode supports a full oauth.redirectUri field and authenticates successfully against the same server with the org-mandated URI, which is the behavior being requested here.

Priority

High - Significant impact on productivity

Feature Category

MCP server integration

Use Case Example

  1. Our org's Atlassian remote MCP (https://mcp.atlassian.com/v1/mcp) only permits the redirect URI http://127.0.0.1:19876/mcp/oauth/callback.
  2. In opencode I set oauth.redirectUri to that value and OAuth succeeds.
  3. In Claude Code I can set oauth.callbackPort: 19876, but Claude Code still emits http://localhost:19876/callback — wrong host and path — so the auth server rejects the redirect.
  4. With a configurable oauth.redirectUri, Claude Code would emit the exact allowed URI and authentication would succeed.

Additional Context

  • Verified against Claude Code v2.1.169. The loopback redirect is built as http://localhost:${port}/callback; default port 3118.
  • Configurable knobs found: --callback-port, oauth.callbackPort, MCP_OAUTH_CALLBACK_PORT. No knob exists for host or path.
  • Related issues touching the same redirect-URI-mismatch class: #47975, #58091, #58735, #10439, #66508.
  • Prior art: opencode's MCP config accepts oauth.redirectUri for exactly this scenario.

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗