[FEATURE] Allow configurable OAuth redirect URI (host + path), not just callbackPort, in MCP server definitions
Preflight Checklist
- [x] I have searched existing requests and this feature hasn't been requested yet
- [x] This is a single feature request (not multiple features)
Problem Statement
Organizations that enforce an exact-match redirect-URI allowlist on a remote MCP server's OAuth flow cannot authenticate from Claude Code.
When Claude Code performs the loopback OAuth flow for an HTTP/SSE MCP server, it builds the redirect URI as:
http://localhost:<port>/callback
Only the port is configurable — via --callback-port, the oauth.callbackPort config field, or the MCP_OAUTH_CALLBACK_PORT env var. The host (localhost) and path (/callback) are hardcoded. There is no way to make Claude Code emit a redirect URI on a different host (e.g. 127.0.0.1) or path (e.g. /mcp/oauth/callback).
If the org's allowlist requires a specific host/path that Claude Code can't produce, authentication is impossible from Claude Code — even though the same MCP server authenticates fine from other clients that allow a fully custom redirect URI.
Proposed Solution
Support a full, user-specified oauth.redirectUri in the MCP server definition, e.g.:
"atlassian": {
"type": "http",
"url": "https://mcp.atlassian.com/v1/mcp",
"oauth": {
"redirectUri": "http://127.0.0.1:19876/mcp/oauth/callback"
}
}
When set, Claude Code would use that exact value as the OAuth redirect_uri and bind its loopback listener to the matching host/port/path.
At minimum, expose the host (127.0.0.1 vs localhost) and callback path as configurable fields alongside the existing callbackPort.
Alternative Solutions
--callback-port/oauth.callbackPort/MCP_OAUTH_CALLBACK_PORT— lets me match the port but not the host or path, so it does not solve the exact-match case.- Asking the org to add Claude Code's
http://localhost:<port>/callbackto the allowlist — not always possible; many orgs maintain a single, fixed, pre-approved redirect URI. - opencode supports a full
oauth.redirectUrifield and authenticates successfully against the same server with the org-mandated URI, which is the behavior being requested here.
Priority
High - Significant impact on productivity
Feature Category
MCP server integration
Use Case Example
- Our org's Atlassian remote MCP (
https://mcp.atlassian.com/v1/mcp) only permits the redirect URIhttp://127.0.0.1:19876/mcp/oauth/callback. - In opencode I set
oauth.redirectUrito that value and OAuth succeeds. - In Claude Code I can set
oauth.callbackPort: 19876, but Claude Code still emitshttp://localhost:19876/callback— wrong host and path — so the auth server rejects the redirect. - With a configurable
oauth.redirectUri, Claude Code would emit the exact allowed URI and authentication would succeed.
Additional Context
- Verified against Claude Code v2.1.169. The loopback redirect is built as
http://localhost:${port}/callback; default port3118. - Configurable knobs found:
--callback-port,oauth.callbackPort,MCP_OAUTH_CALLBACK_PORT. No knob exists for host or path. - Related issues touching the same redirect-URI-mismatch class: #47975, #58091, #58735, #10439, #66508.
- Prior art: opencode's MCP config accepts
oauth.redirectUrifor exactly this scenario.
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗