MCP OAuth with pre-configured oauth.clientId still attempts DCR: 'Incompatible auth server: does not support dynamic client registration' (v2.1.172, Box remote MCP)

Open 💬 1 comment Opened Jun 10, 2026 by sean-S2G

Bug Description

/mcp → Authenticate fails with:

SDK auth failed: Incompatible auth server: does not support dynamic client registration

even though a pre-configured OAuth client (oauth.clientId + client secret + callbackPort) is set for the server, exactly as described in the pre-configured OAuth credentials docs.

This is a post-fix reproduction of #3273 (closed 2026-05-23 with "As of 2.1.30 you can pass an explicit client ID (--client-id) ... If you still see the connection stall after providing a client ID, please open a new issue"). I am on v2.1.172 with the client ID provided, and the auth flow still attempts DCR.

Environment

  • Claude Code v2.1.172 (native install), commit 1b719ca2781a
  • macOS, darwin-arm64 (Darwin 25.5.0)
  • MCP server: Box remote MCP, https://mcp.box.com (streamable HTTP)
  • OAuth provider: Box (https://api.box.com) — supports authorization_code + PKCE (S256), does not implement RFC 7591; there is no registration_endpoint in its RFC 8414 metadata:
$ curl -s https://api.box.com/.well-known/oauth-authorization-server | jq 'keys'
[
  "authorization_endpoint", "code_challenge_methods_supported",
  "grant_types_supported", "issuer", "op_policy_uri", "op_tos_uri",
  "response_types_supported", "revocation_endpoint",
  "revocation_endpoint_auth_methods_supported",
  "service_documentation", "token_endpoint",
  "token_endpoint_auth_methods_supported"
]

The resource metadata discovery works (https://mcp.box.com/.well-known/oauth-protected-resourceauthorization_servers: ["https://api.box.com/"]).

Reproduction

  1. Register an OAuth client with Box (enterprise admin console) with redirect URI http://localhost:5678/callback.
  2. Add the server with pre-configured credentials:
MCP_CLIENT_SECRET='<secret>' claude mcp add-json -s user box \
  '{"type":"http","url":"https://mcp.box.com","oauth":{"clientId":"<client-id>","callbackPort":5678}}' \
  --client-secret
  1. Verify the credentials are registered:
$ claude mcp get box
box:
  Scope: User config (available in all your projects)
  Status: ! Needs authentication
  Type: http
  URL: https://mcp.box.com
  OAuth: client_id configured, client_secret configured, callback_port 5678
  1. Start a fresh Claude Code session (config confirmed loaded — /mcp shows the new URL).
  2. /mcp → select box → Authenticate.

Expected Behavior

With oauth.clientId configured and no registration_endpoint advertised by the authorization server, the OAuth flow should skip dynamic client registration and run the authorization-code + PKCE flow with the pre-configured client, opening the browser at https://account.box.com/api/oauth2/authorize?...&client_id=<client-id>&redirect_uri=http://localhost:5678/callback.

Actual Behavior

Box MCP Server

  Status:           ✘ failed
  Issue:            Incompatible auth server: does not support dynamic client registration
  Auth:             ✘ not authenticated
  URL:              https://mcp.box.com
  Config location:  /Users/<user>/.claude.json

  SDK auth failed: Incompatible auth server: does not support dynamic client registration

Selecting Authenticate produces the same error; no browser window is opened.

Additional Notes

  • Same outcome whether the entry is added via claude mcp add-json ... --client-secret or by editing ~/.claude.json directly.
  • The status line error appears immediately on opening the server detail view (before pressing Authenticate), which matches reports in #3273 that the connection/status path performs DCR discovery unconditionally.
  • Box's own Claude Code integration guide (https://developer.box.com/guides/box-mcp/integrations/claude-code) documents claude mcp add box --transport http https://mcp.box.com, which can never work while this bug exists, since Box has no DCR and Claude Code ignores the pre-configured client in this path.

View original on GitHub ↗

This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗