MCP OAuth with pre-configured oauth.clientId still attempts DCR: 'Incompatible auth server: does not support dynamic client registration' (v2.1.172, Box remote MCP)
Bug Description
/mcp → Authenticate fails with:
SDK auth failed: Incompatible auth server: does not support dynamic client registration
even though a pre-configured OAuth client (oauth.clientId + client secret + callbackPort) is set for the server, exactly as described in the pre-configured OAuth credentials docs.
This is a post-fix reproduction of #3273 (closed 2026-05-23 with "As of 2.1.30 you can pass an explicit client ID (--client-id) ... If you still see the connection stall after providing a client ID, please open a new issue"). I am on v2.1.172 with the client ID provided, and the auth flow still attempts DCR.
Environment
- Claude Code v2.1.172 (native install), commit 1b719ca2781a
- macOS, darwin-arm64 (Darwin 25.5.0)
- MCP server: Box remote MCP,
https://mcp.box.com(streamable HTTP) - OAuth provider: Box (
https://api.box.com) — supports authorization_code + PKCE (S256), does not implement RFC 7591; there is noregistration_endpointin its RFC 8414 metadata:
$ curl -s https://api.box.com/.well-known/oauth-authorization-server | jq 'keys'
[
"authorization_endpoint", "code_challenge_methods_supported",
"grant_types_supported", "issuer", "op_policy_uri", "op_tos_uri",
"response_types_supported", "revocation_endpoint",
"revocation_endpoint_auth_methods_supported",
"service_documentation", "token_endpoint",
"token_endpoint_auth_methods_supported"
]
The resource metadata discovery works (https://mcp.box.com/.well-known/oauth-protected-resource → authorization_servers: ["https://api.box.com/"]).
Reproduction
- Register an OAuth client with Box (enterprise admin console) with redirect URI
http://localhost:5678/callback. - Add the server with pre-configured credentials:
MCP_CLIENT_SECRET='<secret>' claude mcp add-json -s user box \
'{"type":"http","url":"https://mcp.box.com","oauth":{"clientId":"<client-id>","callbackPort":5678}}' \
--client-secret
- Verify the credentials are registered:
$ claude mcp get box
box:
Scope: User config (available in all your projects)
Status: ! Needs authentication
Type: http
URL: https://mcp.box.com
OAuth: client_id configured, client_secret configured, callback_port 5678
- Start a fresh Claude Code session (config confirmed loaded —
/mcpshows the new URL). /mcp→ selectbox→ Authenticate.
Expected Behavior
With oauth.clientId configured and no registration_endpoint advertised by the authorization server, the OAuth flow should skip dynamic client registration and run the authorization-code + PKCE flow with the pre-configured client, opening the browser at https://account.box.com/api/oauth2/authorize?...&client_id=<client-id>&redirect_uri=http://localhost:5678/callback.
Actual Behavior
Box MCP Server
Status: ✘ failed
Issue: Incompatible auth server: does not support dynamic client registration
Auth: ✘ not authenticated
URL: https://mcp.box.com
Config location: /Users/<user>/.claude.json
SDK auth failed: Incompatible auth server: does not support dynamic client registration
Selecting Authenticate produces the same error; no browser window is opened.
Additional Notes
- Same outcome whether the entry is added via
claude mcp add-json ... --client-secretor by editing~/.claude.jsondirectly. - The status line error appears immediately on opening the server detail view (before pressing Authenticate), which matches reports in #3273 that the connection/status path performs DCR discovery unconditionally.
- Box's own Claude Code integration guide (https://developer.box.com/guides/box-mcp/integrations/claude-code) documents
claude mcp add box --transport http https://mcp.box.com, which can never work while this bug exists, since Box has no DCR and Claude Code ignores the pre-configured client in this path.
This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗