[BUG] Claude Code MCP client ignores scopes_supported from OAuth protected resource metadata, preventing refresh token issuance
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
Claude Code's MCP client fails to include OAuth scopes in authorization requests, even when the MCP server correctly provides scopes_supported in the OAuth protected resource metadata. This results in authorization requests without the offline_access scope, preventing refresh token issuance and causing authentication timeouts every 5 minutes.
What Should Happen?
Expected Behavior:
- Claude Code should read scopes_supported from the MCP server's /.well-known/oauth-protected-resource endpoint
- Include those scopes in OAuth authorization requests
- Receive refresh tokens when offline_access scope is supported
- Automatically refresh tokens to maintain persistent authentication
Error Messages/Logs
Debug Logs:
[DEBUG] MCP server "basic-memory": Fetched OAuth metadata with scope: NONE
[DEBUG] MCP server "basic-memory": Scopes in URL: NOT FOUND
[DEBUG] MCP server "basic-memory": No scopes available from URL or metadata
[DEBUG] MCP server "basic-memory": ERROR: No scopes stored to add to token request!
[DEBUG] MCP server "basic-memory": Has refresh token: false
[DEBUG] MCP server "basic-memory": Token expires in: 300
Steps to Reproduce
Actual Behavior:
- Claude Code fetches OAuth metadata but logs "Fetched OAuth metadata with scope: NONE"
- Authorization URLs are generated without any scope parameter
- OAuth authorization requests exclude the offline_access scope
- No refresh tokens are issued, causing re-authentication every 5 minutes
Reproduction Steps:
- Set up an MCP server with OAuth using WorkOS AuthKit (or similar provider)
- Configure the server to return scopes_supported: ["openid", "profile", "email", "offline_access"] in /.well-known/oauth-protected-resource
- Connect to the MCP server via Claude Code with debug logging enabled
- Observe the authorization URL in debug logs - it will be missing the scope parameter
Correct OAuth Protected Resource Metadata:
{
"resource": "https://mcp.basicmemory.com/mcp",
"authorization_servers": ["https://eloquent-lotus-05.authkit.app/"],
"scopes_supported": ["openid", "profile", "email", "offline_access"],
"bearer_methods_supported": ["header"]
}
Environment:
- Claude Code version: 1.0.117
- Platform: macOS (also affects other platforms)
- MCP server: WorkOS AuthKit with Dynamic Client Registration
Impact:
- High: Prevents extended MCP usage sessions
- Users must manually re-authenticate every 5 minutes
- Makes MCP servers with OAuth authentication practically unusable for development work
Comparison with Other Claude Clients:
- Claude Desktop, Web, and Mobile handle OAuth refresh tokens correctly with the same MCP server
- Only Claude Code exhibits this issue, suggesting a client-specific OAuth implementation problem
Technical Details:
The issue appears to be in Claude Code's MCP OAuth client implementation where it's not properly parsing or using the scopes_supported field from the OAuth
protected resource metadata when constructing authorization requests.
Workaround:
None available. Users must manually re-authenticate every 5 minutes.
Claude Model
Sonnet (default)
Is this a regression?
I don't know
Last Working Version
_No response_
Claude Code Version
Claude Code v1.0.117
Platform
Anthropic API
Operating System
macOS
Terminal/Shell
PyCharm terminal
Additional Information
_No response_
21 Comments
Found 3 possible duplicate issues:
This issue will be automatically closed as a duplicate in 3 days.
🤖 Generated with Claude Code
This issue has been inactive for 30 days. If the issue is still occurring, please comment to let us know. Otherwise, this issue will be automatically closed in 30 days for housekeeping purposes.
This is still an issue
Still an issue
Still an issue
still an issue
still an issue
still an issue
This should be a very high priority bug
still an issue
Was it fixed in v2.1.63? https://github.com/anthropics/claude-code/issues/5706#issuecomment-3987593079
Still an issue on v2.1.81 (macOS) — but with a twist: refresh token IS present, just not used across sessions
I'm hitting frequent re-authentication with the official Slack MCP plugin. Every new Claude Code session requires a browser OAuth flow, even though valid tokens exist in the Keychain.
Key finding: unlike the original report where no refresh token was issued, my Keychain entry (
Claude Code-credentials→mcpOAuth) does contain both anaccessTokenand arefreshTokenfor Slack:So it seems like Slack's MCP server is now issuing refresh tokens (possibly the scopes issue was fixed on their end), but Claude Code isn't using the refresh token to silently renew the access token on session start. Instead it prompts for a full re-auth.
Environment:
Claude Code-credentials)This suggests the scope of this bug may have shifted — even when
offline_access/ refresh tokens are available, the MCP OAuth client isn't consuming them correctly on session restart.Still an issue
If you need
offline_accessor custom scopes that Claude Code doesn't send, mcp-stdio can act as a stdio bridge with its own OAuth 2.1 client. It handles RFC 9728/8414 discovery, PKCE, and token refresh independently from Claude Code.Tokens are persisted in
~/.mcp-stdio/tokens.jsonand refreshed automatically on 401, so re-authentication shouldn't be needed until the refresh token itself expires.Still an issue
I am really frustrated with this one, we are waiting months for fix for something so simple, in order to use CC in our company with our company MCP - we must support this basic capability of AOuth.
Why is it taking so long to fix it?? other vendors have it, we eventually will give up on Claude Code/Desktop for them, why this isn't fix/prioritized guys?
Any updates?
+1, Still an issue, besides ignoring the Scopes Suppoted, the Authorization Servers are also ignored.
Still an issue +1
FYI.
https://code.claude.com/docs/en/mcp#restrict-oauth-scopes
Thank you for taking the time to report this.
We're currently triaging open MCP issues, and this one is being closed in favor of tracking it in #4540, which covers the OAuth client omitting the
scopeparameter from the authorization request even whenscopes_supportedis advertised in the protected resource discovery metadata. Please follow that issue for updates and feel free to add any additional context there.The refresh token consumption behavior raised later in this thread is a separate code path; if you are hitting that specifically, please open a fresh issue so it does not get lost under the scope discussion.