OAuth login link corrupted with Unicode homoglyphs after session disconnect
Bug: OAuth login link corrupted with Unicode homoglyphs after session disconnect
Environment: Claude Code CLI, macOS (Darwin 25.4.0)
Description
During long-running sessions, the client occasionally disconnects and prompts a re-login via an OAuth link (https://claude.ai/oauth/authorize?...). The generated link is corrupted: several ASCII characters in parameter names/values are replaced with visually-similar Unicode homoglyphs, and stray spaces (encoded as +) are inserted mid-token. This breaks the PKCE flow — clicking the link returns "Richiesta Oauth non valida, parametro code_challenge mancante" (invalid OAuth request, code_challenge parameter missing).
This is recurring, not a one-off.
Example (raw link as received)
https://claude.ai/oauth/authorize?code=true&client_id=9d1c250a-e61b-44d9-88ed-5944d1962f5e&response_type=code&redirect_uri=https4%2F%2Fplatform.claude.+com%2Foauth%2Fcode%2Fcallback&scope=0+rg%3Acreate_api_key+user%3Aprofile+user%3Ainference+user%3Asessions%3Aclaude_code+use1%3Amcp_servers+use%C4%B1%3Afile_upload&code_ch%D0%B0l1eng%D0%B5=m%D0%95W%D0%9C9R7r11WJ39%D0%A5%D0%B5ypunTnnxnwCcYIWwBsuxh_fYIeI&code_challenge_m+ethod=S256&state=x%E2%80%94JhnQzwmn98pv1oZP%E2%80%948%E2%80%94FMOsIaQpM-hkbR4hEuQr5o
Corruption pattern (decoded)
| Fragment | Should be | Corruption |
|---|---|---|
| code_ch%D0%B0l1eng%D0%B5 | code_challenge | Cyrillic а (U+0430), е (U+0435) swapped for Latin a/e; "1" for "l" |
| use1%3Amcp_servers | user%3Amcp_servers | "1" for "r" |
| use%C4%B1%3Afile_upload | user%3Afile_upload | Turkish dotless ı (U+0131) for "r" |
| 0+rg%3Acreate_api_key | org%3Acreate_api_key | "o"→"0" + inserted space splits "org" |
| https4%2F%2Fplatform.claude.+com | https%3A%2F%2Fplatform.claude.com | "%3A" (:) replaced with "4"; inserted space splits domain |
| code_challenge_m+ethod | code_challenge_method | inserted space splits param name |
| state=x%E2%80%94Jhn... | (hyphens expected) | em-dash U+2014 substituted for - throughout |
| code_challenge value itself | — | contains further Cyrillic look-alikes (%D0%95=Е, %D0%9C=М, %D0%A5=Х, %D0%B5=е) mixed into the base64url string |
Single ASCII characters are systematically replaced by visually-similar Unicode codepoints (Cyrillic/Turkish homoglyphs) plus random inserted spaces. The failure is not server-side — the emitted link itself is not the intended byte string.
Expected
A valid, clickable OAuth link that completes the PKCE re-auth flow after a mid-session disconnect.
Actual
Corrupted link → claude.ai rejects it with "invalid OAuth request, code_challenge parameter missing" — login flow cannot be completed via the provided link.
Impact
Recurring during long-running Claude Code sessions; blocks re-authentication after disconnect, forcing workarounds (manual re-login outside the provided link).