[BUG] MCP OAuth discovery fails with path-based routing - strips application path from discovery URLs

Resolved 💬 6 comments Opened Oct 10, 2025 by 4scottt Closed Jan 15, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

When connecting to an MCP server with OAuth authentication deployed behind path-based routing (e.g., Kubernetes ingress, API gateways, reverse proxies), Claude Code fails to authenticate because it looks for OAuth discovery endpoints at the domain root instead of preserving the application path.

For example, when the MCP endpoint is:
https://api-gateway.example.com/myapp/mcp-server/mcp

Claude Code looks for OAuth discovery at:
https://api-gateway.example.com/.well-known/oauth-authorization-server (404 Not Found)

Instead of the correct path:
https://api-gateway.example.com/myapp/mcp-server/.well-known/oauth-authorization-server

This makes it impossible to use OAuth authentication with MCP servers deployed at application paths, which is a standard enterprise deployment pattern.

What Should Happen?

According to RFC 8414 (OAuth 2.0 Authorization Server Metadata), OAuth discovery should be relative to the authorization server's base URL.

Claude Code should preserve the application path from the MCP endpoint URL when constructing OAuth discovery URLs. If the MCP endpoint is at:
https://api-gateway.example.com/myapp/mcp-server/mcp

The OAuth discovery endpoint should be accessed at:
https://api-gateway.example.com/myapp/mcp-server/.well-known/oauth-authorization-server

This is the path relative to the MCP endpoint and compliant with RFC 8414.

Error Messages/Logs

Error: HTTP 404: Invalid OAuth error response: [
  {
    "code": "invalid_type",
    "expected": "string",
    "received": "undefined",
    "path": ["error"]
  }
]
Raw body: {
  "message": "no route matched with those values",
  "request_id": "..."
}

Steps to Reproduce

  1. Deploy an MCP server with OAuth support at a path-based URL behind an API gateway or Kubernetes ingress:
  1. Implement RFC 8414 OAuth discovery endpoint that returns:

{
"issuer": "https://api-gateway.example.com/myapp/mcp-server",
"authorization_endpoint": "https://api-gateway.example.com/myapp/mcp-server/oauth/login",
"token_endpoint": "https://api-gateway.example.com/myapp/mcp-server/oauth/token",
"response_types_supported": ["code"],
"grant_types_supported": ["authorization_code"]
}

  1. Configure Claude Code to connect:

{
"mcpServers": {
"my-server": {
"type": "http",
"url": "https://api-gateway.example.com/myapp/mcp-server/mcp"
}
}
}

  1. Start Claude Code and attempt to use the MCP server
  1. When prompted for authentication, observe that Claude Code fails with a 404 error

Expected: OAuth discovery succeeds at the correct path-relative endpoint
Actual: OAuth discovery fails because Claude Code looks at the domain root instead of preserving the application path

Workaround: Deploy MCP server at domain root (https://mcp-server.example.com/mcp) - not feasible for shared infrastructure.

Claude Model

Sonnet (default)

Is this a regression?

No, this never worked

Last Working Version

_No response_

Claude Code Version

2.0.13

Platform

AWS Bedrock

Operating System

macOS

Terminal/Shell

Terminal.app (macOS)

Additional Information

Technical Root Cause:
The MCP client appears to extract only the hostname from the MCP endpoint URL when constructing OAuth discovery URLs, discarding the application path entirely.

Expected URL construction:
const mcpUrl = "https://api-gateway.example.com/myapp/mcp-server/mcp";
const url = new URL(mcpUrl);
const basePath = url.pathname.replace(/\/mcp$/, '');
const discoveryUrl = ${url.origin}${basePath}/.well-known/oauth-authorization-server;
// Result: "https://api-gateway.example.com/myapp/mcp-server/.well-known/oauth-authorization-server" ✅

Current (buggy) behavior:
const mcpUrl = "https://api-gateway.example.com/myapp/mcp-server/mcp";
const url = new URL(mcpUrl);
const discoveryUrl = ${url.origin}/.well-known/oauth-authorization-server;
// Result: "https://api-gateway.example.com/.well-known/oauth-authorization-server" ❌

Impact:
This bug affects all MCP servers deployed using:

  • Path-based routing in Kubernetes ingress controllers
  • API gateways with path prefixes
  • Reverse proxies with application path routing
  • Any shared infrastructure deployment where the MCP server is not at the domain root

Related Standards:

  • RFC 8414 (OAuth 2.0 Authorization Server Metadata) specifies that discovery should be relative to the authorization server's issuer URL

Related Issues:
This may be related to Issue #7290 (HTTP/SSE MCP Transport Ignores Authentication Headers)

The issue also affects MCP Inspector (browser-based MCP client) with the same path-stripping behavior.

View original on GitHub ↗

This issue has 6 comments on GitHub. Read the full discussion on GitHub ↗