Fix MCP OAuth CIMD redirect_uris Port Mismatch (-32000/invalid_redirect_uri) in Claude Code 2.1.80+ for Granola, Slack, and All CIMD-Enabled MCP Providers
Starting in Claude Code v2.1.80, a new clientMetadataUrl getter on the MCP OAuth provider class causes every provider that supports Client ID Metadata Documents (CIMD, per IETF OAuth 2.1 draft-ietf-oauth-v2-1-13 §8.4.2) to receive portless redirect_uris (http://localhost/callback) while the local OAuth callback server binds to port 3118 (or custom MCP_OAUTH_CALLBACK_PORT). This mismatch triggers invalid_redirect_uri errors for ALL CIMD-supporting MCP providers — confirmed for Granola (mcp.granola.ai) and Slack (mcp.slack.com), but affects any provider advertising client_id_metadata_document_supported: true. Root cause identified via binary diffing of cli.js between v2.1.79 (last working) and v2.1.81 (broken). Three solutions: downgrade to v2.1.79, verify via diff diagnostic, and clear the Keychain cache that blocks retry. OAuth 2.1 standard (§8.4.2) explicitly requires allowing any port, making the portless published metadata non-compliant as well.
Symptoms
- OAuth redirect fails with 'redirect_uri did not match any configured URIs' or 'invalid_redirect_uri'
- MCP server authentication fails for providers advertising client_id_metadata_document_supported: true
- Browser opens briefly then shows auth error immediately
- After first failure, subsequent auth attempts skip OAuth flow entirely (keychain caches empty token)
Error signatures
redirect_uri did not match any configured URIs. Passed URI: http://localhost:3118/callback
invalid_redirect_uri
OAuth 2.1 CIMD metadata document contains portless redirect_uris [http://localhost/callback, http://127.0.0.1/callback]
Possible causes
- In v2.1.80, the MCP OAuth provider gained a clientMetadataUrl getter that always returns a value (defaults to https://claude.ai/oauth/claude-code-client-metadata), where previously this property was undefined
- When clientMetadataUrl is defined AND the provider advertises client_id_metadata_document_supported: true, Claude Code uses the published metadata document instead of dynamic client registration — but the published metadata has portless URIs
- The local OAuth callback server binds to port 3118 (or MCP_OAUTH_CALLBACK_PORT), creating a URI mismatch: http://localhost:3118/callback vs http://localhost/callback
- Before v2.1.80, clientMetadataUrl was undefined, so the flow fell through to dynamic client registration which sends the correct redirect_uris WITH port
Solutions
Clear Keychain Cache After OAuth Failure (Enables Retry — Secondary Issue Fix)
When MCP OAuth fails due to the CIMD regression, Claude Code caches an empty accessToken with expiresAt: 0 in the macOS Keychain (separate issue #29934). On subsequent sessions, it sees this cached entry and skips the OAuth flow entirely — the browser never opens again. Clearing this cache allows a fresh auth attempt after the CIMD regression is resolved or when switching providers. This is critical because users cannot even retry auth without this step.
- Identify the Keychain entry: `security find-generic-password -s 'Claude Code'`
- Delete the stale entry: `security delete-generic-password -s 'Claude Code'`
- Confirm deletion: re-run the find command to verify no entry exists
- Restart Claude Code and attempt MCP OAuth authentication again
Commands
security find-generic-password -s 'Claude Code' 2>/dev/null
security delete-generic-password -s 'Claude Code' 2>/dev/null
security find-generic-password -s 'Claude Code' 2>&1
Risks
- Clearing the keychain entry removes ALL cached MCP OAuth tokens — every configured MCP server with OAuth will require re-authentication on next use
- This is a macOS-only workaround; Linux users check ~/.claude/credentials or the equivalent secret store
Verification
- Step 1: Run `security find-generic-password -s 'Claude Code' 2>&1` → expect: either shows valid credentials OR 'The specified item could not be found' after deletion
- Step 2: After clearing, restart Claude Code and run `/mcp` to view server status → expect: affected servers show as 'disconnected' or prompt for re-auth
- Step 3: Connect to an MCP server with OAuth → expect: browser opens for fresh OAuth flow (not silently skipped)
Verify the CIMD Bug via cli.js Diff Between v2.1.79 and v2.1.81 (Diagnostic)
Before applying fixes, confirm the CIMD regression is the root cause by diffing the bundled cli.js between the last working version (2.1.79) and affected versions (≥2.1.80). The key change is the addition of a `get clientMetadataUrl()` getter on the OAuth provider class that was previously undefined. This diagnostic step confirms whether your version is affected and validates the root cause.
- Install both versions: `npm install -g @anthropic-ai/claude-code@2.1.79` and note the cli.js path
- Install affected version: `npm install -g @anthropic-ai/claude-code@2.1.81`
- Search for the clientMetadataUrl getter in each version's cli.js
- Compare: v2.1.79 should NOT contain 'clientMetadataUrl' in the OAuth provider context; v2.1.81 should
- Verify the published CIMD metadata: `curl -s https://claude.ai/oauth/claude-code-client-metadata | python3 -m json.tool` → confirm redirect_uris are portless
Commands
npm install -g @anthropic-ai/claude-code@2.1.79
npm install -g @anthropic-ai/claude-code@2.1.81
grep -c 'clientMetadataUrl' $(which claude) 2>/dev/null || grep -c 'clientMetadataUrl' ~/.nvm/versions/node/*/lib/node_modules/@anthropic-ai/claude-code/cli.js 2>/dev/null
curl -s https://claude.ai/oauth/claude-code-client-metadata | python3 -c "import json,sys; d=json.load(sys.stdin); print(json.dumps(d.get('redirect_uris',[]), indent=2))"Risks
- Installing multiple versions may conflict; uninstall between tests with `npm uninstall -g @anthropic-ai/claude-code`
- grep on the minified cli.js may return false positives — look for the pattern near 'oauth' or 'provider' class context
Verification
- Step 1: Run `grep -c 'clientMetadataUrl' $(npm root -g)/@anthropic-ai/claude-code/cli.js` on v2.1.81 → expect: count > 0 (getter present)
- Step 2: Run same grep on v2.1.79 → expect: count = 0 (getter absent, dynamic registration path used)
- Step 3: Run `curl -s https://claude.ai/oauth/claude-code-client-metadata | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('redirect_uris',[]))"` → expect: shows portless URIs like ['http://localhost/callback', 'http://127.0.0.1/callback']
Downgrade to Claude Code v2.1.79 (Last Known Working Version — Immediate Fix)
The simplest immediate fix is to downgrade to v2.1.79, the last version before the clientMetadataUrl getter was introduced. This bypasses the CIMD code path entirely and restores dynamic client registration with correct redirect_uris that include the port. Confirmed working across multiple community reports.
- Check current version: run `claude --version` to confirm you are on 2.1.80 or later
- Stop all running Claude Code sessions and subprocesses
- Install v2.1.79 via npm: `npm install -g @anthropic-ai/claude-code@2.1.79`
- OR for native/binary install: `curl -fsSL https://claude.ai/install.sh | bash -s 2.1.79`
- Clear the macOS Keychain cache of stale OAuth tokens (prevents the secondary issue of skipped auth attempts)
- Restart Claude Code and retry MCP OAuth authentication for the affected provider
Commands
claude --version
npm install -g @anthropic-ai/claude-code@2.1.79
curl -fsSL https://claude.ai/install.sh | bash -s 2.1.79
security delete-generic-password -s 'Claude Code' 2>/dev/null
npm view @anthropic-ai/claude-code@2.1.79 version
Risks
- Running v2.1.79 means missing security fixes and feature updates from versions 2.1.80+
- npm may require --force if the installed version is newer (use `npm install -g --force @anthropic-ai/claude-code@2.1.79`)
Verification
- Step 1: Run `claude --version` → expect: '2.1.79' (or the version string containing '2.1.79')
- Step 2: Verify npm confirms the version exists: `npm view @anthropic-ai/claude-code@2.1.79 version` → expect: '2.1.79'
- Step 3: Clear keychain: `security delete-generic-password -s 'Claude Code'` → expect: 'password has been deleted' or no error
- Step 4: Attempt MCP OAuth with an affected provider (e.g., Granola at https://mcp-auth.granola.ai) → expect: browser opens, completes auth, no 'invalid_redirect_uri' error
- Step 5: Run `security find-generic-password -s 'Claude Code'` → expect: entry exists with valid credentials (not empty token)
Agent JSON
Canonical machine-readable representation of this issue:
{
"issue_id": "6c7e3608-d845-493c-974a-3d0aef35bca7",
"slug": "fix-mcp-oauth-cimd-redirect-uris-port-mismatch-32000-invalid-redirect-uri-in-claude-code-2-1-80-for-granola-slack-and-al-ddqn8e",
"verification_status": "unverified",
"canonical_json": "https://codekb.dev/v1/issues/fix-mcp-oauth-cimd-redirect-uris-port-mismatch-32000-invalid-redirect-uri-in-claude-code-2-1-80-for-granola-slack-and-al-ddqn8e"
}