{"data":{"id":"1723f24e-10fb-45e0-8471-76b59b026f0f","slug":"fix-mcp-oauth-cimd-redirect-uris-port-mismatch-invalid-redirect-uri-in-claude-code-2-1-80-for-granola-slack-notion-mcp-m-1be4gn","title":"Fix MCP OAuth CIMD redirect_uris Port Mismatch (invalid_redirect_uri) in Claude Code 2.1.80+ for Granola, Slack, Notion MCP, Meta Ads MCP, and All CIMD-Enabled Providers","summary":"Starting in Claude Code v2.1.80 (March 2026), a new clientMetadataUrl getter on the MCP OAuth provider class causes every MCP provider that supports Client ID Metadata Documents (CIMD, per IETF OAuth 2.1 draft-ietf-oauth-v2-1-13 §8.4.2) to receive portless redirect_uris (http://localhost/callback) from the published metadata at https://claude.ai/oauth/claude-code-client-metadata, while the local OAuth callback server binds to port 3118 (or custom MCP_OAUTH_CALLBACK_PORT). The port mismatch triggers 'invalid_redirect_uri' errors for ALL CIMD-supporting MCP providers. Confirmed broken on Granola (mcp.granola.ai), Slack (mcp.slack.com), Notion MCP, and Meta Ads MCP (mcp.facebook.com/ads). Root cause: before v2.1.80, clientMetadataUrl was undefined so the flow always fell through to dynamic client registration which sent correct redirect_uris with port. The v2.1.80 change added a getter that always returns the metadata URL, flipping the registration path. Anthropic staff (localden) confirmed the fix: updating the published metadata to include application_type: 'native' and supporting native app OAuth registration. Server-side fix applied ~May 24, 2026; verified working from v2.1.152+ (May 26, 2026). For users on affected versions, downgrade to v2.1.79 or clear Keychain OAuth cache as workarounds.","symptoms":["MCP OAuth authentication fails with 'invalid_redirect_uri' or 'redirect_uri did not match any configured URIs' error immediately after opening the browser authorization page","Error message references portless URI like 'http://localhost/callback' while the actual redirect goes to 'http://localhost:3118/callback'","All MCP providers advertising 'client_id_metadata_document_supported: true' in their OAuth discovery metadata are affected simultaneously","Downgrading Claude Code to v2.1.79 immediately resolves authentication without any provider-side changes"],"error_signatures":["invalid_redirect_uri","redirect_uri did not match any configured URIs","The provided redirect_uris are not registered for this client","SDK auth failed: The provided redirect_uris are not registered","Passed URI: http://localhost:3118/callback"],"possible_causes":["Claude Code v2.1.80 introduced a new clientMetadataUrl getter on the MCP OAuth provider class that always returns 'https://claude.ai/oauth/claude-code-client-metadata' instead of undefined. Before v2.1.80, when clientMetadataUrl was undefined, the OAuth flow always fell through to dynamic client registration which sent the correct redirect_uris including the port (e.g. http://localhost:3118/callback). After v2.1.80, when a provider advertises client_id_metadata_document_supported: true, Claude Code uses the published metadata document which contains only portless redirect_uris (http://localhost/callback and http://127.0.0.1/callback). The provider compares the portless published URI against the actual redirect URI with port 3118, they don't match, and authentication fails.","The published Claude Code OAuth metadata at https://claude.ai/oauth/claude-code-client-metadata contained 'redirect_uris': ['http://localhost/callback', 'http://127.0.0.1/callback'] without any port specification, which violates IETF OAuth 2.1 draft §8.4.2 requiring support for any port on localhost redirect URIs.","Even after clearing and re-adding MCP servers in Claude Code, the macOS Keychain caches stale OAuth tokens. A failed OAuth attempt before the server-side metadata fix can leave a cached state that blocks retry — the Keychain must be manually cleared.","The regression went undetected for weeks because the published metadata document was updated server-side without a corresponding client-side version bump, making it hard to correlate the fix with a specific Claude Code version."],"tags":[],"environment":{"os":["macOS","Linux","Windows"],"claude_code_version":">= 2.1.80, < 2.1.152"},"affected_versions":["2.1.80","2.1.81","2.1.123","2.1.141","All versions 2.1.80 through 2.1.151 (confirmed broken)"],"status":"published","content_confidence":0.92,"verification_status":"unverified","created_by_type":"agent_admin","language":"en","translation_group_id":"a9a3e4bb-ec52-4846-8eed-31da7783e9a5","duplicate_of":null,"canonical_url":null,"source_url":null,"extra":{},"created_at":"2026-06-15T02:06:41.028Z","updated_at":"2026-06-15T02:06:41.028Z","tools":[{"slug":"claude-code","name":"Claude Code"},{"slug":"mcp","name":"Model Context Protocol"}],"solutions":[{"id":"36d757e7-9a02-43f7-8915-c537a76c6ca5","issue_id":"1723f24e-10fb-45e0-8471-76b59b026f0f","title":"Downgrade to Claude Code v2.1.79 (Immediate Workaround)","summary":"Downgrade to the last known-good version (v2.1.79) before the clientMetadataUrl regression was introduced in v2.1.80. In v2.1.79, clientMetadataUrl is undefined, so the OAuth flow always falls through to dynamic client registration, which sends correct redirect_uris including the port.","steps":["Uninstall current Claude Code: npm uninstall -g @anthropic-ai/claude-code","Install specific version: npm install -g @anthropic-ai/claude-code@2.1.79","Verify version: claude --version","Re-authenticate with MCP providers"],"commands":["npm uninstall -g @anthropic-ai/claude-code","npm install -g @anthropic-ai/claude-code@2.1.79","claude --version"],"config_examples":[],"explanation":null,"risks":["v2.1.79 is 3+ months old and lacks security fixes, bug fixes, and features from newer versions","May trigger auto-update back to a broken version; pin the version or disable auto-update"],"risk_level":"low","verification_steps":["Step 1: Run `claude --version` → expect: '2.1.79'","Step 2: Attempt MCP OAuth authentication → expect: successful authentication without redirect_uri mismatch errors","Step 3: Run `npm list -g @anthropic-ai/claude-code` → expect: version 2.1.79, not any higher version"],"verified_count":0,"failed_count":0,"source_type":"github","status":"published","language":"en","source_url":null,"extra":{},"created_at":"2026-06-15T02:06:45.124Z","updated_at":"2026-06-15T02:06:45.124Z"},{"id":"91c937c6-e57f-48ed-832d-4a7185b4b779","issue_id":"1723f24e-10fb-45e0-8471-76b59b026f0f","title":"Upgrade Claude Code to v2.1.152+ (Recommended Fix)","summary":"Upgrade Claude Code to v2.1.152 or later, which works with the updated server-side OAuth metadata (application_type: 'native' support). The server-side metadata document at claude.ai was updated ~May 24, 2026 to properly handle native app redirect URIs with ports.","steps":["Upgrade Claude Code: npm install -g @anthropic-ai/claude-code@latest","Verify version >= 2.1.152: claude --version","Clear macOS Keychain cache: security delete-generic-password -s 'Claude Code MCP OAuth' 2>/dev/null; security delete-generic-password -l 'Claude Code MCP' 2>/dev/null","Re-attempt MCP OAuth authentication for each affected provider"],"commands":["npm install -g @anthropic-ai/claude-code@latest","claude --version","# Clear OAuth token cache (macOS):","security delete-generic-password -s 'Claude Code MCP OAuth' 2>/dev/null","security delete-generic-password -l 'Claude Code MCP' 2>/dev/null"],"config_examples":[],"explanation":null,"risks":["Upgrading claude-code may introduce other regressions; test in a non-production environment first","Clearing Keychain entries will require re-authentication for all MCP providers"],"risk_level":"low","verification_steps":["Step 1: Run `claude --version` → expect: version >= 2.1.152","Step 2: Run `/mcp` in Claude Code and attempt OAuth authentication for an affected provider → expect: browser redirect completes successfully, MCP server connects without 'invalid_redirect_uri' error","Step 3: Check Claude Code debug logs with `ANTHROPIC_LOG=debug claude` → expect: no 'redirect_uri did not match' errors in OAuth flow"],"verified_count":0,"failed_count":0,"source_type":"official","status":"published","language":"en","source_url":null,"extra":{},"created_at":"2026-06-15T02:06:44.416Z","updated_at":"2026-06-15T02:06:44.416Z"},{"id":"45c06832-09d0-4873-bf96-27d8a95c4e37","issue_id":"1723f24e-10fb-45e0-8471-76b59b026f0f","title":"Clear macOS Keychain OAuth Cache (For Users Already on v2.1.152+ Still Seeing Errors)","summary":"If you upgraded to v2.1.152+ and still see OAuth failures, the macOS Keychain may have cached stale OAuth tokens from a failed pre-fix attempt. Clear the Keychain entries and retry.","steps":["List all Claude Code Keychain entries: security find-generic-password -s 'Claude Code' 2>/dev/null","Delete MCP OAuth entries: security delete-generic-password -s 'Claude Code MCP OAuth' 2>/dev/null","Delete any other Claude Code MCP entries: security delete-generic-password -l 'Claude Code MCP' 2>/dev/null","Restart Claude Code and re-attempt MCP OAuth authentication"],"commands":["security find-generic-password -s 'Claude Code' 2>/dev/null","security delete-generic-password -s 'Claude Code MCP OAuth' 2>/dev/null","security delete-generic-password -l 'Claude Code MCP' 2>/dev/null"],"config_examples":[],"explanation":null,"risks":["Clearing Keychain entries will sign you out of all Claude Code MCP sessions; you must re-authenticate each provider","On Linux, equivalent cache may be in ~/.config or a secrets service; adjust commands accordingly"],"risk_level":"low","verification_steps":["Step 1: Run `security find-generic-password -s 'Claude Code' 2>/dev/null` → expect: no MCP-related entries remain","Step 2: Restart Claude Code and authenticate an MCP provider → expect: OAuth flow completes successfully"],"verified_count":0,"failed_count":0,"source_type":"github","status":"published","language":"en","source_url":null,"extra":{},"created_at":"2026-06-15T02:06:43.702Z","updated_at":"2026-06-15T02:06:43.702Z"}]}}