claude-code - 💡(How to fix) Fix [BUG] Random local post port for MCP server with OAuth via Asana MCP [1 comments, 2 participants]

anthropics/claude-code#55067 (fetched 2026-05-01 05:47:05)


Preflight Checklist

  • I have searched existing issues and this hasn't been reported yet
  • This is a single bug report (please file separate reports for different bugs)
  • I am using the latest version of Claude Code

What's Wrong?

Summary

When re-authenticating an HTTP MCP server with OAuth, Claude Code generates a random localhost port for redirect_uri instead of honoring the configured callbackPort (set via --callback-port flag and present in .mcp.json). This breaks integrations with OAuth providers that enforce strict redirect URI matching (e.g., Asana V2 MCP).

Related to but distinct from #10439.

Environment

  • Claude Code version: 2.1.123
  • macOS Darwin 25.4.0
  • MCP server: Asana V2 (https://mcp.asana.com/v2/mcp)

Configuration

{
  "mcpServers": {
    "asana": {
      "type": "http",
      "url": "https://mcp.asana.com/v2/mcp",
      "oauth": {
        "clientId": "<redacted>",
        "callbackPort": 8080
      }
    }
  }
}

claude mcp get asana confirms callback_port 8080 is configured. Asana MCP app has http://localhost:8080/callback registered. Port 8080 is verified free (lsof -i :8080 returns nothing).

Steps to reproduce

  1. Register an Asana MCP app with http://localhost:8080/callback as redirect URI
  2. claude mcp add asana --transport http https://mcp.asana.com/v2/mcp --client-id <id> --client-secret --callback-port 8080 -s project
  3. /mcp → authenticate → ✅ initial auth succeeds with port 8080
  4. Next session, /mcp → authenticate again
  5. ❌ Asana error: "The redirect_uri parameter does not match a valid url for the application"

Observed redirect_uri values from re-auth attempts

redirect_uri=http://localhost:62322/callback
redirect_uri=http://localhost:64155/callback

Different random port each time, despite callbackPort: 8080.

What I tried (none worked)

  • Removed and re-added MCP server with explicit --callback-port 8080
  • Deleted ~/.claude/mcp-needs-auth-cache.json
  • Verified port 8080 is free at auth time
  • Verified config via claude mcp get

Expected behavior

Per the docs: "Use --callback-port to fix the port so it matches a pre-registered redirect URI of the form http://localhost:PORT/callback." Claude Code should always bind to that port and send a matching redirect_uri.

Why this matters

Enterprise OAuth providers (Asana, Salesforce, Microsoft) typically require exact redirect URI matching and don't follow RFC 8252's loopback-port-flexibility recommendation. Without callbackPort being honored on re-auth, Claude Code can't maintain authenticated MCP connections to these providers across sessions.

What Should Happen?

Asana MCP requires EXACT match for the callback port and not random ports every single time.

When callbackPort is set in an HTTP MCP server's OAuth config (via --callback-port flag or in .mcp.json), Claude Code should bind the OAuth callback listener to that exact port and send a matching redirect_uri=http://localhost:PORT/callback value to the authorization server on every auth attempt — including re-auth after token expiry.

Per the official docs: "Use --callback-port to fix the port so it matches a pre-registered redirect URI of the form http://localhost:PORT/callback."

Initial auth honors this correctly. Subsequent re-auth attempts ignore the configured callbackPort and use a random ephemeral port instead, breaking the OAuth flow with any provider that does strict redirect URI matching.

Error Messages/Logs

Browser shows the Asana OAuth error page with this message:
    "Error invalid_request: The `redirect_uri` parameter does not match a valid url for the application."

  Captured authorization URLs from two separate re-auth attempts (client_id redacted):

  Attempt 1:
  https://app.asana.com/-/oauth_authorize?response_type=code&client_id=<redacted>&code_challenge=<...>&code_challenge_method=S256&redirect_uri=http%3A%2F%2Flocalhost%3A62322%2Fcallback&state=<...>&scope=default&resource=https%3A%2F%2Fmcp.asana.com%2Fv2%2Fmcp

  Attempt 2 (after full cache wipe + fresh re-add):
  https://app.asana.com/-/oauth_authorize?response_type=code&client_id=<redacted>&code_challenge=<...>&code_challenge_method=S256&redirect_uri=http%3A%2F%2Flocalhost%3A64155%2Fcallback&state=<...>&scope=default&resource=https%3A%2F%2Fmcp.asana.com%2Fv2%2Fmcp

  Both show:
    redirect_uri=http://localhost:<random-port>/callback

  Despite `claude mcp get asana` confirming:
    OAuth: client_id configured, client_secret configured, callback_port 8080

  No errors in Claude Code itself — the `/mcp` command and `/mcp → Authenticate` flow complete normally on the client side. The failure is server-side at Asana, because the configured port is not being used in the actual OAuth request.

  Paste each into its matching field. If there's an "Environment" or "Version" field, fill in: Claude Code 2.1.123, macOS Darwin 25.4.0.

Steps to Reproduce

  1. Register an Asana MCP app at https://app.asana.com/0/my-apps with redirect URI exactly: http://localhost:8080/callback

    • App type: MCP app
    • Uncheck "This is a native or command-line app"
  2. In a terminal, configure environment and add the MCP server:

     cd /path/to/project
     claude mcp add asana --transport http https://mcp.asana.com/v2/mcp --client-id <your-asana-client-id> --client-secret --callback-port 8080 -s project

     (paste client secret when prompted)

  3. Verify config: claude mcp get asana confirms callback_port 8080 is set.

  4. Verify port 8080 is free: lsof -i :8080 returns nothing.

  5. Launch Claude Code: claude

  6. Run /mcp → select asana → Authenticate → Browser opens to Asana auth page → ✅ redirect_uri in URL is http://localhost:8080/callback as expected → Click Allow → callback succeeds → asana shows "Connected"

  7. Close Claude Code. Open a new session the next day (or after token expiry).

  8. Run /mcp → select asana → Authenticate again
    → Browser opens to Asana auth page
    → ❌ redirect_uri in URL is http://localhost:<random-port>/callback (e.g., 62322, 64155 — different each attempt)
    → Asana rejects: "The redirect_uri parameter does not match a valid url for the application"

  9. Confirmed not fixable client-side via:

    • Removing and re-adding MCP server with explicit --callback-port 8080
    • Deleting ~/.claude/mcp-needs-auth-cache.json
    • Restarting Claude Code
    • Verifying claude mcp get asana still shows callback_port 8080

Claude Model

Opus

Is this a regression?

Yes, this worked in a previous version

Last Working Version

Last working version: Unknown — initial OAuth auth worked correctly on 2.1.123 (yesterday). Re-auth has never worked in any version I've tested. Related issue #10439 (closed as "not planned") was filed against 2.0.27 with similar behavior.

Claude Code Version

2.1.123

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

VS Code integrated terminal

Additional Information

No response
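
The mismatch described in the report can be checked mechanically. The following is an added example, not code from Claude Code or Asana: it extracts redirect_uri from the captured authorization URLs and compares it with the registered URI under exact matching (the behaviour the report attributes to Asana) and under RFC 8252's any-port loopback rule. The function names are hypothetical, and treating the name localhost as a loopback host is an assumption of this example.

```python
from urllib.parse import parse_qs, urlsplit

REGISTERED = "http://localhost:8080/callback"  # redirect URI registered in the report

# Authorization URL shape copied from the report, placeholders as published there.
TEMPLATE = (
    "https://app.asana.com/-/oauth_authorize?response_type=code&client_id=<redacted>"
    "&code_challenge=<...>&code_challenge_method=S256"
    "&redirect_uri=http%3A%2F%2Flocalhost%3A{port}%2Fcallback"
    "&state=<...>&scope=default&resource=https%3A%2F%2Fmcp.asana.com%2Fv2%2Fmcp"
)
# 62322 and 64155 are the two re-auth attempts; 8080 is the first auth (step 6).
CAPTURED = [TEMPLATE.format(port=p) for p in (62322, 64155, 8080)]

# RFC 8252 section 7.3 speaks of loopback IP literals; accepting the name
# "localhost" here is an assumption made so the report's URIs can be compared.
LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost"}

def redirect_uri_of(auth_url):
    """Return the decoded redirect_uri parameter of an authorization URL."""
    values = parse_qs(urlsplit(auth_url).query).get("redirect_uri", [])
    if len(values) != 1:
        raise ValueError("expected exactly one redirect_uri parameter")
    return values[0]

def exact_match(sent, registered):
    """Strict policy: the whole string must equal the registered URI."""
    return sent == registered

def loopback_match(sent, registered):
    """RFC 8252-style policy: for http loopback URIs, ignore only the port."""
    s, r = urlsplit(sent), urlsplit(registered)
    if s.scheme != "http" or r.scheme != "http":
        return False
    if s.hostname not in LOOPBACK_HOSTS or s.hostname != r.hostname:
        return False
    return (s.path, s.query) == (r.path, r.query)

def audit(auth_urls, registered):
    """Report, per captured URL, the port sent and the verdict of each policy."""
    rows = []
    for url in auth_urls:
        sent = redirect_uri_of(url)
        rows.append({"sent": sent, "port": urlsplit(sent).port,
                     "exact": exact_match(sent, registered),
                     "loopback": loopback_match(sent, registered)})
    return rows

if __name__ == "__main__":
    for row in audit(CAPTURED, REGISTERED):
        print(row)
```

Both re-auth URLs pass the loopback rule and fail the exact rule, so a client facing an exact-matching server has to send the registered port on every attempt.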

extent analysis

TL;DR

The issue can be fixed by ensuring that Claude Code honors the configured callbackPort for re-authentication attempts, possibly by updating the OAuth callback listener to bind to the specified port.

Guidance

  • Verify that the callbackPort is correctly set in the .mcp.json configuration file and via the --callback-port flag.
  • Check the Claude Code documentation to see if there are any known issues or workarounds related to OAuth re-authentication and callbackPort.
  • Test the re-authentication flow with a different OAuth provider to see if the issue is specific to Asana or a more general problem.
  • Consider filing a bug report or feature request with the Claude Code developers to ensure that the callbackPort is honored for re-authentication attempts.

Example

No code snippet is provided as the issue seems to be related to the configuration and behavior of Claude Code rather than a specific code problem.

Notes

The issue seems to be a regression, as the last working version is unknown, and the problem has been present in at least one previous version (2.0.27). The fact that initial OAuth authentication works correctly, but re-authentication attempts fail, suggests that the problem may be related to how Claude Code handles token expiry and re-authentication.

Recommendation

Apply a workaround by manually configuring the OAuth callback listener to bind to the specified callbackPort or wait for an update from the Claude Code developers that fixes the issue. The reason for this recommendation is that the issue seems to be a bug in Claude Code, and a workaround or fix from the developers is likely necessary to resolve the problem.
