
bug: OAuth uses wrong authorization URL and missing redirectUri config #5766

@christso


Problem

MCP OAuth fails with enterprise auth servers (Keycloak, Azure AD, Okta) due to two issues:

1. Wrong authorization URL (SDK bug)

MCP SDK 1.15.1 incorrectly constructs the authorization URL by appending /authorize to the issuer URL instead of using authorization_endpoint from OAuth metadata.

    # Expected (from .well-known/openid-configuration):
    https://idp.example.com/realms/mcp/protocol/openid-connect/auth

    # Actual (SDK 1.15.1):
    https://idp.example.com/authorize

This causes the browser to redirect to a non-existent endpoint.

2. No redirect URI configuration

OAuth servers validate that the redirect URI exactly matches a pre-registered URI. OpenCode hardcodes http://127.0.0.1:19876/mcp/oauth/callback, which may not be registered on the OAuth server.

Users cannot configure a custom redirect URI to match what's registered (e.g., Claude Code's http://localhost:41842/callback).

Reproduction Steps

Keycloak

  1. Configure an MCP server with OAuth in opencode.json:

    "mcp": {
      "example-mcp-server": {
        "type": "remote",
        "url": "https://your-mcp-server.com",
        "oauth": {
          "clientId": "your-client-id",
          "scope": "openid profile email"
        }
      }
    }
  2. Run the auth command:

    opencode mcp auth example-mcp-server
    
  3. Browser opens and navigates to the authorization URL

  4. Result: "Page not found" error because the SDK constructs the wrong URL (/authorize instead of the actual authorization_endpoint from OAuth discovery)


GitHub MCP

I observed similar behaviour with GitHub MCP.

  1. Create an OpenCode OAuth app in Developer settings

  2. Add GitHub MCP to .config/opencode.json:

    {
      "$schema": "https://opencode.ai/config.json",
      "mcp": {
        "github": {
          "type": "remote",
          "url": "https://api.githubcopilot.com/mcp/",
          "enabled": true,
          "oauth": {
            "clientId": "your-client-id",
            "clientSecret": "your-client-secret"
          }
        }
      }
    }
    
  3. Run the auth command:

    opencode mcp auth github
    
  4. Result: The SDK constructs the wrong URL (/authorize instead of the actual authorization_endpoint from OAuth discovery). Note: The URL github.com/authorize actually points to the GitHub user "authorize".


Solution

  1. Upgrade MCP SDK to 1.25.1+ which correctly reads authorization_endpoint
  2. Add redirectUri config so users can specify the callback URL

User Configuration

This is a typical configuration for Keycloak that impersonates Claude Code:

"mcp": {
  "<server-name>": {
    "type": "remote",
    "url": "https://<your-mcp-server>",
    "oauth": {
      "clientId": "f637990b-e806-402b-9652-2eac0ae05840",
      "redirectUri": "http://localhost:41842/callback",
      "scope": "openid profile email"
    }
  }
}

Explanation

  1. If I upgrade MCP SDK from 1.15.1 to 1.25.1+, it constructs the correct path for Keycloak.

  2. The MCP SDK upgrade will also fix GitHub MCP OAuth because it will resolve to the correct URL: github.com/login/oauth/authorize.

  3. However, Keycloak also validates the callback URL (currently many enterprise systems match the callback URL pattern for VS Code and Claude Code, not OpenCode). If I set the redirectUri to impersonate Claude Code, the authentication is successful.
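The two points the report turns on, as an added example that is not code from the issue, OpenCode or the MCP SDK: deriving the authorization URL from the discovery document's authorization_endpoint rather than from issuer + /authorize, and treating the redirect URI as an exact-match value that the client must be able to configure. The discovery document, client id and registered URIs below are constructed for illustration.

```typescript
// Shape of the fields we need from .well-known/openid-configuration
// (or an OAuth 2.0 authorization server metadata document).
interface OAuthMetadata {
  issuer: string;
  authorization_endpoint?: string;
  token_endpoint?: string;
}

// Constructed discovery document; the paths mirror the Keycloak layout quoted in the issue.
const discovery: OAuthMetadata = {
  issuer: "https://idp.example.com/realms/mcp",
  authorization_endpoint: "https://idp.example.com/realms/mcp/protocol/openid-connect/auth",
  token_endpoint: "https://idp.example.com/realms/mcp/protocol/openid-connect/token",
};

// The reported SDK 1.15.1 behaviour: resolving "/authorize" against the issuer
// discards the realm path and yields https://idp.example.com/authorize.
function guessedAuthorizationUrl(issuer: string): string {
  return new URL("/authorize", issuer).toString();
}

// Correct behaviour: use the advertised endpoint and fail loudly when it is missing
// instead of silently sending the user to a URL that may belong to someone else.
function resolveAuthorizationEndpoint(meta: OAuthMetadata): string {
  if (!meta.authorization_endpoint) {
    throw new Error(`no authorization_endpoint advertised by ${meta.issuer}`);
  }
  return meta.authorization_endpoint;
}

// Authorization servers compare redirect URIs byte-for-byte against the registered
// list, so the client-side check normalises nothing and requires an exact match.
function isRegisteredRedirectUri(registered: string[], requested: string): boolean {
  return registered.includes(requested);
}

// Build the authorization request with an explicit, caller-supplied redirectUri
// (the config field the issue asks for) and PKCE parameters.
function buildAuthorizationUrl(meta: OAuthMetadata, clientId: string, redirectUri: string,
                               scope: string, state: string, codeChallenge: string): string {
  const url = new URL(resolveAuthorizationEndpoint(meta));
  url.searchParams.set("response_type", "code");
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("redirect_uri", redirectUri);
  url.searchParams.set("scope", scope);
  url.searchParams.set("state", state);
  url.searchParams.set("code_challenge", codeChallenge);
  url.searchParams.set("code_challenge_method", "S256");
  return url.toString();
}
```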

Labels: bug