Add login --callback-host flag and required client_id in hosted CIMD #272
Merged
The hosted client-metadata.json was missing the client_id property, which draft-ietf-oauth-client-id-metadata-document section 4.1 and the MCP authorization spec require to be present and to match the document URL exactly. Spec-compliant authorization servers reject the document without it. Also pin client_id to DEFAULT_CLIENT_METADATA_URL in the existing consistency tests. Fixes #271 https://claude.ai/code/session_01DfrRBieZsA9zumF4UV6XdT
Some authorization servers have pre-registered OAuth clients whose redirect URI was registered with the localhost hostname form rather than the 127.0.0.1 IP literal, and exact redirect URI matching makes mcpc's hardcoded 127.0.0.1 fail against them. The new login flag switches the host used in the redirect URI, restricted to loopback values (127.0.0.1, localhost) so the authorization code can never be redirected off-machine. The callback server still binds only the loopback IP literal per RFC 8252 section 8.3; the flag changes nothing but the URI string. Combining --callback-host localhost with the default hosted CIMD is rejected early with guidance, since the hosted document registers only 127.0.0.1 redirect URIs and the hostname-resolution attack surface of localhost should not be authorized globally for all installs. Also fix the stale --callback-port help text that claimed a port range 13316-13325; the actual default is three fixed ports, now derived from MCPC_OAUTH_CALLBACK_PORTS so it cannot drift again. Fixes #269 https://claude.ai/code/session_01DfrRBieZsA9zumF4UV6XdT
The five flag-validation cases added to basic/auth-errors pushed that suite past its 180s watchdog budget on the loaded Node CI runner (the suite passed locally and on Bun). Move them to a dedicated basic/login-flags file, which needs no test server and gets its own time budget, restoring auth-errors to its pre-PR runtime. Also normalize --callback-host case-insensitively: URI hosts are case-insensitive per RFC 3986, but redirect_uri matching at the authorization server is an exact string comparison, so LOCALHOST is accepted and lowercased rather than passed through or rejected. Refs #269 https://claude.ai/code/session_01DfrRBieZsA9zumF4UV6XdT
`mcpc login` gets a `--callback-host` flag (`127.0.0.1` default, or `localhost`) so logins work against servers whose pre-registered OAuth client only accepts the `http://localhost:<port>/callback` redirect URI form. Also adds the `client_id` property required by the CIMD spec to the hosted client metadata document, which spec-compliant authorization servers otherwise reject.

- `--callback-host` is restricted to loopback values; the callback server still binds only the `127.0.0.1` IP literal (RFC 8252 §8.3)
- `--callback-host localhost` with the default hosted CIMD fails fast with guidance — the hosted document intentionally registers only `127.0.0.1` redirect URIs
- `--callback-port` help text (claimed range 13316–13325; the actual default is three fixed ports, now derived from `MCPC_OAUTH_CALLBACK_PORTS`)
- `client_id` pinned in unit tests

Fixes #271
Fixes #269
https://claude.ai/code/session_01DfrRBieZsA9zumF4UV6XdT
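The flag validation and CIMD check this PR describes, modelled as an added TypeScript example (not mcpc's own code). `DEFAULT_CLIENT_METADATA_URL` and the `MCPC_OAUTH_CALLBACK_PORTS` values below are placeholders, not the project's real ones.

```typescript
// Added example, not mcpc's code. Values below are placeholders for the real constants.
const DEFAULT_CLIENT_METADATA_URL = "https://example.invalid/client-metadata.json"; // placeholder
const MCPC_OAUTH_CALLBACK_PORTS = [13316, 13317, 13318]; // placeholder: "three fixed ports"

// Only loopback hosts may appear in redirect_uri, so the authorization code
// can never be sent off-machine.
const LOOPBACK_HOSTS = new Set(["127.0.0.1", "localhost"]);

interface CallbackConfig {
  bindAddress: "127.0.0.1"; // RFC 8252 §8.3: listener binds the IP literal only
  redirectHost: string;     // host string placed in redirect_uri
}

function resolveCallbackHost(flag: string | undefined, clientMetadataUrl: string): CallbackConfig {
  // RFC 3986 hosts are case-insensitive, but the AS compares redirect_uri as an
  // exact string, so LOCALHOST is lowercased rather than passed through or rejected.
  const host = (flag ?? "127.0.0.1").trim().toLowerCase();
  if (!LOOPBACK_HOSTS.has(host)) {
    throw new Error(`--callback-host must be 127.0.0.1 or localhost, got "${flag}"`);
  }
  // The hosted document registers only 127.0.0.1 redirect URIs, so localhost
  // with the default CIMD can never match; fail early with guidance.
  if (host === "localhost" && clientMetadataUrl === DEFAULT_CLIENT_METADATA_URL) {
    throw new Error(
      "--callback-host localhost cannot be used with the default hosted client metadata " +
      "document, which registers only 127.0.0.1 redirect URIs; supply a document that " +
      "registers http://localhost:<port>/callback",
    );
  }
  return { bindAddress: "127.0.0.1", redirectHost: host };
}

function redirectUri(cfg: CallbackConfig, port: number): string {
  return `http://${cfg.redirectHost}:${port}/callback`;
}

// Help text derived from the port list so it cannot drift from the real default.
function callbackPortHelp(): string {
  return `Loopback port for the OAuth callback (default: tries ${MCPC_OAUTH_CALLBACK_PORTS.join(", ")})`;
}

// CIMD section 4.1: client_id must be present and equal the document URL exactly.
function validateClientMetadata(doc: Record<string, unknown>, documentUrl: string): string[] {
  const problems: string[] = [];
  const id = doc.client_id;
  if (typeof id !== "string") problems.push("client_id missing");
  else if (id !== documentUrl) problems.push(`client_id "${id}" does not match document URL "${documentUrl}"`);
  return problems;
}
```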