Description
Environment
- Platform (select one):
- Anthropic API
- AWS Bedrock
- Google Vertex AI
- Other:
- Claude CLI version: 1.0.41
- Operating System: macOS 14.3
Bug Description
Claude Code fails to connect to an MCP server that does not have Dynamic Client Registration implemented. The MCP server in this case is behaving as a resource server, with a separate OAuth server serving as the authorization server. As per the latest MCP Auth RFC, an MCP server acting as a pure resource server should only implement and publish /.well-known/oauth-protected-resource, and this file is not supposed to bear the client_id details. The client_id and redirect_uri should be part of /.well-known/oauth-authorization-server, which is the responsibility of the authorization server (and not MCP servers). Claude Code should follow the protocol below and ideally should succeed.
Steps to Reproduce
- Configure mcp.json with MCP servers acting only as a resource server. Have a separate Auth server (i.e. Auth0)
- Connection fails
Expected Behavior
As per the latest MCP auth spec - https://modelcontextprotocol.io/specification/draft/basic/authorization#authorization-server-discovery
Any authorization servers that do not support Dynamic Client Registration need to provide alternative ways to obtain a client ID (and, if applicable, client credentials). For one of these authorization servers, MCP clients will have to either:
- Hardcode a client ID (and, if applicable, client credentials) specifically for the MCP client to use when interacting with that authorization server, or
- Present a UI to users that allows them to enter these details, after registering an OAuth client themselves (e.g., through a configuration interface hosted by the server).
Based on the above, Claude Code should work with MCP servers that are purely acting as resource servers and not auth servers. The Auth server in my case is Auth0.
Actual Behavior
Based on the above, Claude Code should work with MCP servers that are purely acting as resource servers and not auth servers. The Auth server in my case is Auth0.
Additional Context
Logs
[DEBUG] MCP server "custom-mcpserver": No token data found
[DEBUG] MCP server "custom-mcpserver": Using redirect port: 63105
[DEBUG] MCP server "custom-mcpserver": Generated new OAuth state
[DEBUG] MCP server "custom-mcpserver": Starting SDK auth
[DEBUG] MCP server "custom-mcpserver": Server URL: https:///mcp
[DEBUG] MCP server "custom-mcpserve": No client info found
[DEBUG] MCP server "custom-mcpserve": SDK auth error: Error: Dynamic client registration failed: HTTP 403
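The fallback described in the quoted spec text, sketched as an added example that is not part of the original issue and is not Claude Code or MCP SDK code. The function name, the `configuredClients` option, and the choice to prefer a user-supplied client ID over dynamic registration are assumptions; the metadata field names are those of RFC 9728 and RFC 8414, and the 403 case mirrors the log above.

```javascript
// Added example: decide how a client obtains its client_id for one
// authorization server. All function and option names are hypothetical.
//   resourceMetadata : JSON from /.well-known/oauth-protected-resource
//   asMetadata       : JSON from /.well-known/oauth-authorization-server
//   configuredClients: { [issuer]: { clientId } } supplied by the user
//   dcrStatus        : HTTP status of an earlier registration attempt, if any
function selectClientRegistration(resourceMetadata, asMetadata, configuredClients, dcrStatus) {
  const advertised = resourceMetadata.authorization_servers || [];
  // Only trust authorization server metadata whose issuer the resource
  // server itself advertised (exact string match).
  if (!advertised.includes(asMetadata.issuer)) {
    return { mode: 'reject', reason: 'issuer not advertised by resource server' };
  }
  // A client ID the user registered out of band wins over dynamic registration.
  const preset = Object.prototype.hasOwnProperty.call(configuredClients, asMetadata.issuer)
    ? configuredClients[asMetadata.issuer] : undefined;
  if (preset && preset.clientId) {
    return { mode: 'preconfigured', clientId: preset.clientId };
  }
  const endpoint = asMetadata.registration_endpoint;
  const refused = dcrStatus !== undefined && (dcrStatus < 200 || dcrStatus > 299);
  if (typeof endpoint === 'string' && !refused) {
    return { mode: 'dynamic', registrationEndpoint: endpoint };
  }
  // No usable registration path: ask the user for a client ID instead of failing.
  return {
    mode: 'prompt-user',
    reason: refused ? `registration returned HTTP ${dcrStatus}` : 'no registration_endpoint',
  };
}

// Constructed sample documents (hosts are placeholders).
const SAMPLE_RESOURCE = {
  resource: 'https://mcp.example.test/mcp',
  authorization_servers: ['https://idp.example.test/'],
};
const SAMPLE_AS = {
  issuer: 'https://idp.example.test/',
  authorization_endpoint: 'https://idp.example.test/authorize',
  token_endpoint: 'https://idp.example.test/oauth/token',
};
const SAMPLE_CLIENTS = { 'https://idp.example.test/': { clientId: 'constructed-client-id' } };

console.log(selectClientRegistration(SAMPLE_RESOURCE, SAMPLE_AS, SAMPLE_CLIENTS));
console.log(selectClientRegistration(SAMPLE_RESOURCE, SAMPLE_AS, {}, 403));
```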