Skip to content

fix(auth): allow-any redirect fallback broken by MCP SDK ≥1.29#37

Merged
freema merged 2 commits into
mainfrom
fix/redirect-uri-validation-sdk-129
Jul 3, 2026
Merged

fix(auth): allow-any redirect fallback broken by MCP SDK ≥1.29#37
freema merged 2 commits into
mainfrom
fix/redirect-uri-validation-sdk-129

Conversation

@freema

@freema freema commented Jul 3, 2026

Copy link
Copy Markdown
Owner

Fixes #36

Problem

With MCP_REDIRECT_URIS unset (the documented allow-any default), every Claude.ai OAuth attempt fails with invalid_request / Unregistered redirect_uri on fresh installs.

The allow-any fallback was a Proxy faking only Array.prototype.includes(). MCP SDK 1.29 switched the authorize handler's membership check to .some(redirectUriMatches), which iterates the empty backing array — so the fallback silently rejected everything. npx openclaw-mcp@latest resolves the ^1.x SDK range fresh (ignoring our lockfile, which pinned 1.25.3), so production installs broke while CI stayed green.

Changes

  • src/auth/provider.ts — replace the Proxy with an Array subclass overriding both includes() (SDK ≤1.28) and some() (SDK ≥1.29). The backing list stays empty, so an omitted redirect_uri now yields a clean validation error instead of a redirect to undefined.
  • package.json — bump @modelcontextprotocol/sdk floor to ^1.29.0 so CI runs against what fresh installs actually resolve.
  • Tests — regression coverage through the real SDK router: claude.ai callback (https://claude.ai/api/mcp/auth_callback) against the allow-any default, plus positive/negative coverage for an explicit MCP_REDIRECT_URIS allow-list. Verified the old Proxy fails these tests against SDK 1.29 (400 instead of 302 — exactly the production symptom).
  • Docs.env.example showed https://claude.ai/oauth/callback as the MCP_REDIRECT_URIS example, which is not Claude's real callback and would itself lock Claude.ai out; corrected everywhere and added a troubleshooting entry for Unregistered redirect_uri.

Compatibility

No behavior change for existing configurations:

  • explicit MCP_REDIRECT_URIS allow-lists validate exactly as before
  • DCR clients register real redirect URI arrays — untouched
  • allow-any default works again on both old and new SDK generations

Test plan

  • 152/152 unit + integration tests pass (SDK 1.29.0)
  • Old implementation fails the new regression tests with the exact production symptom
  • lint, typecheck, build, format:check clean

freema added 2 commits July 3, 2026 16:22
The allow-any redirect_uri fallback (used when MCP_REDIRECT_URIS is not
set) was implemented as a Proxy faking only Array.prototype.includes().
SDK 1.29 changed the authorize handler's membership check from
.includes() to .some(redirectUriMatches), which iterates the empty
backing array — so every authorization request failed with 400
'Unregistered redirect_uri' (hit by claude.ai connectors on fresh
'npx openclaw-mcp@latest' installs, which resolve the ^1.x SDK range
to 1.29+ regardless of our lockfile).

- Replace the Proxy with an Array subclass overriding both includes()
  and some(), covering SDK <=1.28 and >=1.29 membership checks
- Keep the backing list empty so an omitted redirect_uri now yields a
  clean validation error instead of a redirect to 'undefined'
- Bump @modelcontextprotocol/sdk to ^1.29.0 so CI tests run against
  the SDK that fresh installs actually resolve
- Add regression tests: claude.ai callback against the allow-any
  default, plus positive/negative coverage for an explicit
  MCP_REDIRECT_URIS allow-list
…ct_uri troubleshooting

The MCP_REDIRECT_URIS example in .env.example pointed to
https://claude.ai/oauth/callback, which is not the callback Claude.ai
actually uses — anyone copying it would lock Claude.ai out. The real
callback is https://claude.ai/api/mcp/auth_callback (claude.com
variant included).

- Fix the example URI in .env.example and recommend it in README,
  configuration.md, and the deployment security checklist
- Add a redirect-URI allow-list section to configuration.md (exact
  matching, RFC 8252 loopback port relaxation)
- Add a troubleshooting entry for 'Unregistered redirect_uri' covering
  both the wrong-URI case and the SDK 1.29 allow-any regression in
  bridge <=1.5.0
- Pass TRUST_PROXY through the deployment compose example and sample .env
@freema
freema merged commit 8a8da85 into main Jul 3, 2026
6 checks passed
@freema
freema deleted the fix/redirect-uri-validation-sdk-129 branch July 3, 2026 16:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Claude.ai OAuth fails with "Unregistered redirect_uri" when MCP_REDIRECT_URIS is unset (MCP SDK ≥1.29 regression)

1 participant