Failed OAuth from Claude.ai #11

@Kukunin

First of all, thank you for the great project. I see you recently started it; it's great and super useful. I'm glad I found it, as it solves 100% of my needs.

I'm trying to connect my mcp-postgres to claude.ai as a Connected App. My config.json looks like this:

    {
      "version": "v0.0.1-DEV_EDITION_EXPECT_CHANGES",
      "proxy": {
        "baseURL": "xxx",
        "addr": ":8080",
        "name": "Postgres MCP OAuth Proxy",
        "auth": {
          "kind": "oauth",
          "issuer": "xxx",
          "allowedDomains": ["xxx"],
          "allowedOrigins": ["https://claude.ai"],
          "tokenTtl": "24h",
          "storage": "memory",
          "googleClientId": {"$env": "GOOGLE_CLIENT_ID"},
          "googleClientSecret": {"$env": "GOOGLE_CLIENT_SECRET"},
          "googleRedirectUri": "xxx",
          "jwtSecret": {"$env": "JWT_SECRET"},
          "encryptionKey": {"$env": "ENCRYPTION_KEY"}
        }
      },
      "mcpServers": {
        "postgres": {
          "transportType": "sse",
          "url": "http://localhost:8000"
        }
      }
    }

I've added my MCP front to claude.ai as "https://my.domain/sse", and clicked Connect. After the redirects I see the error:

    {"type":"error","error":{"type":"invalid_request_error","message":"code: Field required"}}

The URL is https://claude.ai/api/mcp/auth_callback?error=invalid_scope&error_description=The+requested+scope+is+invalid%2C+unknown%2C+or+malformed.+The+OAuth+2.0+Client+is+not+allowed+to+request+scope+%27read%27.&state=xxx

From the server logs I see:

    mcp-front time="2025-06-22 05:08:18.595+00:00" level=INFO msg=request component=oauth status=200 duration_ms=0 bytes=602 remote_addr=192.168.237.223:33540 method=GET path=/.well-known/oauth-authorization-server
    mcp-front time="2025-06-22 05:08:18.862+00:00" level=INFO msg="Register handler called: POST /register"
    mcp-front time="2025-06-22 05:08:18.864+00:00" level=INFO msg="Created client 14Qsj2ERUp0ZSGcoS3iK7nSxUSboEUxx7LtMwCTZ6AM=, redirect_uris: [https://claude.ai/api/mcp/auth_callback], scopes: [claudeai]"
    mcp-front time="2025-06-22 05:08:18.864+00:00" level=INFO msg="Total clients in storage: 1"
    mcp-front time="2025-06-22 05:08:18.864+00:00" level=INFO msg=request component=oauth path=/register status=201 duration_ms=2 bytes=288 remote_addr=192.168.237.223:33540 method=POST
    mcp-front time="2025-06-22 05:08:19.076+00:00" level=INFO msg="Authorization request: response_type=code&client_id=xxx%3D&redirect_uri=https%3A%2F%2Fclaude.ai%2Fapi%2Fmcp%2Fauth_callback&scope=read+write&code_challenge=PJhJADrFMPyUeiMlLPI_KN8B_GDeknPN6sA96E9A_ds&code_challenge_method=S256&state=xxx"
    mcp-front time="2025-06-22 05:08:19.078+00:00" level=INFO msg="Client ID: xxx=, Requested scopes: read write"
    mcp-front time="2025-06-22 05:08:19.079+00:00" level=INFO msg="Requested redirect_uri: https://claude.ai/api/mcp/auth_callback"
    mcp-front time="2025-06-22 05:08:19.080+00:00" level=INFO msg="State parameter: 'U9yKAhu4O3BniCW1Ge32eSu6XceMBEPTi6YnURsMf80' (length: 43)"
    mcp-front time="2025-06-22 05:08:19.080+00:00" level=INFO msg="Client registered redirect URIs: [https://claude.ai/api/mcp/auth_callback]"
    mcp-front time="2025-06-22 05:08:19.081+00:00" level=ERROR msg="Authorization request error: invalid_scope"
    mcp-front time="2025-06-22 05:08:19.082+00:00" level=INFO msg=request component=oauth method=GET path=/authorize status=303 duration_ms=5 bytes=0 remote_addr=192.168.237.223:44454 query="response_type=code&client_id=xxx%3D&redirect_uri=https%3A%2F%2Fclaude.ai%2Fapi%2Fmcp%2Fauth_callback&scope=read+write&code_challenge=xxx&code_challenge_method=S256&state=xxx"

I noticed that it registers the application with claudeai scopes, but then requests the read+write scope. But I'm not sure how to fix this problem.

P.S. I updated the pod, and with in-memory storage the client got reset; the second time it worked fine.
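
Added example, not part of the original issue and not mcp-front's own code: a Go check of an /authorize query against a client's registered redirect URIs and scopes, showing why a client registered with `claudeai` gets `invalid_scope` for `scope=read+write` and why the resulting callback carries `error` and `state` but no `code`. The `Client` type, `contains` and `Authorize` are hypothetical names, and the client values in `main` are constructed from the logs above.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Client is a hypothetical record of what POST /register stored.
type Client struct {
	RedirectURIs []string
	Scopes       []string
}

func contains(list []string, v string) bool {
	for _, s := range list {
		if s == v {
			return true
		}
	}
	return false
}

// Authorize checks an /authorize query against the registration. It returns
// the error redirect to send the browser to, or "" when the scopes are allowed.
func Authorize(c Client, rawQuery string) (string, error) {
	q, err := url.ParseQuery(rawQuery) // decodes scope=read+write to "read write"
	if err != nil {
		return "", fmt.Errorf("invalid_request: %w", err)
	}
	redirect := q.Get("redirect_uri")
	if !contains(c.RedirectURIs, redirect) {
		// Never redirect an error to a URI the client did not register.
		return "", fmt.Errorf("invalid_request: redirect_uri %q not registered", redirect)
	}
	for _, s := range strings.Fields(q.Get("scope")) {
		if !contains(c.Scopes, s) {
			out := url.Values{"error": {"invalid_scope"}, "state": {q.Get("state")}} // no code parameter
			out.Set("error_description", "client may not request scope "+s)
			return redirect + "?" + out.Encode(), nil
		}
	}
	return "", nil
}

func main() {
	// Constructed from the logged values; the state is a placeholder.
	c := Client{[]string{"https://claude.ai/api/mcp/auth_callback"}, []string{"claudeai"}}
	fmt.Println(Authorize(c, "redirect_uri=https%3A%2F%2Fclaude.ai%2Fapi%2Fmcp%2Fauth_callback&scope=read+write&state=placeholder"))
}
```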
