Skip to content

Explain OAuth client-registration failures during login (e.g. Figma 403) instead of leaking SDK JSON parse errors#298

Merged
jancurn merged 1 commit into
mainfrom
claude/mcpc-pr-297-review-0x8l21
Jul 4, 2026
Merged

Explain OAuth client-registration failures during login (e.g. Figma 403) instead of leaking SDK JSON parse errors#298
jancurn merged 1 commit into
mainfrom
claude/mcpc-pr-297-review-0x8l21

Conversation

@jancurn

@jancurn jancurn commented Jul 4, 2026

Copy link
Copy Markdown
Member

mcpc login against a server that refuses Dynamic Client Registration (e.g. Figma's remote MCP server, which returns a plain-text 403 Forbidden for clients not on its allow-list) surfaced the SDK's raw parse error (HTTP 403: Invalid OAuth error response: SyntaxError: ... Raw body: Forbidden). Registration-phase failures are now rewritten into actionable guidance pointing at --client-id / --client-metadata-url.

  • Registration phase is detected via the SDK's typed OAuthError plus a reachedAuthorization flag; post-redirect errors pass through unchanged
  • Allow-list wording only for 401/403 or OAuth-coded client rejections; other registration failures (5xx outages, rejected metadata) are reported honestly
  • The server's underlying response stays visible in the message (truncated), since login prints only error.message

Fixes #296, supersedes #297.

https://claude.ai/code/session_01AP2pmUcWvR8rNypXqNEqtk


Generated by Claude Code

Logging in to a server that refuses Dynamic Client Registration (e.g.
Figma's remote MCP server, which 403s any client not on its allow-list
with a plain-text body) surfaced the SDK's raw JSON parse error:

  HTTP 403: Invalid OAuth error response: SyntaxError: Unexpected
  token 'F', "Forbidden" is not valid JSON. Raw body: Forbidden

performOAuthFlow now rewrites registration-phase failures (detected via
the SDK's typed OAuthError plus a reachedAuthorization flag set at the
authorization redirect) into actionable guidance pointing at
--client-id / --client-metadata-url. Allow-list wording is used only
for 401/403 or OAuth-coded client rejections; other registration
failures (5xx outages, rejected metadata) are reported honestly, and
the server's underlying response stays visible in the message.
Post-redirect errors pass through unchanged.

Supersedes #297.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01AP2pmUcWvR8rNypXqNEqtk
@jancurn
jancurn merged commit 02cbb92 into main Jul 4, 2026
6 checks passed
@jancurn
jancurn deleted the claude/mcpc-pr-297-review-0x8l21 branch July 4, 2026 21:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Figma MCP doesn't work

3 participants