fix(auth): explain OAuth client-registration failures (e.g. Figma 403) instead of leaking SDK JSON parse errors#297
Closed
az-catch wants to merge 1 commit into
Closed
Conversation
…ing SDK JSON parse errors When a server refuses Dynamic Client Registration, the MCP SDK surfaces an opaque error. Figma's remote MCP server is the clearest example: its registration endpoint (https://api.figma.com/v1/oauth/mcp/register) returns a bare `403 Forbidden` for any client not on its approved allow-list, and because that body is not JSON the SDK reports: HTTP 403: Invalid OAuth error response: SyntaxError: Unexpected token 'F', "Forbidden" is not valid JSON. Raw body: Forbidden That leaves the user with no idea what went wrong or what to do next, and retrying/re-authenticating cannot help. Detect registration-phase failures (403/401, malformed non-JSON OAuth error, or a missing registration_endpoint) that occur before the authorization redirect and replace them with actionable guidance: supply a pre-registered client via --client-id/--client-secret or a custom CIMD via --client-metadata-url, and check whether the provider allow-lists clients. Failures after the authorization redirect (token exchange, cancellation, network) are passed through unchanged. Adds unit tests covering the Figma 403 case, the no-registration-endpoint case, bare Forbidden, post-authorization pass-through, and unrelated-error pass-through.
jancurn
added a commit
that referenced
this pull request
Jul 4, 2026
…03) instead of leaking SDK JSON parse errors (#298) `mcpc login` against a server that refuses Dynamic Client Registration (e.g. Figma's remote MCP server, which returns a plain-text `403 Forbidden` for clients not on its allow-list) surfaced the SDK's raw parse error (`HTTP 403: Invalid OAuth error response: SyntaxError: ... Raw body: Forbidden`). Registration-phase failures are now rewritten into actionable guidance pointing at `--client-id` / `--client-metadata-url`. - Registration phase is detected via the SDK's typed `OAuthError` plus a `reachedAuthorization` flag; post-redirect errors pass through unchanged - Allow-list wording only for 401/403 or OAuth-coded client rejections; other registration failures (5xx outages, rejected metadata) are reported honestly - The server's underlying response stays visible in the message (truncated), since `login` prints only `error.message` Fixes #296, supersedes #297. https://claude.ai/code/session_01AP2pmUcWvR8rNypXqNEqtk --- _Generated by [Claude Code](https://claude.ai/code/session_01AP2pmUcWvR8rNypXqNEqtk)_ Co-authored-by: Claude <noreply@anthropic.com>
Member
|
Thanks for this PR — the root-cause analysis was spot on and shaped the final fix. We reimplemented it in #298 rather than merging because review found issues in the detection approach:
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
Logging in to a server that refuses Dynamic Client Registration (DCR) produces a cryptic, non-actionable error. Figma's remote MCP server is the clearest reproduction —
mcpc login https://mcp.figma.com/mcpfails with:Root cause (confirmed against the live server)
https://api.figma.com, whose metadata advertisesregistration_endpoint: https://api.figma.com/v1/oauth/mcp/register.403with a plain-text bodyForbidden(despiteContent-Type: application/json). Per Figma's own forum, the endpoint "will return a 403 for any client not on [the approved] list" — MCP access is limited to approved clients.JSON.parse("Forbidden"), fails, and surfaces the rawSyntaxError.This is not Figma-specific — any allow-list-only or DCR-less server (opencode, Cline, Codex users have reported the same wall) produces the same opaque error.
mcpc cannot make Figma's login succeed (that is a provider allow-list policy), but it can tell the user what actually happened and what to do next.
Change
A new exported helper
explainOAuthRegistrationFailure()inspects failures that occur before the authorization redirect (tracked via a newreachedAuthorizationflag) and rewrites registration-phase failures — HTTP403/401, a malformed non-JSON OAuth error, or a missingregistration_endpoint— into actionable guidance:Failures after the authorization redirect (token exchange, user cancellation, network faults) are passed through unchanged. The original SDK error is preserved in
details.originalErrorfor--verbose/--json.Testing
pnpm run build(tsc) — cleanpnpm run format:checkandeslinton changed files — cleanpnpm exec vitest run— 838 passed, including 5 new tests covering: the Figma non-JSON 403, a server with noregistration_endpoint, a bareForbidden, post-authorization pass-through, and unrelated-error pass-through.https://mcp.figma.com/mcpin both human and--jsonoutput modes.