[BUG] The Claude API returns an incorrect response according to the OAuth 2.1 Authorization Framework

[Asupkay]

Pre-submission Checklist

• I have verified that this discussion would not be more appropriate as an issue in a specific repository
• I have searched existing discussions to avoid duplicates

I was told to submit here by Claude support

"Our Engineering team has recommended submitting requests to our MCP GitHub Discussions. This allows them to track and provide updates for users to follow"

Discussion Topic

Description

The Claude API that is used when connecting an MCP server to Claude.ai returns an incorrect response when a user denies an authorization request. According to the OAuth 2.1 IETF DRAFT spec which is cited in the MCP authorization standards compliance section the MCP server should:

"If the resource owner denies the access request or if the request fails for reasons other than a missing or invalid redirect URI, the authorization server informs the client by adding the following parameters to the query component of the redirect URI as described by Appendix C.1:"

Actual Result

When you follow the spec and return the user to https://claude.ai/api/mcp/auth_callback?error=access_denied&state=TO2EUix-ggi9f0YV0rbTDHvZWUZrmHymhRB0YXpCdC8 the Claude API errors out saying it is looking for an access code:

{
  "type": "error",
  "error": {
    "type": "invalid_request_error",
    "message": "code: Field required"
  },
  "request_id": "req_011CTQ83NsafsTNNdTRXS5uz"
}

Expected Result

The Claude client shows an error to the user saying that the user denied access.

[tacurran]

@Asupkay "error to the user saying that the user denied access" would you publish the text as it appears to the user here?

[Asupkay]

The exact text for the expected result is a bit up for interpretation as that is not defined in the standard and is handled by the OAuth client (Claude Api/Claude Web in this case). One example though is when you deny access for Claude Code it renders a web page that says "Authentication Error access_denied: You can close this window."