Skip to content

OAuth flow hangs indefinitely when server rejects dynamic client registration (e.g., Figma MCP) #115

New issue
New issue
Open
Open
OAuth flow hangs indefinitely when server rejects dynamic client registration (e.g., Figma MCP)#115
@leandroppf

Description

@leandroppf
leandroppf
opened on Mar 16, 2026

When running mcporter auth 'https://mcp.figma.com/mcp', the CLI prints "Waiting for browser approval..." and hangs until timeout, but the browser never opens. No error is surfaced at any log level,
including --log-level debug.

Steps to Reproduce

  1. Configure Figma MCP server: "figma-remote-mcp": { "type": "http", "url": "https://mcp.figma.com/mcp" }
  2. Run mcporter auth 'https://mcp.figma.com/mcp' --log-level debug
  3. Observe: CLI prints "Waiting for browser approval..." but browser never opens
  4. Wait 60s → times out with OAuthTimeoutError

Root Cause

Figma's OAuth server does not support RFC 7591 Dynamic Client Registration (https://datatracker.ietf.org/doc/html/rfc7591). When mcporter attempts to register itself as an OAuth client, Figma
responds with HTTP 403 Forbidden (raw body: "Forbidden").

Because client registration fails, no authorization URL is ever generated, so redirectToAuthorization() is never called and the browser never opens.

The error is caught inside the MCP SDK's auth() → authInternal() flow and never surfaces to the user. The actual error is:

  HTTP 403: Invalid OAuth error response: SyntaxError: Unexpected token 'F', "Forbidden" is not valid JSON. Raw body: Forbidden

This same server works fine in Claude CLI, which has a pre-registered OAuth client ID and doesn't need dynamic client registration.

Expected Behavior

  1. Surface the error — mcporter should log the 403 rejection with a clear message like: "OAuth client registration was rejected by the server (HTTP 403). This server may not support dynamic client
    registration."
  2. Don't hang — if the authorization URL was never generated, mcporter should fail immediately instead of waiting 60s for a browser callback that will never come
  3. Ideally — support providing a pre-registered client_id / client_secret via config or CLI flags for servers that don't allow dynamic registration

Environment

  • mcporter: 0.7.3
  • Node: v22.18.0
  • macOS
  • MCP SDK: @modelcontextprotocol/sdk (bundled with mcporter)

Affected servers

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions