
[Bug] Remote MCPs: Authentication callback port is not validated; invalid port breaks auth flow #911

@danbarr


Bug Description

The auth callback port field in the UI does not validate that the user's input is a valid port number (1-65535, though maybe we should narrow to 1024-65535 to avoid issues with privileged ports).

Steps to Reproduce

  1. Add a remote server from the registry or using the custom option. I tested with notion-remote in the registry.

  2. Enter an invalid port in the Callback port field, like 12345678 and install the server.

  3. The Notion authorization opens in the web browser, but it seems a random port was chosen:

    Image
  4. Authorize the connection, but it fails with an error:

    Image

In the log file:

1:55PM	INFO	Detected authentication requirement from server - type: OAuth, realm: OAuth, resource_metadata:
1:55PM	INFO	Starting OAuth authentication flow with issuer: https://mcp.notion.com
1:55PM	INFO	Starting OAuth authentication flow for issuer: https://mcp.notion.com
1:55PM	INFO	Successfully registered OAuth client dynamically - client_id: REDACTED
1:55PM	INFO	Using OAuth endpoints - authorize_url: https://mcp.notion.com/authorize, token_url: https://mcp.notion.com/token
1:55PM	INFO	Opening browser to: https://mcp.notion.com/authorize?client_id=REDACTED&code_challenge=REDACTED&code_challenge_method=S256&redirect_uri=http%3A%2F%2Flocalhost%3A27671%2Fcallback&response_type=code&state=REDACTED
1:55PM	INFO	Starting OAuth callback server on port 27671
1:55PM	INFO	Waiting for OAuth callback...
Error: failed to restart workload notion-remote: failed to authenticate to remote server: remote authentication failed: OAuth flow failed: OAuth flow failed: failed to exchange code for token: oauth2: "invalid_grant" "Invalid redirect URI"

Expected Behavior

I think the input field should validate the port # before allowing the user to submit.

Also, for the dynamic client registration option, it might be a nice UX to allow the user to leave the port empty with an indication that a random one will be selected, and only require one to be explicitly set for the OAuth/OIDC methods? Counterpoint/consideration: the CLI uses a hardcoded default of 8666 if you don't specify one with the --remote-auth-callback-port flag - and the notion-remote MCP does work from the CLI even if you accept the default or give an invalid port #.

And, whatever mismatch with the random behavior should also be fixed?

Actual Behavior

No response

Priority

Medium

Environment

No response

Additional Context

No response
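
An added example, not the project's code and not from the issue author: strict validation of the callback port field using the 1024-65535 range suggested in the issue, plus a check that the redirect_uri in the authorization request, the one in the token request, and the callback listener port all agree. Function names are hypothetical; the authorize URL is shortened from the log line in the issue, and the token-request value is constructed for illustration, since the issue does not show what the token request carried.

```javascript
// Added example; function names are hypothetical, not the project's API.
const MIN_PORT = 1024; // narrowed lower bound floated in the issue
const MAX_PORT = 65535;

// Validate the raw text of the callback port field before submit.
// allowEmpty models the "leave empty for a random port" idea from the issue.
function parseCallbackPort(raw, { allowEmpty = false } = {}) {
  const text = String(raw ?? "").trim();
  if (text === "") {
    return allowEmpty
      ? { ok: true, port: null }
      : { ok: false, error: "callback port is required" };
  }
  // Digits only, so "1e4", "0x1F90", "-1" and "8080.5" are rejected here.
  if (!/^\d+$/.test(text)) {
    return { ok: false, error: "callback port must be a whole number" };
  }
  const port = Number(text);
  if (port < MIN_PORT || port > MAX_PORT) {
    return { ok: false, error: `callback port must be ${MIN_PORT}-${MAX_PORT}` };
  }
  return { ok: true, port };
}

// RFC 6749 section 4.1.3: the token request's redirect_uri must be identical
// to the one sent in the authorization request. Returns a list of problems.
function checkRedirectConsistency(authorizeUrl, tokenRedirectUri, listenerPort) {
  const authRedirect = new URL(authorizeUrl).searchParams.get("redirect_uri");
  if (authRedirect === null) return ["authorize URL has no redirect_uri"];
  const problems = [];
  if (authRedirect !== tokenRedirectUri) {
    problems.push(`token request uses ${tokenRedirectUri}, authorize used ${authRedirect}`);
  }
  if (Number(new URL(authRedirect).port) !== listenerPort) {
    problems.push(`listener on ${listenerPort} does not match ${authRedirect}`);
  }
  return problems;
}

// Constructed sample, shortened from the authorize URL in the log above.
const SAMPLE_AUTHORIZE_URL =
  "https://mcp.notion.com/authorize?client_id=REDACTED&response_type=code" +
  "&redirect_uri=http%3A%2F%2Flocalhost%3A27671%2Fcallback&state=REDACTED";

console.log(parseCallbackPort("12345678")); // rejected: out of range
// Constructed mismatch: token request built from a different port (8666).
console.log(checkRedirectConsistency(
  SAMPLE_AUTHORIZE_URL, "http://localhost:8666/callback", 27671));
```

Running the consistency check just before the token exchange turns a server-side `invalid_grant` into a local error that names the two URIs that differ.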
