
[BUG] OAuth fails with AWS Cognito: "does not support S256 code challenge method" despite Cognito supporting PKCE

Open jeffrigby opened this issue 4 months ago • 1 comment

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

Claude Code's OAuth flow fails when connecting to MCP servers that use AWS Cognito as their OIDC provider, even though Cognito fully supports PKCE with S256.

Root Cause

AWS Cognito's .well-known/openid-configuration endpoint does not include the code_challenge_methods_supported field in its response, even though Cognito fully supports PKCE S256 in practice.

Example Cognito discovery response (note the missing field):

{
  "authorization_endpoint": "https://....auth.eu-west-1.amazoncognito.com/oauth2/authorize",
  "token_endpoint": "https://....auth.eu-west-1.amazoncognito.com/oauth2/token",
  "response_types_supported": ["code", "token"],
  ...
}

Claude Code appears to require code_challenge_methods_supported to include S256 in the discovery document, which is a stricter check than necessary.

Expected Behavior

Environment

  • Claude Code version: 2.0.60
  • OS: macOS / Linux / Windows
  • OIDC Provider: AWS Cognito

Workaround

Currently the only workaround is to manually obtain tokens and use the headers configuration, which defeats the purpose of the built-in OAuth flow.

What Should Happen?

Claude Code should either:

  1. Attempt PKCE S256 if code_challenge_methods_supported is absent (many providers support it without advertising)
  2. Provide a configuration option to skip/override this check
  3. Fall back gracefully rather than failing outright

Error Messages/Logs

Error: Incompatible OIDC provider at https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_XXXXXXXX/.well-known/openid-configuration: does not support S256 code challenge method required by MCP specification

Steps to Reproduce

  1. Add an HTTP MCP hosted on AWS and behind a Cognito token
  2. Start Claude Code and run /mcp
  3. Select authenticate on the remote MCP

Claude Model

Opus

Is this a regression?

I don't know

Last Working Version

No response

Claude Code Version

2.0.60

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

iTerm2

Additional Information

No response

jeffrigby, Dec 07 '25 05:12
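To make the behaviour described in the report concrete, here is an added example (not Claude Code's own code, and not from the reporter) of the client-side decision a PKCE-capable OAuth client has to make when it reads an OIDC discovery document: it returns "S256" when the provider advertises it, rejects a provider that lists only "plain", and, only when an explicit opt-in flag is set, assumes S256 when code_challenge_methods_supported is absent, as options 1 and 2 of the report propose. The caveat a practitioner should keep in mind is that RFC 8414 says a discovery document that omits this field means the server does not support PKCE, which is why a strict client errors out on it; the fallback is therefore a deliberate, per-provider choice, not the default. The two discovery documents and the client_id/redirect_uri values are constructed samples; the Cognito-like one mirrors the response quoted above with a placeholder host. The RFC 7636 Appendix B vector is used to check the S256 transform.

```python
"""PKCE (RFC 7636) setup driven by an OIDC discovery document.

Added example, not Claude Code's implementation.  Discovery documents and
client settings below are constructed samples.
"""
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Constructed sample mirroring the Cognito response in the report:
# code_challenge_methods_supported is absent.  Host is a placeholder.
COGNITO_LIKE_DISCOVERY = {
    "authorization_endpoint": "https://example.auth.eu-west-1.amazoncognito.com/oauth2/authorize",
    "token_endpoint": "https://example.auth.eu-west-1.amazoncognito.com/oauth2/token",
    "response_types_supported": ["code", "token"],
}

# Constructed sample of a provider that advertises PKCE explicitly.
ADVERTISING_DISCOVERY = {
    **COGNITO_LIKE_DISCOVERY,
    "code_challenge_methods_supported": ["S256", "plain"],
}


class IncompatibleProvider(Exception):
    """Raised when the discovery document does not let us use S256."""


def select_code_challenge_method(discovery, assume_s256_if_absent=False):
    """Return the PKCE method to use ("S256") or raise IncompatibleProvider.

    RFC 8414: if code_challenge_methods_supported is omitted, the server
    does not support PKCE.  A strict client therefore rejects such a
    document; assume_s256_if_absent=True is the opt-in fallback the report
    asks for.  We never downgrade to the "plain" method.
    """
    methods = discovery.get("code_challenge_methods_supported")
    if methods is None:
        if assume_s256_if_absent:
            return "S256"
        raise IncompatibleProvider(
            "discovery document omits code_challenge_methods_supported")
    if "S256" in methods:
        return "S256"
    raise IncompatibleProvider(f"S256 not offered; server lists {methods}")


def make_pkce_pair(verifier=None):
    """Return (code_verifier, S256 code_challenge) per RFC 7636 section 4.

    The challenge is BASE64URL(SHA256(ASCII(verifier))) without '=' padding.
    """
    if verifier is None:
        # 64 random bytes -> 86 URL-safe chars, inside the 43..128 range.
        verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(discovery, client_id, redirect_uri, scope, state,
                        assume_s256_if_absent=False, verifier=None):
    """Build the authorization request URL; returns (verifier, url).

    The verifier must be kept by the client and sent on the token request.
    """
    method = select_code_challenge_method(discovery, assume_s256_if_absent)
    verifier, challenge = make_pkce_pair(verifier)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": method,
    }
    return verifier, f"{discovery['authorization_endpoint']}?{urlencode(params)}"


if __name__ == "__main__":
    # Strict mode reproduces the failure in the report; opt-in mode proceeds.
    try:
        build_authorize_url(COGNITO_LIKE_DISCOVERY, "client", "http://127.0.0.1/cb", "openid", "st8")
    except IncompatibleProvider as exc:
        print("strict:", exc)
    _, url = build_authorize_url(COGNITO_LIKE_DISCOVERY, "client", "http://127.0.0.1/cb",
                                 "openid", "st8", assume_s256_if_absent=True)
    print("fallback:", url)
```

The flag is deliberately per call (in a real client it would be per-server configuration) so that the relaxed check applies only to providers an operator has verified actually enforce PKCE on the token endpoint; a client that silently assumed S256 everywhere would lose the signal that a server does not bind the code to the verifier at all.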

This issue has been inactive for 30 days. If the issue is still occurring, please comment to let us know. Otherwise, this issue will be automatically closed in 30 days for housekeeping purposes.

github-actions[bot], Jan 06 '26 10:01

This issue has been automatically closed due to 60 days of inactivity. If you're still experiencing this issue, please open a new issue with updated information.

github-actions[bot], Feb 07 '26 10:02

This issue has been automatically locked since it was closed and has not had any activity for 7 days. If you're experiencing a similar issue, please file a new issue and reference this one if it's relevant.

github-actions[bot], Feb 14 '26 14:02