mcp-remote sometimes missing PKCE code_verifier for Dynamic applications
Problem to solve
On occasion, users are reporting that our PKCE code_verifier is missing when registering an OAuth Application through our mcp_server .
def validate_pkce_for_dynamic_applications
return unless server.client&.application&.dynamic?
return unless params[:code_verifier].blank? # rubocop:disable Rails/StrongParams -- Only accessing a single named param
render json: {
error: 'invalid_request',
error_description: 'PKCE code_verifier is required for dynamic OAuth applications'
}, status: :bad_request
end
Here's an example error trace
[2025-09-18T18:20:00.928Z][88849] Connection error {
errorMessage: 'PKCE code_verifier is required for dynamic OAuth applications',
stack: 'InvalidRequestError: PKCE code_verifier is required for dynamic OAuth applications\n' +
' at parseErrorResponse (file:///Users/terrichu/.local/share/mise/installs/node/23.11.1/lib/node_modules/mcp-remote/dist/chunk-AKJME7CQ.js:12226:12)\n' +
' at process.processTicksAndRejections (node:internal/process/task_queues:105:5)\n' +
' at async refreshAuthorization (file:///Users/terrichu/.local/share/mise/installs/node/23.11.1/lib/node_modules/mcp-remote/dist/chunk-AKJME7CQ.js:12595:11)\n' +
' at async authInternal (file:///Users/terrichu/.local/share/mise/installs/node/23.11.1/lib/node_modules/mcp-remote/dist/chunk-AKJME7CQ.js:12298:25)\n' +
' at async auth (file:///Users/terrichu/.local/share/mise/installs/node/23.11.1/lib/node_modules/mcp-remote/dist/chunk-AKJME7CQ.js:12235:12)\n' +
' at async StreamableHTTPClientTransport.send (file:///Users/terrichu/.local/share/mise/installs/node/23.11.1/lib/node_modules/mcp-remote/dist/chunk-AKJME7CQ.js:13454:26)',
transportType: 'StreamableHTTPClientTransport'
}
[88849] Fatal error: InvalidRequestError: PKCE code_verifier is required for dynamic OAuth applications
at parseErrorResponse (file:///Users/terrichu/.local/share/mise/installs/node/23.11.1/lib/node_modules/mcp-remote/dist/chunk-AKJME7CQ.js:12226:12)
at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
at async refreshAuthorization (file:///Users/terrichu/.local/share/mise/installs/node/23.11.1/lib/node_modules/mcp-remote/dist/chunk-AKJME7CQ.js:12595:11)
at async authInternal (file:///Users/terrichu/.local/share/mise/installs/node/23.11.1/lib/node_modules/mcp-remote/dist/chunk-AKJME7CQ.js:12298:25)
at async auth (file:///Users/terrichu/.local/share/mise/installs/node/23.11.1/lib/node_modules/mcp-remote/dist/chunk-AKJME7CQ.js:12235:12)
at async StreamableHTTPClientTransport.send (file:///Users/terrichu/.local/share/mise/installs/node/23.11.1/lib/node_modules/mcp-remote/dist/chunk-AKJME7CQ.js:13454:26) {
errorUri: undefined
}
[2025-09-18T18:20:00.928Z][88849] Fatal error: InvalidRequestError: PKCE code_verifier is required for dynamic OAuth applications
at parseErrorResponse (file:///Users/terrichu/.local/share/mise/installs/node/23.11.1/lib/node_modules/mcp-remote/dist/chunk-AKJME7CQ.js:12226:12)
at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
at async refreshAuthorization (file:///Users/terrichu/.local/share/mise/installs/node/23.11.1/lib/node_modules/mcp-remote/dist/chunk-AKJME7CQ.js:12595:11)
at async authInternal (file:///Users/terrichu/.local/share/mise/installs/node/23.11.1/lib/node_modules/mcp-remote/dist/chunk-AKJME7CQ.js:12298:25)
at async auth (file:///Users/terrichu/.local/share/mise/installs/node/23.11.1/lib/node_modules/mcp-remote/dist/chunk-AKJME7CQ.js:12235:12)
at async StreamableHTTPClientTransport.send (file:///Users/terrichu/.local/share/mise/installs/node/23.11.1/lib/node_modules/mcp-remote/dist/chunk-AKJME7CQ.js:13454:26) {
errorUri: undefinedCurrent Solution
Running the following rm -rf ~/.mcp-auth resolves the issue but we should investigate why this is occuring.
Edited by 🤖 GitLab Bot 🤖