cimd: tolerate unknown grant_types in client metadata (fix claude.ai outage) #147
Merged
…i outage)

claude.ai's CIMD client metadata document now publishes grant_types: ["authorization_code","refresh_token","urn:ietf:params:oauth:grant-type:jwt-bearer"]. The jwt-bearer entry hit the default branch of the grant_types validator and failed the whole CIMD resolution with "unsupported grant_type", taking every claude.ai connector down at /authorize (ChatGPT unaffected — its client.json lists no extra grants).

The CIMD grant_types array advertises client capability, not what we issue: .well-known/oauth-authorization-server lists only authorization_code and /token rejects everything else, so tolerating unknown entries changes nothing about issued tokens. Require authorization_code to be present; ignore the rest.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01NTbw8cvu8efRe2XqcTSMvo
Problem

claude.ai changed its published CIMD client metadata document to advertise a third grant type:

The grant_types validator in parseCIMDMetadata (cmd/altinity-mcp/cimd.go) had a hard allowlist of {authorization_code, refresh_token} with a default: branch that rejected the entire metadata document on any other entry. Result: every claude.ai connector failed at /oauth/authorize with surfacing client-side as {"error":"invalid_client","error_description":"unknown OAuth client"}. ChatGPT was unaffected (its client.json lists no extra grants). This is the same failure class as the earlier private_key_jwt rejection (#119): a too-strict CIMD parser breaks the moment a first-party client adds a field.

Fix

The CIMD grant_types array advertises client capability, not what we issue. .well-known/oauth-authorization-server only lists authorization_code and /oauth/token returns unsupported_grant_type for everything else, so tolerating unknown entries changes nothing about issued tokens. The default: branch now ignores unknown grant_types; the only retained constraint is that authorization_code must be present.

Tests

TestParseCIMDMetadata_OK updated to carry claude.ai's real 3-element array (incl. jwt-bearer) as a regression guard.
unsupported_grant reject case renamed grant_types_without_authcode — it still rejects, but now because authorization_code is absent, not because the other grant is unknown.
./cmd/altinity-mcp/ suite green.

Deployment

Built arm64 and deployed to the live github-mcp fleet (mcp.demo.altinity.cloud, serving /mcp/antalya + /mcp/github) as fix-cimd-grant-types-99f0e05-arm64. Verified: /authorize with claude.ai's client_id now 302-redirects to Google, and the antalya connector reconnects successfully in claude.ai.

🤖 Generated with Claude Code
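The validator change described in this PR, as an added Go sketch that is not the code in cmd/altinity-mcp/cimd.go: the strict allowlist beside the tolerant check, run over constructed metadata documents. All type, function and error names are hypothetical, and rejecting an absent or empty grant_types array is an assumption of this sketch.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Hypothetical names throughout; only grant_types is modelled.
type clientMetadata struct {
	GrantTypes []string `json:"grant_types"`
}

var errUnsupportedGrant = errors.New("unsupported grant_type")
var errNoAuthCode = errors.New("grant_types must include authorization_code")

// strictGrantTypes: the pre-fix rule as the PR describes it. Any entry
// outside the allowlist rejects the whole metadata document.
func strictGrantTypes(grants []string) error {
	for _, g := range grants {
		switch g {
		case "authorization_code", "refresh_token":
		default:
			return fmt.Errorf("%w: %q", errUnsupportedGrant, g)
		}
	}
	return nil
}

// tolerantGrantTypes: the post-fix rule. Unknown entries are ignored; the
// only constraint is that authorization_code is present. An absent or empty
// array is rejected here, which is an assumption of this sketch.
func tolerantGrantTypes(grants []string) error {
	for _, g := range grants {
		if g == "authorization_code" {
			return nil
		}
	}
	return errNoAuthCode
}

// validate parses a metadata document and applies one of the checks above.
func validate(doc string, check func([]string) error) error {
	var m clientMetadata
	if err := json.Unmarshal([]byte(doc), &m); err != nil {
		return err
	}
	return check(m.GrantTypes)
}

// Constructed sample documents (grant_types array taken from the commit message).
const threeGrants = `{"grant_types":["authorization_code","refresh_token","urn:ietf:params:oauth:grant-type:jwt-bearer"]}`
const noAuthCode = `{"grant_types":["refresh_token","urn:ietf:params:oauth:grant-type:jwt-bearer"]}`

func main() {
	fmt.Println(validate(threeGrants, strictGrantTypes), validate(threeGrants, tolerantGrantTypes), validate(noAuthCode, tolerantGrantTypes))
}
```

The tolerant check is only safe because, as the PR states, the token endpoint enforces which grants are actually issued; the metadata parser is not the enforcement point.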