Cursor not generating valid OAuth authorization URL

Describe the Bug

During the MCP OAuth flow, Cursor does not populate the state and scope parameters in the authorization URL.

Steps to Reproduce

  1. Add MCP Server with OAuth Enabled

Response of unauthenticated request:

HTTP/1.1 401 Unauthorized
www-authenticate: Bearer error="invalid_token", error_description="Authentication required", resource_metadata="http://localhost:8001/.well-known/oauth-protected-resource"

Result: Cursor correctly identifies that the MCP server requires login.

Consequence: Cursor retrieves protected resource metadata and authorization server metadata.

GET /.well-known/oauth-protected-resource

{
  "resource": "http://localhost:8001/",
  "authorization_servers": [
    "http://localhost:8001/"
  ],
  "scopes_supported": [
    "openid",
    "email",
    "profile"
  ],
  "bearer_methods_supported": [
    "header"
  ]
}

GET /.well-known/oauth-authorization-server

{
  "issuer": "https://mydomain.okta.com",
  "authorization_endpoint": "https://mydomain.okta.com/oauth2/v1/authorize",
  "token_endpoint": "https://mydomain.okta.com/oauth2/v1/token",
  "registration_endpoint": "http://localhost:8001/oauth/register",
  "response_types_supported": [
    "code",
    "token",
    "id_token",
    "code id_token",
    "code token",
    "id_token token",
    "code id_token token"
  ],
  "response_modes_supported": [
    "query",
    "fragment",
    "form_post",
    "okta_post_message"
  ],
  "grant_types_supported": [
    "authorization_code",
    "implicit",
    "refresh_token",
    "password",
    "client_credentials",
    "urn:ietf:params:oauth:grant-type:device_code",
    "urn:openid:params:grant-type:ciba",
    "urn:okta:params:oauth:grant-type:otp",
    "http://auth0.com/oauth/grant-type/mfa-otp",
    "urn:okta:params:oauth:grant-type:oob",
    "http://auth0.com/oauth/grant-type/mfa-oob"
  ],
  "subject_types_supported": [
    "public"
  ],
  "scopes_supported": [
    "okta.users.manage",
    "okta.users.manage.self",
    "okta.users.read",
    "okta.users.read.self",
    "okta.linkedObjects.manage",
    "okta.linkedObjects.read",
    "okta.profileMappings.manage",
    "okta.profileMappings.read",
    "okta.userTypes.manage",
    "okta.userTypes.read",
    "okta.clients.manage",
    "okta.clients.register",
    "okta.clients.read",
    "okta.appGrants.manage",
    "okta.appGrants.read",
    "okta.policies.manage",
    "okta.policies.read",
    "okta.groups.manage",
    "okta.groups.read",
    "okta.inlineHooks.manage",
    "okta.inlineHooks.read",
    "okta.eventHooks.manage",
    "okta.eventHooks.read",
    "okta.events.read",
    "okta.logs.read",
    "okta.apps.manage",
    "okta.apps.read",
    "okta.schemas.manage",
    "okta.schemas.read",
    "okta.idps.manage",
    "okta.idps.read",
    "okta.factors.manage",
    "okta.factors.read",
    "okta.riskProviders.manage",
    "okta.riskProviders.read",
    "okta.roles.manage",
    "okta.roles.read",
    "okta.orgs.manage",
    "okta.orgs.read",
    "okta.domains.manage",
    "okta.domains.read",
    "okta.brands.manage",
    "okta.brands.read",
    "okta.sessions.manage",
    "okta.sessions.read",
    "okta.templates.manage",
    "okta.templates.read",
    "okta.trustedOrigins.manage",
    "okta.trustedOrigins.read",
    "okta.threatInsights.manage",
    "okta.threatInsights.read",
    "okta.behaviors.manage",
    "okta.behaviors.read",
    "okta.networkZones.manage",
    "okta.networkZones.read",
    "okta.agentPools.manage",
    "okta.agentPools.read",
    "okta.reports.read",
    "okta.features.manage",
    "okta.features.read",
    "okta.certificateAuthorities.manage",
    "okta.certificateAuthorities.read",
    "okta.principalRateLimits.manage",
    "okta.principalRateLimits.read",
    "okta.rateLimits.manage",
    "okta.rateLimits.read",
    "okta.apiTokens.manage",
    "okta.apiTokens.read",
    "okta.personal.adminSettings.manage",
    "okta.personal.adminSettings.read",
    "openid",
    "email",
    "profile",
    "address",
    "phone",
    "offline_access",
    "groups"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post",
    "client_secret_jwt",
    "private_key_jwt",
    "none"
  ],
  "claims_supported": [
    "ver",
    "jti",
    "iss",
    "aud",
    "iat",
    "exp",
    "cid",
    "uid",
    "scp",
    "sub"
  ],
  "code_challenge_methods_supported": [
    "S256"
  ],
  "introspection_endpoint": "https://mydomain.okta.com/oauth2/v1/introspect",
  "introspection_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post",
    "client_secret_jwt",
    "private_key_jwt",
    "none"
  ],
  "revocation_endpoint": "https://mydomain.okta.com/oauth2/v1/revoke",
  "revocation_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post",
    "client_secret_jwt",
    "private_key_jwt",
    "none"
  ],
  "end_session_endpoint": "https://mydomain.okta.com/oauth2/v1/logout",
  "request_parameter_supported": true,
  "request_object_signing_alg_values_supported": [
    "HS256",
    "HS384",
    "HS512",
    "RS256",
    "RS384",
    "RS512",
    "ES256",
    "ES384",
    "ES512"
  ],
  "device_authorization_endpoint": "https://mydomain.okta.com/oauth2/v1/device/authorize",
  "pushed_authorization_request_endpoint": "https://mydomain.okta.com/oauth2/v1/par",
  "backchannel_token_delivery_modes_supported": [
    "poll"
  ],
  "backchannel_authentication_request_signing_alg_values_supported": [
    "HS256",
    "HS384",
    "HS512",
    "RS256",
    "RS384",
    "RS512",
    "ES256",
    "ES384",
    "ES512"
  ],
  "dpop_signing_alg_values_supported": [
    "RS256",
    "RS384",
    "RS512",
    "ES256",
    "ES384",
    "ES512"
  ]
}

  2. Click on the needs login button

Result: Cursor generates the following authorization URL for the user:

https://mydomain.okta.com/oauth2/v1/authorize?response_type=code
	&client_id=0oa1ma6l88j9T2Tjh358
	&code_challenge=wUXTVKMG2GnPPfvYGpFXX09MLccQlxNmiPX02K_uhaE
	&code_challenge_method=S256
	&redirect_uri=cursor://anysphere.cursor-retrieval/oauth/user-my-mcp/callback
	&resource=http://localhost:8001/

Consequence: My OAuth provider (Okta) does not authenticate the request because it is missing the required scope and state parameters.

Expected Behavior

Cursor should generate a valid authorization URL so the user can authenticate.

Operating System

macOS

Current Cursor Version (Menu → About Cursor → Copy)

Version: 1.2.4
VSCode Version: 1.99.3
Commit: a8e95743c5268be73767c46944a71f4465d05c90
Date: 2025-07-10T16:53:59.659Z
Electron: 34.5.1
Chromium: 132.0.6834.210
Node.js: 20.19.0
V8: 13.2.152.41-electron.0
OS: Darwin arm64 24.5.0

Additional Information

If I manually populate scope and state, the OAuth flow completes correctly and the MCP server proceeds to work.

Does this stop you from using Cursor

Yes - Cursor is unusable
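Added example, not Cursor's code and not part of the report above: it builds the authorization request a client should derive from the two metadata documents in the report (scope taken from the protected resource's scopes_supported, a random state the client must keep and compare on the callback, S256 PKCE, and the RFC 8707 resource indicator) and includes a check that flags what the reported URL is missing. The client id and redirect URI are the ones from the report; the metadata dicts are trimmed to the fields the flow needs.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

PROTECTED_RESOURCE = {  # copied from the report, trimmed to what the flow needs
    "resource": "http://localhost:8001/",
    "scopes_supported": ["openid", "email", "profile"],
}
AUTH_SERVER = {
    "authorization_endpoint": "https://mydomain.okta.com/oauth2/v1/authorize",
    "code_challenge_methods_supported": ["S256"],
}
# The URL Cursor produced in the report, with its line breaks joined.
REPORTED_URL = (
    "https://mydomain.okta.com/oauth2/v1/authorize?response_type=code"
    "&client_id=0oa1ma6l88j9T2Tjh358"
    "&code_challenge=wUXTVKMG2GnPPfvYGpFXX09MLccQlxNmiPX02K_uhaE&code_challenge_method=S256"
    "&redirect_uri=cursor://anysphere.cursor-retrieval/oauth/user-my-mcp/callback"
    "&resource=http://localhost:8001/"
)
# Parameters the report's Okta tenant requires; state is also the CSRF binding to the callback.
REQUIRED = {"response_type", "client_id", "redirect_uri", "scope", "state",
            "code_challenge", "code_challenge_method"}

def code_challenge(verifier):
    """S256 code_challenge for a PKCE code_verifier (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def query_params(url):
    """Query string of url as a dict of single values (blank values dropped)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

def missing_params(url):
    """Sorted names of REQUIRED parameters absent from url."""
    return sorted(REQUIRED - set(query_params(url)))

def build_authorization_url(pr_meta, as_meta, client_id, redirect_uri):
    """Return (url, state, code_verifier); keep state and verifier until the callback."""
    if "S256" not in as_meta.get("code_challenge_methods_supported", []):
        raise ValueError("authorization server does not advertise S256 PKCE")
    verifier, state = secrets.token_urlsafe(48), secrets.token_urlsafe(32)
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state,
              "scope": " ".join(pr_meta["scopes_supported"]),
              "code_challenge": code_challenge(verifier),
              "code_challenge_method": "S256",
              "resource": pr_meta["resource"]}  # RFC 8707 resource indicator
    return as_meta["authorization_endpoint"] + "?" + urlencode(params), state, verifier
```

Running `missing_params(REPORTED_URL)` returns `['scope', 'state']`, the two parameters Okta complained about, while a URL from `build_authorization_url` passes the same check.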


Hi, we are also hitting the same issue with the Cursor client, whereas other clients are working fine. Is there any update on this from the Cursor team?
