MCP OAuth callback fails (Cursor)

If Cursor fails to complete OAuth when connecting to IdentityScribe’s MCP channel, the problem is usually one of three: redirect URI mismatch, localhost vs remote Scribe, or the callback never launching Cursor.

Symptom: IdP returns “invalid redirect URI” or “redirect_uri_mismatch” after you sign in.

Cause: Your IdP must allow Cursor’s OAuth callback URI. Cursor uses a custom scheme for callbacks (e.g. cursor:// or similar). The exact URI depends on your Cursor version and configuration.

Steps:

1. In your IdP’s OAuth client settings, add Cursor’s callback URI. Check Cursor’s docs or MCP auth UI for the exact value — it typically looks like cursor://anysphere.cursor-deeplink/oauth/callback or a variant.
2. Ensure no trailing slash, exact case, and no extra query params unless your client requires them.
3. For public clients (no secret), confirm the client is configured as “public” if Cursor uses PKCE.

Symptom: OAuth discovery or token requests fail; IdP shows wrong redirect or “connection refused.”

Cause: Scribe’s OAuth metadata (/.well-known/oauth-authorization-server) includes issuer and token URLs. If Scribe runs remotely but those URLs point to localhost, Cursor (running on your machine) may receive unusable endpoints.

Steps:

1. Set auth.providers.<name>.public-issuer in Scribe config to the URL clients use to reach Scribe (e.g. https://scribe.example.com). This overrides the issuer returned in OAuth discovery.
2. Ensure your IdP’s OAuth client has the correct redirect URI for the environment (localhost vs remote) you’re actually using.
3. If you’re testing with Scribe on localhost, use http://localhost:8080 in your MCP config. If Scribe is remote, use the remote URL — and ensure public-issuer matches it.

Symptom: Browser completes IdP sign-in, but Cursor doesn’t open or reconnect; no error in Cursor.

Cause: The cursor:// deeplink may not be handled, or the browser blocks custom-scheme redirects.

Steps:

1. Confirm Cursor is installed and running before starting the OAuth flow.
2. Try the flow in a different browser — some block or prompt for custom-scheme links.
3. On macOS, ensure Cursor is set as the handler for cursor:// (System Settings → Apps → Default apps for URLs, or reinstall Cursor).
4. If using a reverse proxy, ensure it does not rewrite or strip the redirect URL.

If OAuth keeps failing, you can bypass it temporarily using ROPC or LDAP bind. Configure auth.methods to include ropc or ldap, then use username:password in your MCP client. This is less secure than OAuth — use only for local or low-risk environments.

• MCP Channel — Setup and authentication
• Authentication — Bearer, ROPC, LDAP
• Auth configuration reference — public-issuer and OAuth settings