Currently oauth-mcp-proxy rejects non-HTTP(S) redirect URIs here:
```go
// https://github.com/tuannvm/oauth-mcp-proxy/blob/main/handlers.go#L372
if redirectURI.Scheme != "http" && redirectURI.Scheme != "https" {
    ...
}
```
This works for VS Code flows but breaks Cursor MCP authentication because Cursor uses a native-app callback URI like:
cursor://anysphere.cursor-mcp/oauth/callback
Custom URI schemes are standard for OAuth native applications and are explicitly covered by RFC 8252 (OAuth 2.0 for Native Apps).
Suggested change
Instead of only allowing http/https, consider:
- allowing configurable custom schemes (cursor, vscode, etc.)
- or implementing RFC8252-style validation:
  - allow https
  - allow localhost loopback http://127.0.0.1
  - allow explicitly allowlisted custom schemes
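
One way the RFC 8252-style validation listed above could look, as an added Go example (not code from oauth-mcp-proxy or from the issue author). The function name `validateRedirectURI`, the `allowedCustomSchemes` allowlist and the sample URIs are assumptions made for illustration; the fragment check and the IP-literal-only loopback rule go slightly beyond the list.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
)

// Hypothetical allowlist; a real deployment would load this from configuration.
var allowedCustomSchemes = map[string]bool{"cursor": true, "vscode": true}

// validateRedirectURI accepts https, plain http to a loopback IP literal,
// and explicitly allowlisted custom schemes. Everything else is rejected.
func validateRedirectURI(raw string) error {
	u, err := url.Parse(raw) // url.Parse lower-cases the scheme
	if err != nil {
		return fmt.Errorf("unparseable redirect URI: %w", err)
	}
	if u.Fragment != "" {
		return fmt.Errorf("redirect URI must not contain a fragment")
	}
	switch {
	case u.Scheme == "https" && u.Hostname() != "":
		return nil
	case u.Scheme == "http":
		// Only IP literals count as loopback here: RFC 8252 section 8.3
		// recommends 127.0.0.1 / [::1] over the name "localhost".
		if ip := net.ParseIP(u.Hostname()); ip != nil && ip.IsLoopback() {
			return nil
		}
		return fmt.Errorf("plain http is only allowed for loopback, got host %q", u.Hostname())
	case allowedCustomSchemes[u.Scheme]:
		return nil
	}
	return fmt.Errorf("redirect URI %q is not allowed", raw)
}

func main() {
	for _, raw := range []string{ // constructed sample inputs
		"cursor://anysphere.cursor-mcp/oauth/callback",
		"http://127.0.0.1:53682/callback",
		"http://127.0.0.1.example.net/callback",
		"ftp://example.com/callback",
	} {
		fmt.Printf("%-45s -> %v\n", raw, validateRedirectURI(raw))
	}
}
```
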