What I want:
Please allow http//localhost and http//127.0.0.1 (loopback) redirect URIs when registering Asana OAuth apps — with any port, or a configurable port range.
Why this matters:
Native desktop and CLI applications increasingly use OAuth 2.0 with loopback redirects as described in RFC 8252 - OAuth 2.0 for Native Apps. This is the recommended standard for native apps and is supported by most major OAuth providers including Google, GitHub, Microsoft, Slack, Notion, and Linear.
Today, Asana OAuth apps only accept:
- HTTPS URLs (web apps)
- urn:ietf:wg:oauth:2.0:oob (traditional out-of-band flow)
The oob flow is being phased out across the industry (Google deprecated it in 2022) because it requires users to manually copy/paste authorization codes, which is error-prone and creates security risks. Modern CLI tools use a local HTTP server on a loopback address to receive the callback automatically — this is more secure (the code never leaves the user’s machine) and much better UX.
Concrete problem I hit:
I tried connecting Anthropic’s Claude Code (a CLI coding assistant) to Asana’s MCP server (https//mcp.asana.com/v2/mcp). Claude Code spins up a local server on http//localhost:/callback for the OAuth callback. Asana rejects this redirect URI, so the integration cannot complete. The same Asana MCP works fine in Claude Desktop because it uses a server-side redirect hosted by Anthropic.
This blocks any developer using a CLI-based AI tool (Claude Code, Cursor CLI, Codex CLI, etc.) from connecting to Asana’s MCP server. Full details of my debugging and the existing Community post from Asana support are here:
What loopback redirect support looks like (per RFC 8252):
- Accept any http//127.0.0.1:* or http//localhost:* redirect URI for registered native apps
- Ignore the port at registration time (native apps often bind to a random free port)
- Keep HTTPS enforcement for web apps (no change there)
- oob can remain as a legacy option
Impact:
With AI coding assistants rapidly becoming standard developer tooling, this limitation significantly reduces Asana’s reach in the developer ecosystem. Supporting loopback redirects is a small change with a big payoff — it unblocks every CLI OAuth client, not just Claude Code.
Thanks for considering! Happy to provide more technical detail or test a beta if helpful.
Remark: I had to remove the colons after https: because I am only allowed to post 2 links.
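
As an added illustration, not part of the original post and not Asana's code: a request-time redirect URI check that follows the loopback rules listed in the request (any port for loopback URIs of native apps, exact match for everything else). The function names, the `native_app` flag and the sample registrations are assumptions made for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample registrations (hypothetical apps, not real Asana data).
NATIVE = ["http://127.0.0.1/callback", "http://localhost/callback"]
WEB = ["https://app.example.test/oauth/callback"]

def is_loopback_http(uri):
    """Return the parsed URI if it is http:// on localhost or a loopback IP literal, else None."""
    try:
        parts = urlsplit(uri)
        parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        return None
    if parts.scheme != "http" or parts.username or parts.password or parts.fragment:
        return None
    host = parts.hostname or ""
    if host != "localhost":
        try:
            if not ipaddress.ip_address(host).is_loopback:
                return None
        except ValueError:
            return None  # a DNS name such as 127.0.0.1.example.test, not an IP literal
    return parts

def redirect_allowed(requested, registered_uris, native_app):
    """Request-time check of redirect_uri against the URIs registered for the app."""
    if requested in registered_uris:
        return True  # exact match: HTTPS web URIs and oob behave as before
    if not native_app:
        return False  # web apps get no port flexibility
    req = is_loopback_http(requested)
    if req is None:
        return False
    for candidate in registered_uris:
        reg = is_loopback_http(candidate)
        # Same host, path and query; the port is deliberately not compared.
        if reg and (reg.hostname, reg.path, reg.query) == (req.hostname, req.path, req.query):
            return True
    return False

if __name__ == "__main__":
    for uri in ("http://127.0.0.1:49152/callback", "http://127.0.0.1.example.test:49152/callback"):
        print(uri, redirect_allowed(uri, NATIVE, native_app=True))
```

The host is compared as a parsed IP literal or the exact name `localhost`, never by string prefix, so a look-alike DNS name or a userinfo trick does not pass as loopback.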