summaryrefslogtreecommitdiff
path: root/deploy
diff options
context:
space:
mode:
authorTom Flux <tom@tomflux.xyz>2026-06-23 21:40:02 +0100
committerTom Flux <tom@tomflux.xyz>2026-06-23 21:41:41 +0100
commit9928a4a09766d994a7497d3a6152315c52fece90 (patch)
treecb7c425b70bf129941aad8a8890efac53f0da7f5 /deploy
parent4ddad857e9a7b7023177e6913a725ffced741683 (diff)
nginx: 404 the .well-known/ OAuth probes for the MCP connector
claude.ai's custom-connector flow probes /.well-known/oauth-* during setup. The catch-all 301 -> /app/ made those return the Kitchen login page (200), so claude.ai mistook it for an OAuth sign-in service, tried Dynamic Client Registration, and failed. Returning 404 makes it treat the server as authless and connect. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Diffstat (limited to 'deploy')
-rw-r--r--deploy/food.tomflux.xyz.nginx7
1 files changed, 7 insertions, 0 deletions
diff --git a/deploy/food.tomflux.xyz.nginx b/deploy/food.tomflux.xyz.nginx
index 0d4a357..87172cc 100644
--- a/deploy/food.tomflux.xyz.nginx
+++ b/deploy/food.tomflux.xyz.nginx
@@ -44,6 +44,13 @@ server {
proxy_read_timeout 3600s;
}
+ # OAuth-discovery probes MUST 404, not fall through to the /app/ login
+ # redirect. Otherwise claude.ai's connector flow sees the login page at
+ # /.well-known/oauth-* , thinks the server has an OAuth sign-in service,
+ # tries Dynamic Client Registration, and fails ("Couldn't register with
+ # ... sign-in service"). A 404 here makes it treat the server as authless.
+ location /.well-known/ { return 404; }
+
location / {
return 301 /app/;
}