Troubleshooting

Common failures when connecting Claude Desktop, Codex, or Gemini CLI to the Kloudfuse MCP server, and how to resolve them.

Error: invalid_redirect_uri after sign-in

The user signs in successfully against the Kloudfuse SSO page, but the AI client then surfaces an invalid_redirect_uri error and the connection fails.

Cause — The client’s OAuth callback URL is not on the cluster’s MCPConnector.AllowedRedirectURIs allowlist. Dynamic Client Registration (RFC 7591) lets the client register without prior approval, but the authorization server rejects any redirect_uri not on the allowlist.

Fix — The cluster’s UMS chart ships a default allowlist that covers all supported clients out of the box:

user-mgmt-service:
  config:
    MCPConnector:
      AllowedRedirectURIs:
        - "http://localhost:*"                             # Codex / Gemini CLI (loopback)
        - "http://127.0.0.1:*"                             # Same, IPv4 literal
        - "https://claude.ai/api/mcp/auth_callback"        # Claude Desktop / Claude web
        - "https://claude.com/api/mcp/auth_callback"       # Same, .com TLD

Look for user-mgmt-service.config.MCPConnector.AllowedRedirectURIs in your custom_values.yaml. If you previously narrowed the list, either:

  • Add the missing URI to that block and re-run helm upgrade kfuse …​, or

  • Remove the entire MCPConnector block from your override so the chart’s default applies.

See also Customize the redirect URI allowlist for context on when you might want to keep an override.

Wildcard ports (*) on the loopback entries are required because the CLI clients bind a random ephemeral port for the OAuth callback. Removing them locks out CLI clients even if the rest of the loopback URI matches.
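A pre-flight check for a narrowed override, as an added example (not Kloudfuse code): it tests callback URLs against an allowlist before you run helm upgrade. The matching rules are an assumption, since this page does not specify them: a `:*` entry accepts any explicit numeric port and any path on exactly that scheme and host, and every other entry must match exactly. The client callback ports and paths and the `.example` hosts are constructed.

```python
from urllib.parse import urlsplit

# Chart default allowlist, copied from the values block on this page.
DEFAULT_ALLOWLIST = [
    "http://localhost:*",
    "http://127.0.0.1:*",
    "https://claude.ai/api/mcp/auth_callback",
    "https://claude.com/api/mcp/auth_callback",
]

def matches(pattern, redirect_uri):
    """Assumed semantics: ':*' is a port wildcard only; all else is exact."""
    try:
        u = urlsplit(redirect_uri)
        port = u.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        return False
    if u.username is not None or u.fragment:
        return False  # userinfo or a fragment never belongs in a callback URL
    p = urlsplit(pattern)
    if p.netloc.endswith(":*"):
        # The wildcard covers the port only: scheme and host stay exact,
        # so a hostname that merely starts with "localhost" does not match.
        host = p.netloc[:-2].lower()
        return u.scheme == p.scheme and u.hostname == host and port is not None
    return redirect_uri == pattern

def rejected(allowlist, redirect_uris):
    """Return the URIs that no allowlist entry accepts, in input order."""
    return [u for u in redirect_uris if not any(matches(p, u) for p in allowlist)]

# Constructed samples: CLI callbacks on random ephemeral ports, plus Claude.
CLIENT_CALLBACKS = [
    "http://localhost:53682/callback",
    "http://127.0.0.1:40123/oauth/callback",
    "https://claude.ai/api/mcp/auth_callback",
]
# Constructed override that dropped the loopback entries.
NARROWED = ["https://claude.ai/api/mcp/auth_callback"]
# Constructed negative cases the port wildcard must not let through.
LOOKALIKES = [
    "http://localhost:1234@not-kloudfuse.example/cb",
    "http://localhost.not-kloudfuse.example:8080/cb",
    "http://localhost:80abc/cb",
]

if __name__ == "__main__":
    for name, allow in (("default", DEFAULT_ALLOWLIST), ("narrowed", NARROWED)):
        print(name, "rejects:", rejected(allow, CLIENT_CALLBACKS))
```

Any URI printed for your own list is one that would hit invalid_redirect_uri under these assumed rules.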