Description
Operating System
MacOS 15.6.1
Kiro Version
0.5.9
Bug Description
When authenticating with a remote MCP server that contains query parameters in the URL, Kiro attempts to open the browser to an invalid URL where the OAuth resource has been URI-encoded twice, causing authorization to fail on the server.
Steps to Reproduce
Configure the Supabase MCP server in read-only mode:
In the MCP Servers view click to "Authenticate" the Supabase server.
When prompted, click to "Open" the authorization URL.
The browser opens a URL with a double encoded '?' in the resource parameter:
https://api.supabase.com/v1/oauth/authorize?resource=https://mcp.supabase.com/mcp%253Fread_only=true&...
Running the following in a JavaScript environment shows the '?' is encoded twice:
decodeURIComponent(
decodeURIComponent("%253F")
)
// result: '?'

This causes the authentication flow to fail:
Expected Behavior
I expect the browser to open a URL containing a resource query parameter that is encoded only once:
https://api.supabase.com/v1/oauth/authorize?resource=https%3A%2F%2Fmcp.supabase.com%2Fmcp%3Fread_only%3Dtrue&...
I expect authentication with https://mcp.supabase.com/mcp?read_only=true to succeed.
Conversation ID
No response
Additional Context
References
RFC 8707 makes a note that while query components are discouraged in resource URIs, they should still be supported.
It SHOULD NOT include a query component, but it is recognized that there are cases that make a query component a useful and necessary part of the resource parameter
Notes
- If I instead "Copy" the URL in the prompt instead of "Open", a correctly encoded resource URI is copied. It's only when I "Open" the URL that authentication fails.
- For comparison, Cursor encodes this as resource=https%3A%2F%2Fmcp.supabase.com%2Fmcp%3Fread_only%3Dtrue
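The encoding difference described in this report, as an added example that is not part of the original issue and not Kiro's code: it builds the authorization URL with the resource escaped exactly once, then audits a URL by decoding the resource parameter once and comparing it with the configured MCP server URL. The function names are hypothetical, and the double-escaping builder is an assumed failure pattern, not the confirmed cause.

```javascript
// Added example. The endpoint and resource values are the ones quoted in the
// report; function names are hypothetical and not taken from Kiro.
const AUTHORIZE_ENDPOINT = "https://api.supabase.com/v1/oauth/authorize";
const RESOURCE = "https://mcp.supabase.com/mcp?read_only=true";

// Encode once: hand the raw value to URLSearchParams and let it do the escaping.
function buildAuthorizeUrl(endpoint, params) {
  const url = new URL(endpoint);
  for (const [name, value] of Object.entries(params)) {
    url.searchParams.set(name, value);
  }
  return url.toString();
}

// Assumed failure pattern (not confirmed as Kiro's cause): the value is
// escaped by hand and then escaped again by the URL API.
function buildAuthorizeUrlEncodedTwice(endpoint, params) {
  const escaped = {};
  for (const [name, value] of Object.entries(params)) {
    escaped[name] = encodeURIComponent(value);
  }
  return buildAuthorizeUrl(endpoint, escaped);
}

// Decode the resource parameter once, as the authorization server would, and
// report percent-escapes that survive. Heuristic: a resource URI can contain
// legitimate escapes, so the comparison with the configured URL is the real check.
function auditResource(authorizeUrl, configuredResource) {
  const once = new URL(authorizeUrl).searchParams.get("resource");
  if (once === null) return { status: "missing" };
  if (once === configuredResource) return { status: "ok", resource: once };
  const residual = once.match(/%[0-9A-Fa-f]{2}/g) || [];
  let twice = null;
  try { twice = decodeURIComponent(once); } catch { /* not valid escapes */ }
  const status = residual.length > 0 && twice === configuredResource
    ? "double-encoded" : "mismatch";
  return { status, resource: once, residual };
}

// The two URLs from the report, without the parameters the report elides.
const OBSERVED = AUTHORIZE_ENDPOINT + "?resource=https://mcp.supabase.com/mcp%253Fread_only=true";
const EXPECTED = AUTHORIZE_ENDPOINT + "?resource=https%3A%2F%2Fmcp.supabase.com%2Fmcp%3Fread_only%3Dtrue";

console.log(auditResource(OBSERVED, RESOURCE));
console.log(auditResource(EXPECTED, RESOURCE));
console.log(auditResource(buildAuthorizeUrlEncodedTwice(AUTHORIZE_ENDPOINT, { resource: RESOURCE }), RESOURCE));
```

A check like this fits a regression test around the code path that opens the browser, since the report shows the "Copy" path producing a different URL from the "Open" path.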