Oauth2 callback error: Missing client_id

Describe the problem/error/question

When I link my account using the mcp OAuth2 credential and successfully authorize, it automatically redirects to the /rest/oauth2-credential/callback address, but the page displays missing parameters

Error: Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method).

{"error":"invalid_client","error_description":"Missing client_id"}

Failed to connect. The window can be closed now.

What is the error message (if any)?

Error: Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method).

{"error":"invalid_client","error_description":"Missing client_id"}

Failed to connect. The window can be closed now.

Please share your workflow

(Select the nodes on your canvas and use the keyboard shortcuts CMD+C/CTRL+C and CMD+V/CTRL+V to copy and paste the workflow.)

image978×505 16.6 KB

image933×589 14.8 KB

Share the output returned by the last node

Information on your n8n setup

• n8n version: 2.2.4
• Database (default: SQLite): SQLite
• n8n EXECUTIONS_PROCESS setting (default: own, main):own
• Running n8n via (Docker, npm, n8n cloud, desktop app):desktop app
• Operating system: windows

ensure there are no extra spaces in your client ID

Yes, I can use the same configuration in MCP Inspector, but I’m not sure why it fails in n8n

Is your n8n instance available on the web, like can other services contact it?

Yes, both the n8n deployed on the public network and the locally deployed n8n encountered the same error. This error occurred after the callback URL of n8n was called back, and it was responded by the callback URL of n8n. I think it may be caused by the different placement of parameters when requesting a token in the n8n callback program

Since this is OpenID Connect, invalid_client: Missing client_id almost always means the token endpoint didn’t receive client authentication in the required form (Basic header vs body), or the client type (public PKCE vs confidential) doesn’t match.

If you tell me which OIDC provider (Keycloak, Azure AD, Auth0, Okta, Google, etc.), I can tell you the most likely correct combo (public/confidential + header/body + PKCE) for that provider.

I am linking to n8n docs MCP: https://n8n.mcp.kapa.ai/
Grant Type: PKCE
Authorization URL: https://mcp.kapa.ai/auth/google/authorize
Access Token URL: https://mcp.kapa.ai/auth/google/token
Client ID and Secret through https://mcp.kapa.ai/auth/google/register register

For https://mcp.kapa.ai/auth/google/* with Grant Type = PKCE, the most likely correct setup is public-client PKCE: set Authentication = Body, send token request as x-www-form-urlencoded, and often no client_secret (client_id must be in the POST body along with code_verifier).
If that fails, try the confidential variant: keep PKCE, set client_secret, Authentication = Header (Basic).
If both variants still return invalid_client: Missing client_id (while MCP Inspector works), that strongly suggests n8n’s MCP OAuth2 credential is omitting or misplacing client_id in the token exchange.

AFAIK, This will not work with the built-in OAuth2 setup because Kapa handles authentication via Google Sign-In (OpenID Connect),

If you’ve linked this MCP via inspector you can inspect the authentication step by step and replicate it in n8n workflow,

You’ll need to get a client ID and create the authorization URL (code_challenge), use a webhook to receive the code, then use it to get the authorization code, and then handle refresh tokens, and bearer token updates.. (any mistake in this will destroy it all )

I’ve already built this in a workflow, but I haven’t shared it, tbh it requires a lot of explanation and the setup looks a bit ugly that nobody understands it except me😅 I’m too lazy to clean it up rn,

I’ll share it once I organize it, or hopefully someone else will make it..