MCP: 'Clear Authentication' / 'Reauthenticate' button doesn't clear OAuth state for HTTP MCP servers

Resolved 💬 4 comments Opened Apr 1, 2026 by ameliariely Closed May 9, 2026

Description

When clicking "Clear Authentication" or "Reauthenticate" on an HTTP MCP server with OAuth 2.1 authentication (Streamable HTTP transport), the button flashes but the authentication state is not cleared. The server remains connected with the old token.

Related: #10915 (closed for inactivity after 7 days)

Steps to reproduce

  1. Add an HTTP MCP server with OAuth authentication (e.g., http://localhost:8086/mcp)
  2. Complete the OAuth flow successfully
  3. Go to MCP settings (/mcp)
  4. Click "Clear Authentication" on the server
  5. The button flashes but the server remains authenticated
  6. Clicking "Reauthenticate" also flashes with no effect

Investigation findings

We verified via server logs that when "Clear Authentication" is clicked:

  • No DELETE /mcp request is sent (MCP spec session termination)
  • No POST to revocation_endpoint is sent (RFC 7009)
  • No /.well-known/oauth-protected-resource is fetched
  • The client just continues sending normal GET/POST to /mcp with the old token

The server correctly implements:

  • /.well-known/oauth-protected-resource (RFC 9728)
  • revocation_endpoint in auth server metadata (matching Linear's pattern)
  • Token revocation handler (RFC 7009)
  • Bearer store cleanup on DELETE and tokenless reconnect

Tested with curl: the deauth flow works when the client actually sends DELETE or reconnects without a token.

Expected behavior

Clicking "Clear Authentication" should disconnect the MCP session and require re-authentication.

Workaround

Remove the MCP server entirely and re-add it.

Environment

  • Claude Code VS Code extension v2.1.89
  • HTTP MCP server with OAuth 2.1 (Streamable HTTP transport)

View original on GitHub ↗

This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗