Feature request: Support OIDC end_session_endpoint #1046

@akriaueno

Summary

In MCP Inspector, the "Clear OAuth State" action removes locally stored OAuth state (tokens / discovered metadata), but it does not end the user’s OpenID Connect SSO session at the Identity Provider (i.e., it does not invoke the OIDC end_session_endpoint).

This is not necessarily a bug — but the current behavior makes it hard to reliably test "sign out / switch user" flows when an IdP session remains active.

Why this matters

When testing MCP servers protected by an OIDC-capable IdP (e.g., Keycloak, Auth0, etc.), clearing local tokens is not equivalent to logging out of the IdP session:

  • Re-authentication may silently reuse the active IdP SSO session (no login prompt).
  • User-switching tests can be unreliable (you can end up as the same user again).

Context

MCP Authorization defines OAuth-based authorization for MCP servers, but it does not define a protocol-level logout/sign-out operation. Logout is typically handled at the client UX level and/or by the IdP.

Since Inspector performs interactive login flows in the browser, it would be helpful to clarify what Inspector intends to support (or explicitly not support) regarding IdP session logout.

Current behavior

  1. Complete an OAuth/OIDC login via Inspector (user is authenticated).
  2. Click "Clear OAuth State".
  3. Connect again.
  4. The IdP session is still active, so the browser returns to the app without a fresh login prompt.

Desired behavior

(A) Add an optional "OIDC Logout" action (only when end_session_endpoint is available via OIDC discovery), OR
(B) Keep "Clear OAuth State" as local-only but document clearly that it does not log out of the IdP SSO session. (plus any recommended workarounds?)

Proposed UX (if A is acceptable)

  • Keep existing "Clear OAuth State" semantics as local-only.
  • Add a separate, explicit button such as "Logout from IdP (OIDC)" when end_session_endpoint is present.
  • Clicking it would navigate (top-level) to end_session_endpoint (best-effort).
    • If an id_token is available, include id_token_hint.
    • Optionally support post_logout_redirect_uri (may require IdP configuration).

Environment

  • Inspector version: v0.19.0
  • Browser: Google Chrome 144
  • IdP: Keycloak 26.4.2
  • Auth flow: Authorization Code + PKCE
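The proposed "Logout from IdP (OIDC)" action, written out as an added example (this is not MCP Inspector code and not the reporter's). It shows the two behaviours the issue contrasts: a local-only "Clear OAuth State" that only touches client storage, and an RP-initiated logout URL built from the discovery document (end_session_endpoint plus id_token_hint, post_logout_redirect_uri and state), returning null when the IdP advertises no end_session_endpoint so the button can be hidden. The discovery document, issuer URL, id_token value and redirect URI are all constructed for the example.

```javascript
// Added example, not MCP Inspector code. Builds an OIDC RP-Initiated Logout
// URL from a discovery document, as the proposed "Logout from IdP" button
// would, and contrasts it with a local-only "Clear OAuth State".
// All sample data below is constructed; the issuer URL is hypothetical.

// Return the end_session_endpoint as a string, or null when the IdP does not
// advertise RP-initiated logout (the button should then not be shown).
function getEndSessionEndpoint(discovery) {
  const ep = discovery && discovery.end_session_endpoint;
  if (typeof ep !== "string" || ep.length === 0) return null;
  let url;
  try { url = new URL(ep); } catch { return null; }
  // Never navigate (with an id_token in the query string) to a non-https endpoint.
  if (url.protocol !== "https:") return null;
  return url.toString();
}

// Build the top-level navigation URL for a best-effort logout.
// idToken, postLogoutRedirectUri, state and clientId are all optional.
// Caveat: post_logout_redirect_uri must be registered at the IdP, and some
// IdPs (Keycloak among them) only honour it together with id_token_hint or
// client_id, which is the "may require IdP configuration" point in the issue.
function buildLogoutUrl(discovery, { idToken, postLogoutRedirectUri, state, clientId } = {}) {
  const endpoint = getEndSessionEndpoint(discovery);
  if (!endpoint) return null;
  const url = new URL(endpoint);
  if (idToken) url.searchParams.set("id_token_hint", idToken);
  if (clientId) url.searchParams.set("client_id", clientId);
  if (postLogoutRedirectUri) {
    url.searchParams.set("post_logout_redirect_uri", postLogoutRedirectUri);
    // state is echoed back on the post-logout redirect so the client can
    // match the return to the session that started the logout.
    if (state) url.searchParams.set("state", state);
  }
  return url.toString();
}

// Local-only "Clear OAuth State": drops tokens and discovered metadata from
// client storage and nothing else. The IdP SSO cookie is untouched, which is
// exactly why a later connect can skip the login prompt.
function clearLocalOAuthState(storage) {
  for (const key of ["access_token", "refresh_token", "id_token", "oidc_discovery"]) {
    storage.delete(key);
  }
  return storage.size; // number of unrelated entries left behind
}

// Constructed discovery document for a hypothetical Keycloak realm.
const SAMPLE_DISCOVERY = {
  issuer: "https://idp.example.com/realms/demo",
  authorization_endpoint: "https://idp.example.com/realms/demo/protocol/openid-connect/auth",
  token_endpoint: "https://idp.example.com/realms/demo/protocol/openid-connect/token",
  end_session_endpoint: "https://idp.example.com/realms/demo/protocol/openid-connect/logout",
};

// Same issuer with no RP-initiated logout support: buildLogoutUrl returns null.
const SAMPLE_DISCOVERY_NO_LOGOUT = {
  issuer: SAMPLE_DISCOVERY.issuer,
  authorization_endpoint: SAMPLE_DISCOVERY.authorization_endpoint,
};

function demo() {
  console.log(buildLogoutUrl(SAMPLE_DISCOVERY, {
    idToken: "eyJ.constructed.idtoken",          // constructed, not a real JWT
    postLogoutRedirectUri: "http://localhost:6274/", // constructed redirect target
    state: "abc123",
  }));
  console.log(buildLogoutUrl(SAMPLE_DISCOVERY_NO_LOGOUT, {}));
}
demo();
```

Clicking the button would assign the returned URL to `window.location` (a top-level navigation, not a fetch), since the IdP needs the browser's own session cookie to end the SSO session.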
