Claude.ai MCP Authentication Issue - Web UI Bug Report #873

@plappag

Description

Executive Summary

Critical Issue: Claude.ai web UI has a broken disconnect/reconnect flow for MCP servers that permanently prevents reauthentication, while mobile works perfectly with identical server implementation.

Impact: Users cannot recover from authentication issues on web platforms - they become permanently locked out of MCP services.


Issue Classification

  • Severity: High (permanent service unavailability)
  • Platform: Web UI only (desktop app + browser)
  • Component: MCP authentication state management
  • Type: Client-side regression/bug

Reproduction Steps

Working Flow (Mobile Claude.ai ✅)

  1. Connect to MCP server → Success
  2. Disconnect service → Actually disconnects with visual feedback
  3. Attempt reconnect → Properly initiates OAuth flow
  4. Complete authentication → Back to working state

Broken Flow (Web UI ❌)

  1. Connect to MCP server → Success (initial connection works)
  2. Try to disconnect/remove service → No visual feedback, unclear if action processed
  3. Attempt to reconnect → Gets 401 responses but OAuth flow never starts
  4. Result: Permanently stuck, cannot reauthenticate

Technical Analysis

Server Implementation (Confirmed Working)

  • ✅ RFC-compliant 401 responses with proper WWW-Authenticate headers
  • ✅ Valid OAuth 2.1 + PKCE implementation
  • ✅ Correct OAuth metadata endpoints
  • Same server works perfectly on mobile (proves server implementation is correct)

Client-Side Hypothesis

The web UI appears to have a state management bug where:

  1. Disconnect action doesn't properly clear authentication state
  2. Subsequent 401 responses don't trigger OAuth initiation
  3. Client remains in a "half-connected" state that blocks reauthentication

Evidence Supporting Web UI Bug

| Platform | Initial Connect | Disconnect | Reconnect | OAuth Flow |
| --- | --- | --- | --- | --- |
| Mobile | ✅ Works | ✅ Works | ✅ Works | ✅ Triggers |
| Web UI | ✅ Works | ❌ Silent failure | ❌ Fails | ❌ Never triggers |

Key Evidence: Identical server behavior produces different client results across platforms.


Root Cause Analysis

Likely Web UI Issues:

  1. Incomplete state reset during disconnect operation
  2. Missing OAuth trigger logic when receiving 401 after failed disconnect
  3. Client-side authentication cache not being cleared
  4. Event handler registration issues preventing proper reconnection flow

Not Server Issues:

  • Mobile success proves server OAuth implementation is correct
  • Same 401 responses handled differently by different clients
  • Server-side logs likely show proper authentication challenges being sent

Immediate Impact

  • User Experience: Permanent lockout from MCP services on primary web platform
  • Developer Impact: Users blame MCP server developers for client-side bugs
  • Adoption Risk: Hesitancy to use MCP services due to unreliable connection management

Requested Actions

For Anthropic Engineering Team:

  1. Investigate web UI disconnect/remove functionality - appears to be silently failing
  2. Review OAuth flow initiation logic in web UI after 401 responses
  3. Compare authentication state management between mobile and web implementations
  4. Add proper visual feedback for disconnect operations
  5. Implement state cleanup to ensure reauthentication is possible

For MCP Server Developers (Interim):

  1. Document the web UI limitation in user guides
  2. Recommend mobile app usage for connections requiring frequent reconnection
  3. Consider implementing connection health checks to detect stuck states
  4. Provide clear troubleshooting steps for affected users

Testing Recommendations

To Reproduce:

  1. Set up any MCP server with OAuth authentication
  2. Connect via Claude.ai web UI
  3. Attempt to disconnect/remove the service
  4. Try to reconnect
  5. Observe: No OAuth flow initiated, permanent 401 responses

To Verify Fix:

  1. Ensure disconnect provides visual feedback
  2. Confirm authentication state is properly cleared
  3. Verify 401 responses trigger OAuth flow initiation
  4. Test complete reconnection cycle works

Workaround for Users

Current Solution: Use Claude.ai mobile app for any MCP connections that might need to be disconnected and reconnected.

Why This Works: Mobile client properly handles authentication state management and OAuth flow initiation.


Priority Justification

This issue should be high priority because:

  • It affects the primary user platform (web)
  • It creates permanent service unavailability (not recoverable)
  • It impacts MCP ecosystem adoption
  • The fix likely involves client-side state management (contained scope)

Contact Information

For technical follow-up regarding server-side implementation details or additional testing, please contact the MCP server development team.
