Support mcp connect/logout

ericdallo · ericdallo · commit 57e636d02918 · 2026-03-13T10:36:04.000-03:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,7 @@
 ## Unreleased
 
 - Clarify Task tool prompt for task ordering, task granularity, concurrent starts, and clearing finished task lists.
+- Improve MCP server auth: stop auto-opening browser on OAuth, add `mcp/connectServer` request for client-driven auth and `mcp/logoutServer` notification for clearing credentials.
 - Replace MCP Java SDK with plumcp for MCP client communication. SSE transport is no longer supported (deprecated in MCP spec 2025-03-26).
 - Fix crash on invalid YAML frontmatter in plugin skill files.
 - Show "Waiting subagent" instead of "Calling tool" in progress messages during subagent execution.
diff --git a/docs/protocol.md b/docs/protocol.md
@@ -1953,7 +1953,7 @@ interface MCPServerUpdatedParams {
     /**
      * The status of the server.
      */
-    status: 'running' | 'starting' | 'stopped' | 'failed' | 'disabled';
+    status: 'running' | 'starting' | 'stopped' | 'failed' | 'disabled' | 'requires-auth';
     
     /**
      * The tools supported by this mcp server if not disabled.
@@ -2022,6 +2022,46 @@ interface MCPStartServerParams {
 }
 ```
 
+### Connect MCP server (➡️)
+
+A client notification to initiate OAuth authorization for an MCP server that has `requires-auth` status.
+The server starts a local OAuth callback server and opens the authorization URL in the browser.
+On successful authorization, the server completes the OAuth flow and sends `tool/serverUpdated` with status `running`.
+
+_Notification:_
+
+* method: `mcp/connectServer`
+* params: `MCPConnectServerParams` defined as follows:
+
+```typescript
+interface MCPConnectServerParams {
+    /**
+     * The MCP server name.
+     */
+    name: string;
+}
+```
+
+### Logout MCP server (➡️)
+
+A client notification to logout from an MCP server, clearing its stored OAuth credentials
+and restarting the server. The server will re-detect auth requirements and send
+`tool/serverUpdated` with status `requires-auth`.
+
+_Notification:_
+
+* method: `mcp/logoutServer`
+* params: `MCPLogoutServerParams` defined as follows:
+
+```typescript
+interface MCPLogoutServerParams {
+    /**
+     * The MCP server name.
+     */
+    name: string;
+}
+```
+
 ### Add MCP (↩️)
 
 Soon
diff --git a/src/eca/features/tools.clj b/src/eca/features/tools.clj
@@ -289,6 +289,24 @@
      metrics
      {:on-server-updated (partial notify-server-updated metrics messenger tool-status-fn)})))
 
+(defn connect-server! [name db* messenger config metrics]
+  (let [tool-status-fn (make-tool-status-fn config nil)]
+    (f.mcp/connect-server!
+     name
+     db*
+     config
+     metrics
+     {:on-server-updated (partial notify-server-updated metrics messenger tool-status-fn)})))
+
+(defn logout-server! [name db* messenger config metrics]
+  (let [tool-status-fn (make-tool-status-fn config nil)]
+    (f.mcp/logout-server!
+     name
+     db*
+     config
+     metrics
+     {:on-server-updated (partial notify-server-updated metrics messenger tool-status-fn)})))
+
 (defn tool-call-summary [all-tools full-name args config db]
   (when-let [summary-fn (:summary-fn (first (filter #(= full-name (:full-name %))
                                                     all-tools)))]
diff --git a/src/eca/features/tools/mcp.clj b/src/eca/features/tools/mcp.clj
@@ -176,28 +176,14 @@
     []))
 
 (defn ^:private initialize-mcp-oauth
-  [{:keys [authorization-endpoint callback-port] :as oauth-info}
+  [oauth-info
    server-name
    db*
    server-config
-   {:keys [on-success on-error on-server-updated]}]
-  (oauth/start-oauth-server!
-   {:port callback-port
-    :on-success (fn [{:keys [code]}]
-                  (let [{:keys [access-token refresh-token expires-at]} (oauth/authorize-token! oauth-info code)]
-                    (swap! db* assoc-in [:mcp-auth server-name] {:type :auth/oauth
-                                                                 :url (:url server-config)
-                                                                 :refresh-token refresh-token
-                                                                 :access-token access-token
-                                                                 :expires-at expires-at}))
-                  (oauth/stop-oauth-server! callback-port)
-                  (on-success))
-    :on-error (fn [error]
-                (oauth/stop-oauth-server! callback-port)
-                (on-error error))})
-  (logger/info logger-tag (format "Authenticating MCP server '%s' at '%s'" server-name authorization-endpoint))
-  (swap! db* assoc-in [:mcp-clients server-name] {:status :requires-auth})
-  (browse/browse-url authorization-endpoint)
+   {:keys [on-server-updated]}]
+  (logger/info logger-tag (format "MCP server '%s' requires authentication" server-name))
+  (swap! db* assoc-in [:mcp-clients server-name] {:status :requires-auth
+                                                   :oauth-info oauth-info})
   (on-server-updated (->server server-name server-config :requires-auth @db*)))
 
 (defn ^:private token-expired?
@@ -266,15 +252,7 @@
                                 name
                                 db*
                                 server-config
-                                {:on-server-updated on-server-updated
-                                 :on-success (fn []
-                                               ;; :mcp-auth exists now
-                                               (db/update-global-cache! @db* metrics)
-                                               (initialize-server! name db* config metrics on-server-updated))
-                                 :on-error (fn [error]
-                                             (logger/error logger-tag error)
-                                             (swap! db* assoc-in [:mcp-clients name :status] :failed)
-                                             (on-server-updated (->server name server-config :failed db)))})
+                                {:on-server-updated on-server-updated})
           (let [init-timeout (:mcpTimeoutSeconds config)
                 on-tools-change (fn [tools]
                                   (let [tools (mapv tool->internal tools)]
@@ -354,6 +332,46 @@
       (logger/info logger-tag (format "Starting MCP server %s from manual request despite :disabled=true" name)))
     (initialize-server! name db* config metrics on-server-updated)))
 
+(defn connect-server!
+  "Initiate OAuth authorization for an MCP server that requires auth.
+   Starts the local OAuth callback server and returns the authorization URL."
+  [name db* config metrics {:keys [on-server-updated]}]
+  (let [server-config (get-in config [:mcpServers name])
+        {:keys [oauth-info]} (get-in @db* [:mcp-clients name])]
+    (when (and server-config oauth-info)
+      (let [{:keys [authorization-endpoint callback-port]} oauth-info]
+        (swap! db* assoc-in [:mcp-clients name :status] :starting)
+        (on-server-updated (->server name server-config :starting @db*))
+        (oauth/start-oauth-server!
+         {:port callback-port
+          :on-success (fn [{:keys [code]}]
+                        (let [{:keys [access-token refresh-token expires-at]} (oauth/authorize-token! oauth-info code)]
+                          (swap! db* assoc-in [:mcp-auth name] {:type :auth/oauth
+                                                                :url (:url server-config)
+                                                                :refresh-token refresh-token
+                                                                :access-token access-token
+                                                                :expires-at expires-at}))
+                        (oauth/stop-oauth-server! callback-port)
+                        (db/update-global-cache! @db* metrics)
+                        (initialize-server! name db* config metrics on-server-updated))
+          :on-error (fn [error]
+                      (oauth/stop-oauth-server! callback-port)
+                      (logger/error logger-tag error)
+                      (swap! db* assoc-in [:mcp-clients name :status] :failed)
+                      (on-server-updated (->server name server-config :failed @db*)))})
+        (browse/browse-url authorization-endpoint)))))
+
+(defn logout-server!
+  "Logout from an MCP server by clearing stored OAuth credentials and restarting it."
+  [name db* config metrics {:keys [on-server-updated]}]
+  (when (get-in config [:mcpServers name])
+    (swap! db* update :mcp-auth dissoc name)
+    (db/update-global-cache! @db* metrics)
+    (when (get-in @db* [:mcp-clients name :client])
+      (stop-server! name db* config {:on-server-updated on-server-updated}))
+    (future
+      (initialize-server! name db* config metrics on-server-updated))))
+
 (defn all-tools [db]
   (into []
         (mapcat (fn [[name {:keys [tools version]}]]
diff --git a/src/eca/handlers.clj b/src/eca/handlers.clj
@@ -203,6 +203,14 @@
   (metrics/task metrics :eca/mcp-start-server
     (f.tools/start-server! (:name params) db* messenger config metrics)))
 
+(defn mcp-connect-server [{:keys [db* messenger metrics config]} params]
+  (metrics/task metrics :eca/mcp-connect-server
+    (f.tools/connect-server! (:name params) db* messenger config metrics)))
+
+(defn mcp-logout-server [{:keys [db* messenger metrics config]} params]
+  (metrics/task metrics :eca/mcp-logout-server
+    (f.tools/logout-server! (:name params) db* messenger config metrics)))
+
 (defn ^:private update-agent-model-and-variants!
   "Updates the selected model and variants based on agent configuration."
   [agent-config config messenger db*]
diff --git a/src/eca/server.clj b/src/eca/server.clj
@@ -83,6 +83,12 @@
 (defmethod jsonrpc.server/receive-notification "mcp/startServer" [_ components params]
   (handlers/mcp-start-server (with-config components) params))
 
+(defmethod jsonrpc.server/receive-notification "mcp/connectServer" [_ components params]
+  (handlers/mcp-connect-server (with-config components) params))
+
+(defmethod jsonrpc.server/receive-notification "mcp/logoutServer" [_ components params]
+  (handlers/mcp-logout-server (with-config components) params))
+
 (defmethod jsonrpc.server/receive-notification "chat/selectedAgentChanged" [_ components params]
   (handlers/chat-selected-agent-changed (with-config components) params))
 
