From d27e3d32674bb544b1560d03f0b5e792b2027b6f Mon Sep 17 00:00:00 2001 From: Matt Filbert Date: Wed, 6 May 2026 14:32:19 -0700 Subject: [PATCH 1/3] @W-22047062: reset consent and revoke access doc updates --- docs/docs/configuration/mcp-config/oauth.md | 5 ++ docs/docs/tools/oauth-cleanup-tools.md | 74 +++++++++++++++++++++ 2 files changed, 79 insertions(+) create mode 100644 docs/docs/tools/oauth-cleanup-tools.md diff --git a/docs/docs/configuration/mcp-config/oauth.md b/docs/docs/configuration/mcp-config/oauth.md index 8d6eede7d..5ac2d50be 100644 --- a/docs/docs/configuration/mcp-config/oauth.md +++ b/docs/docs/configuration/mcp-config/oauth.md @@ -511,3 +511,8 @@ The MCP server supports three OAuth 2.1 grant types: - `/Callback`: OAuth callback handler (authorization code only) - `/oauth2/token`: Token exchange and refresh (all grant types) - `/oauth2/revoke`: Token revocation + +For MCP client-facing OAuth cleanup tools, see +[OAuth Cleanup Tools](../../tools/oauth-cleanup-tools.md). For full cleanup, call +[`reset-consent`](../../tools/oauth-cleanup-tools.md#reset-consent) before +[`revoke-access-token`](../../tools/oauth-cleanup-tools.md#revoke-access-token). diff --git a/docs/docs/tools/oauth-cleanup-tools.md b/docs/docs/tools/oauth-cleanup-tools.md new file mode 100644 index 000000000..70395adb5 --- /dev/null +++ b/docs/docs/tools/oauth-cleanup-tools.md 
@@ -0,0 +1,74 @@ +--- +sidebar_position: 6 +--- + +# OAuth Cleanup Tools + +Use these tools when an MCP client or orchestration layer needs to clean up OAuth state for the +current session. Both tools require no input and operate on the authentication context already +associated with the MCP request. Raw access tokens, refresh tokens, JWE tokens, and bearer values are +never exposed to the model. + +For full OAuth cleanup, call [`reset-consent`](#reset-consent) before +[`revoke-access-token`](#revoke-access-token). `reset-consent` needs the current valid bearer token; +revoking the token first invalidates the credential needed to reset consent. + +## `reset-consent` + +Resets saved OAuth consent for the current user on the Tableau authorization server. + +Use `reset-consent` when you need to clear previously granted OAuth consent so the next OAuth +authorization flow prompts the user for consent again. The current MCP session remains valid after +the tool succeeds. + +### Arguments + +This tool requires no input. + +### Supported auth modes + +- **Bearer authentication with Tableau authorization server mode**: supported. The tool calls + `/oauth2/resetConsent` on the configured OAuth issuer using the current bearer token. + +### Unsupported modes and limitations + +- **Embedded authorization server mode**: disabled. The embedded authorization server does not use + the same consent model. +- **Passthrough authentication and other non-Bearer auth modes**: not supported. Session credentials + are managed externally. + +### Side effects + +The current session remains valid, but the next OAuth authorization flow re-prompts the user for +consent. + +## `revoke-access-token` + +Revokes the access token used to authenticate the current MCP session. + +Use `revoke-access-token` when signing a user out of the MCP session, revoking access after +suspicious activity, or performing clean session teardown from an MCP client or orchestration layer. 
+ +### Arguments + +This tool requires no input. + +### Supported auth modes + +- **Bearer authentication with Tableau authorization server mode**: supported. The tool submits the + current Tableau access token to the issuer's `/oauth2/revoke` endpoint. +- **X-Tableau-Auth in embedded authorization server mode**: supported. The tool submits the current + MCP JWE access token to the embedded revocation endpoint, which handles Tableau signout and refresh + token cleanup. + +### Unsupported modes and limitations + +- **Passthrough authentication**: not supported. Session credentials are managed externally. +- Revocation can fail if the authorization server rejects the request, or if the token is already + expired or invalid. + +### Side effects + +The current session or token is revoked. Subsequent Tableau API calls in the same session may fail. +After calling this tool, clients should disconnect from the MCP server and reconnect if they need a +new authenticated session. From caba3a16fa9e035a97a9a19367d63724ad363bb3 Mon Sep 17 00:00:00 2001 From: Matt Filbert Date: Thu, 7 May 2026 20:25:52 -0700 Subject: [PATCH 2/3] revising docs to match convo with george --- docs/docs/configuration/mcp-config/oauth.md | 8 +- docs/docs/tools/oauth-cleanup-tools.md | 74 ------------------- .../tools/token-management/_category_.json | 8 ++ .../tools/token-management/reset-consent.md | 38 ++++++++++ .../token-management/revoke-access-token.md | 39 ++++++++++ 5 files changed, 89 insertions(+), 78 deletions(-) delete mode 100644 docs/docs/tools/oauth-cleanup-tools.md create mode 100644 docs/docs/tools/token-management/_category_.json create mode 100644 docs/docs/tools/token-management/reset-consent.md create mode 100644 docs/docs/tools/token-management/revoke-access-token.md diff --git a/docs/docs/configuration/mcp-config/oauth.md b/docs/docs/configuration/mcp-config/oauth.md index 5ac2d50be..abf669a9f 100644 --- a/docs/docs/configuration/mcp-config/oauth.md 
+++ b/docs/docs/configuration/mcp-config/oauth.md @@ -512,7 +512,7 @@ The MCP server supports three OAuth 2.1 grant types: - `/oauth2/token`: Token exchange and refresh (all grant types) - `/oauth2/revoke`: Token revocation -For MCP client-facing OAuth cleanup tools, see -[OAuth Cleanup Tools](../../tools/oauth-cleanup-tools.md). For full cleanup, call -[`reset-consent`](../../tools/oauth-cleanup-tools.md#reset-consent) before -[`revoke-access-token`](../../tools/oauth-cleanup-tools.md#revoke-access-token). +For MCP client-facing token and consent cleanup, see the +[`reset-consent`](../../tools/token-management/reset-consent.md) and +[`revoke-access-token`](../../tools/token-management/revoke-access-token.md) tools. For full cleanup, +call `reset-consent` before `revoke-access-token`. diff --git a/docs/docs/tools/oauth-cleanup-tools.md b/docs/docs/tools/oauth-cleanup-tools.md deleted file mode 100644 index 70395adb5..000000000 --- a/docs/docs/tools/oauth-cleanup-tools.md +++ /dev/null 
@@ -1,74 +0,0 @@ ---- -sidebar_position: 6 ---- - -# OAuth Cleanup Tools - -Use these tools when an MCP client or orchestration layer needs to clean up OAuth state for the -current session. Both tools require no input and operate on the authentication context already -associated with the MCP request. Raw access tokens, refresh tokens, JWE tokens, and bearer values are -never exposed to the model. - -For full OAuth cleanup, call [`reset-consent`](#reset-consent) before -[`revoke-access-token`](#revoke-access-token). `reset-consent` needs the current valid bearer token; -revoking the token first invalidates the credential needed to reset consent. - -## `reset-consent` - -Resets saved OAuth consent for the current user on the Tableau authorization server. - -Use `reset-consent` when you need to clear previously granted OAuth consent so the next OAuth -authorization flow prompts the user for consent again. The current MCP session remains valid after -the tool succeeds. - -### Arguments - -This tool requires no input. - -### Supported auth modes - -- **Bearer authentication with Tableau authorization server mode**: supported. The tool calls - `/oauth2/resetConsent` on the configured OAuth issuer using the current bearer token. - -### Unsupported modes and limitations - -- **Embedded authorization server mode**: disabled. The embedded authorization server does not use - the same consent model. -- **Passthrough authentication and other non-Bearer auth modes**: not supported. Session credentials - are managed externally. - -### Side effects - -The current session remains valid, but the next OAuth authorization flow re-prompts the user for -consent. - -## `revoke-access-token` - -Revokes the access token used to authenticate the current MCP session. - -Use `revoke-access-token` when signing a user out of the MCP session, revoking access after -suspicious activity, or performing clean session teardown from an MCP client or orchestration layer. 
- -### Arguments - -This tool requires no input. - -### Supported auth modes - -- **Bearer authentication with Tableau authorization server mode**: supported. The tool submits the - current Tableau access token to the issuer's `/oauth2/revoke` endpoint. -- **X-Tableau-Auth in embedded authorization server mode**: supported. The tool submits the current - MCP JWE access token to the embedded revocation endpoint, which handles Tableau signout and refresh - token cleanup. - -### Unsupported modes and limitations - -- **Passthrough authentication**: not supported. Session credentials are managed externally. -- Revocation can fail if the authorization server rejects the request, or if the token is already - expired or invalid. - -### Side effects - -The current session or token is revoked. Subsequent Tableau API calls in the same session may fail. -After calling this tool, clients should disconnect from the MCP server and reconnect if they need a -new authenticated session. diff --git a/docs/docs/tools/token-management/_category_.json b/docs/docs/tools/token-management/_category_.json new file mode 100644 index 000000000..7c0ca7a95 --- /dev/null +++ b/docs/docs/tools/token-management/_category_.json @@ -0,0 +1,8 @@ +{ + "label": "Token Management", + "position": 6, + "link": { + "type": "generated-index", + "description": "Tools for managing OAuth token and consent state for the current MCP session." + } +} diff --git a/docs/docs/tools/token-management/reset-consent.md b/docs/docs/tools/token-management/reset-consent.md new file mode 100644 index 000000000..b3f76a945 --- /dev/null +++ b/docs/docs/tools/token-management/reset-consent.md 
@@ -0,0 +1,38 @@ +--- +sidebar_position: 1 +--- + +# Reset Consent + +Resets saved OAuth consent for the current user on the Tableau authorization server. + +Use `reset-consent` when you need to clear previously granted OAuth consent so the next OAuth +authorization flow prompts the user for consent again. This is the canonical documentation page to +link to when a consent experience needs to tell users how to reset previously granted access for MCP. + +For full OAuth cleanup, call `reset-consent` before +[`revoke-access-token`](revoke-access-token.md). `reset-consent` needs the current valid bearer token; +revoking the token first invalidates the credential needed to reset consent. + +## Arguments + +This tool requires no input. It operates on the authentication context already associated with the +MCP request. Raw access tokens, refresh tokens, JWE tokens, and bearer values are never exposed to +the model. + +## Supported Auth Modes + +- **Bearer authentication with Tableau authorization server mode**: supported. The tool calls + `/oauth2/resetConsent` on the configured OAuth issuer using the current bearer token. + +## Unsupported Modes And Limitations + +- **Embedded authorization server mode**: disabled. The embedded authorization server does not use + the same consent model. +- **Passthrough authentication and other non-Bearer auth modes**: not supported. Session credentials + are managed externally. + +## Side Effects + +The current session remains valid, but the next OAuth authorization flow re-prompts the user for +consent. diff --git a/docs/docs/tools/token-management/revoke-access-token.md b/docs/docs/tools/token-management/revoke-access-token.md new file mode 100644 index 000000000..0589aac8d --- /dev/null +++ b/docs/docs/tools/token-management/revoke-access-token.md 
@@ -0,0 +1,39 @@ +--- +sidebar_position: 2 +--- + +# Revoke Access Token + +Revokes the access token used to authenticate the current MCP session. + +Use `revoke-access-token` when signing a user out of the MCP session, revoking access after +suspicious activity, or performing clean session teardown from an MCP client or orchestration layer. + +For full OAuth cleanup, call [`reset-consent`](reset-consent.md) before `revoke-access-token`. +Revocation invalidates the token required to authenticate the consent reset request. + +## Arguments + +This tool requires no input. It operates on the authentication context already associated with the +MCP request. Raw access tokens, refresh tokens, JWE tokens, and bearer values are never exposed to +the model. + +## Supported Auth Modes + +- **Bearer authentication with Tableau authorization server mode**: supported. The tool submits the + current Tableau access token to the issuer's `/oauth2/revoke` endpoint. +- **X-Tableau-Auth in embedded authorization server mode**: supported. The tool submits the current + MCP JWE access token to the embedded revocation endpoint, which handles Tableau signout and refresh + token cleanup. + +## Unsupported Modes And Limitations + +- **Passthrough authentication**: not supported. Session credentials are managed externally. +- Revocation can fail if the authorization server rejects the request, or if the token is already + expired or invalid. + +## Side Effects + +The current session or token is revoked. Subsequent Tableau API calls in the same session may fail. +After calling this tool, clients should disconnect from the MCP server and reconnect if they need a +new authenticated session. From ce8ecbc773a99f88f678a4fc754e77dd45b9ae6f Mon Sep 17 00:00:00 2001 From: Matt Filbert Date: Wed, 20 May 2026 16:30:02 -0600 Subject: [PATCH 3/3] ordering update --- docs/docs/tools/token-management/_category_.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/docs/tools/token-management/_category_.json b/docs/docs/tools/token-management/_category_.json index 7c0ca7a95..faf4d2aac 100644 --- a/docs/docs/tools/token-management/_category_.json +++ b/docs/docs/tools/token-management/_category_.json @@ -1,6 +1,6 @@ { "label": "Token Management", - "position": 6, + "position": 7, "link": { "type": "generated-index", "description": "Tools for managing OAuth token and consent state for the current MCP session."
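Review bot: In the `docs/docs/configuration/mcp-config/oauth.md` hunk of patch 2/3, the closing sentence "For full cleanup, call `reset-consent` before `revoke-access-token`" is given without the mode restriction that `reset-consent.md` documents in the same patch: that tool is disabled in embedded authorization server mode and not supported for passthrough or other non-Bearer modes. A reader who lands on the configuration page while running one of those modes is told to make a call that the tool page says will not work. Suggest scoping the sentence to Bearer authentication with Tableau authorization server mode and stating that in embedded authorization server mode only `revoke-access-token` applies. The reason for the ordering (revocation invalidates the token the consent reset needs) is also worth repeating here in a short clause, since this page is where the `/oauth2/revoke` endpoint is listed.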
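Review bot: In the new `docs/docs/tools/token-management/reset-consent.md` (patch 2/3), the Side Effects section says "The current session remains valid" but never states the consequence a reader handling an access concern needs: the current token keeps working after consent is reset, so this tool on its own does not end access. Suggest adding one sentence to that effect with a link to `revoke-access-token`. The page also does not say what a caller should do when `reset-consent` fails during full cleanup (whether to proceed to revocation anyway), and the Unsupported Modes And Limitations list uses "disabled" for embedded mode and "not supported" for passthrough without saying what the tool returns in either case; a line on each would make the documented ordering safe to automate.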
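Review bot: In the new `docs/docs/tools/token-management/revoke-access-token.md` (patch 2/3), refresh token cleanup is mentioned only in the embedded authorization server bullet under Supported Auth Modes; the Bearer bullet says only that the current Tableau access token is submitted to the issuer's `/oauth2/revoke` endpoint. Because the page lists "revoking access after suspicious activity" as a use case, it should state whether the refresh token is also invalidated in Bearer authentication with Tableau authorization server mode and, if it is not, what else must be done to end access. The limitations bullet "Revocation can fail if the authorization server rejects the request, or if the token is already expired or invalid" likewise needs a sentence on how the failure is reported to the client and whether the session should be treated as still live when it happens.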