Does this issue occur when all extensions are disabled?: Yes/No
- VS Code Version: 1.102.3 (Universal)
- OS Version: 15.6 (24G84) Mac
Issue Description
VS Code is failing to exchange the authorization code for an access token when using OAuth with PKCE flow for MCP (Model Context Protocol) dynamic client registration. The token exchange request is missing the client_secret parameter.
Expected Behavior
VS Code should successfully exchange the authorization code for an access token using OAuth PKCE flow.
Actual Behavior
VS Code's OAuth implementation is not including the client_secret in the token exchange request, causing the exchange to fail with authentication errors.
Root Cause Analysis
This creates a contradiction in OAuth flow expectations:
- PKCE standard (RFC 7636): a client secret should not be required, since PKCE is designed for public clients
- Current server behavior: appears to require client_secret even when PKCE parameters are present
- VS Code implementation: correctly omits client_secret per PKCE standards
Technical Context
According to OAuth 2.0 RFC 7636 (PKCE), PKCE was designed to mitigate authorization code interception attacks for public clients.
The security is provided by:
- code_challenge (SHA256 hash) sent with the authorization request
- code_verifier (original random string) sent with the token exchange
- Server validates that SHA256(code_verifier) == code_challenge
Questions for Clarification
- Should the MCP OAuth server support PKCE without client secrets?
  - This would align with OAuth 2.0 standards for public clients
  - VS Code as a desktop application fits the public client profile
- Is there a configuration option to enable PKCE-only authentication?
  - Allow token exchange with just code_verifier validation
  - Skip the client_secret requirement when PKCE parameters are present
- Should VS Code's MCP implementation be updated to include client secrets?
  - This would require secure storage of secrets in VS Code
  - May not align with the public client security model
Proposed Solutions
- Server-side: Update OAuth server to accept PKCE-only token exchanges
- Client-side: Modify VS Code MCP extension to include client secret if required
- Configuration: Add server option to toggle PKCE vs secret-based validation
Additional Context
This issue affects the dynamic client registration flow for MCP servers that use OAuth for authentication, preventing proper integration with VS Code's MCP extension.