Skip to content

vMCP session close fails auth: no identity in termination context #4573

Open
#4613
Open
vMCP session close fails auth: no identity in termination context#4573
#4613
Assignees
yrobla
Labels
authenticationbugSomething isn't workingkubernetesItems related to KubernetesscalabilityItems related to scalabilityvmcpVirtual MCP Server related issues
@jerm-dro

Description

@jerm-dro
jerm-dro
opened on Apr 6, 2026

Bug Report

Reported by: Gaston (external user) on Discord, observed on ToolHive operator v0.12.5

Description

When the vMCP session manager terminates a session, the close/DELETE request to backend MCP servers fails with:

ERROR: failed to send close request: Delete "http://mcp-playwright-proxy.mcp.svc.cluster.local:8080/mcp/": authentication failed for backend playwright: no identity found in context
ERROR: failed to send close request: Delete "http://mcp-fetch-proxy.mcp.svc.cluster.local:8080/mcp/": authentication failed for backend fetch: no identity found in context
ERROR: failed to send close request: Delete "http://mcp-mkp-proxy.mcp.svc.cluster.local:8080/mcp/": authentication failed for backend mkp: no identity found in context

These errors appear frequently in vMCP logs. While no visible functionality is broken, backend sessions are likely never properly closed, potentially leaking sessions on backend MCP servers.

Suspected Root Cause (Needs Confirmation)

Manager.Terminate() in pkg/vmcp/server/sessionmanager/session_manager.go appears to create a fresh context from context.Background() with no identity. This empty context would flow through the close chain to the authRoundTripper, where auth strategies (UpstreamInjectStrategy, TokenExchangeStrategy) call auth.IdentityFromContext(ctx) and fail because no identity was set.

Suspected call chain:

  1. Manager.Terminate()multiSess.Close() → per-backend conn.Close()
  2. mcpSession.Close()mcp-go SDK Client.Close() → sends HTTP DELETE
  3. authRoundTripper.RoundTrip()authStrategy.Authenticate(ctx, req, config)
  4. Auth strategy calls auth.IdentityFromContext(ctx)(nil, false) → error

This needs to be confirmed with reproduction and debugging before implementing a fix.

Impact

  • Backend MCP server sessions may not be properly closed
  • Potential session/resource leaks on backend servers at scale
  • Log noise from repeated errors

Related

  • Part of: stacklok/stacklok-epics#262 (Epic: Horizontal Scaling for vMCP)

🤖 Generated with Claude Code

Metadata

Metadata

Assignees

Labels

authenticationbugSomething isn't workingkubernetesItems related to KubernetesscalabilityItems related to scalabilityvmcpVirtual MCP Server related issues

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions