
Fix MCP Authentication - Auto-evict invalid clients and trigger re-registration #250978


Draft
wants to merge 3 commits into
base: main

@Copilot Copilot AI commented Jun 9, 2025

Problem

When an MCP server restarts and loses client information, VS Code continues using the stored client ID for authentication requests. The server returns an invalid_client OAuth error because the client no longer exists, but VS Code retains the invalid client indefinitely with no way to automatically recover. Users must manually clean global storage to resolve the issue.

Solution

This PR implements proper handling of invalid_client OAuth errors per RFC 6749 section 5.2, automatically evicting invalid clients and triggering Dynamic Client Registration when needed.

Key Changes

  1. Enhanced OAuth Error Detection

    • Added isAuthorizationTokenErrorResponse() type guard for proper error parsing
    • All token exchange methods now detect invalid_client errors specifically

  2. Comprehensive Error Handling

    • Authorization Code Flow: exchangeCodeForToken() detects invalid client during initial auth
    • Refresh Token Flow: exchangeRefreshTokenForToken() detects invalid client during token refresh
    • Device Code Flow: Device polling detects invalid client during device authentication
    • Session Management: Both getSessions() and createSession() handle invalid client scenarios

  3. Client Eviction Flow

    • Added InvalidClientError class to carry OAuth error details through the system
    • New $invalidateClient() protocol method signals client invalidity to main thread
    • Main thread automatically removes stored client data and unregisters the provider
    • Next authentication attempt triggers new Dynamic Client Registration

Example Flow

// Before: Invalid client retained indefinitely
1. MCP server restarts and loses client info
2. VS Code uses stored client ID
3. Server returns 400 invalid_client error
4. VS Code logs error but keeps using invalid client
5. User must manually clean storage

// After: Automatic recovery
1. MCP server restarts and loses client info
2. VS Code uses stored client ID
3. Server returns 400 invalid_client error
4. VS Code detects invalid_client, removes stored data
5. Next auth request triggers new client registration automatically

Testing

  • Added comprehensive unit tests for isAuthorizationTokenErrorResponse type guard
  • Tests cover valid/invalid error responses and edge cases
  • Existing authentication integration tests continue to pass

This ensures VS Code gracefully handles "registration lost" scenarios in OAuth flows, eliminating the need for manual storage cleanup.

Fixes #250960.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • electronjs.org
    • Triggering command: node-gyp (dns block)


Copilot AI and others added 2 commits June 9, 2025 04:41
…oviders

Co-authored-by: TylerLeonhardt <2644648+TylerLeonhardt@users.noreply.github.com>
Co-authored-by: TylerLeonhardt <2644648+TylerLeonhardt@users.noreply.github.com>
@Copilot Copilot AI changed the title [WIP] MCP Authenthication - VsCode does not evict client when client can't be authorized Fix MCP Authentication - Auto-evict invalid clients and trigger re-registration Jun 9, 2025
@Copilot Copilot AI requested a review from TylerLeonhardt June 9, 2025 04:45
Copilot finished work on behalf of TylerLeonhardt June 9, 2025 04:45
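
The eviction flow from the pull request description above, as an added TypeScript example that is not the PR's code or VS Code's implementation. `ClientCache`, `requestToken`, `isTokenErrorResponse` and the injected `register` and `endpoint` callbacks are hypothetical stand-ins for Dynamic Client Registration and the token request; the point shown is that only a well-formed `invalid_client` body evicts the stored client.

```typescript
// Added example with hypothetical names; not VS Code's implementation.
interface TokenErrorResponse { error: string; error_description?: string; error_uri?: string }

// Type guard for an RFC 6749 section 5.2 error body. `error` stays a free
// string because extensions such as the device flow define further codes.
function isTokenErrorResponse(body: unknown): body is TokenErrorResponse {
	if (typeof body !== 'object' || body === null) { return false; }
	const b = body as Record<string, unknown>;
	const optStr = (v: unknown) => v === undefined || typeof v === 'string';
	return typeof b.error === 'string' && b.error.length > 0
		&& optStr(b.error_description) && optStr(b.error_uri);
}

// Stand-in for the HTTP call to the token endpoint (constructed for the example).
type TokenEndpoint = (clientId: string) => { status: number; body: unknown };
type Outcome =
	| { kind: 'token'; accessToken: string }
	| { kind: 'error'; code: string; evicted: boolean };

class ClientCache {
	private readonly clients = new Map<string, string>(); // server URL -> client_id
	private readonly register: (server: string) => string;
	registrations = 0;

	constructor(register: (server: string) => string) { this.register = register; }
	has(server: string): boolean { return this.clients.has(server); }
	requestToken(server: string, endpoint: TokenEndpoint): Outcome {
		let clientId = this.clients.get(server);
		if (clientId === undefined) {
			// Nothing stored (first use, or evicted earlier): register dynamically.
			clientId = this.register(server);
			this.registrations++;
			this.clients.set(server, clientId);
		}
		const { status, body } = endpoint(clientId);
		if (isTokenErrorResponse(body)) {
			// Evict only on invalid_client; other codes (invalid_grant, ...) say
			// nothing about the registration, so the stored client is kept.
			const evicted = body.error === 'invalid_client';
			if (evicted) { this.clients.delete(server); }
			return { kind: 'error', code: body.error, evicted };
		}
		const token = (body as { access_token?: unknown } | null)?.access_token;
		if (status === 200 && typeof token === 'string') {
			return { kind: 'token', accessToken: token };
		}
		return { kind: 'error', code: 'malformed_response', evicted: false };
	}
}
```

Eviction happens in the failing call and registration in the next one, so a server that keeps answering `invalid_client` costs one registration per authentication attempt rather than looping inside a single request.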