Major AI Clients Shipping With Broken OAuth Implementations
The majority of widely used AI clients (Claude Code, Claude Desktop, Cursor, LibreChat, Amazon Q CLI, and others) have not implemented the critical refresh-token flow of the OAuth standard. This is forcing developers to issue long-lived tokens, creating a serious security regression in an already solved problem. This write-up includes a matrix table of 14 major clients with notes linking to feature requests, pull requests, and multiple forum discussions. It is not all gloom and doom though! There is a work-around solution that security-conscious users are using as a stop-gap, also discussed, along with a best-practices guide for developers implementing their own MCP OAuth solution. The plan is to update this reference on a monthly basis to track whether there is any movement on these open requests.

submitted by /u/mhat
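For readers who want to see what the missing piece looks like in code, the following is an added example, written for this page and not taken from the linked write-up or from any of the clients it names. It shows the OAuth 2.0 refresh-token grant (RFC 6749 section 6) on both sides: an in-process stub token endpoint that issues short-lived access tokens and rotates refresh tokens on each use (as the OAuth 2.0 Security Best Current Practice recommends), and a client that refreshes before a request instead of holding a long-lived token. The stub server, the client class, the `mcp-client` identifier and all token lifetimes are assumptions made for the example.

```python
"""Added example: OAuth 2.0 refresh-token grant with rotation.

Not from the post or any listed client. StubAuthServer stands in for a
real token endpoint; token values, client_id and lifetimes are constructed.
"""
import secrets
import time
from dataclasses import dataclass

ACCESS_TTL = 300          # assumed: 5-minute access tokens, the "already solved" design
REFRESH_TTL = 30 * 86400  # assumed: 30-day refresh tokens


@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    expires_at: float  # epoch seconds at which the access token stops being valid


class FakeClock:
    """Controllable clock so expiry can be exercised without sleeping."""
    def __init__(self, now):
        self.now = now

    def __call__(self):
        return self.now


class StubAuthServer:
    """Stand-in for the authorization server's /token endpoint."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self._refresh = {}  # refresh_token -> (client_id, expires_at)

    def issue(self, client_id):
        """Result of an initial authorization-code exchange (elided here)."""
        return self._mint(client_id)

    def token(self, grant_type, client_id, refresh_token=None):
        """Handle grant_type=refresh_token (RFC 6749 section 6)."""
        if grant_type != "refresh_token":
            raise ValueError("unsupported_grant_type")
        # pop(): a refresh token is single-use, so a replayed one is rejected
        entry = self._refresh.pop(refresh_token, None)
        if entry is None:
            raise PermissionError("invalid_grant")
        owner, refresh_exp = entry
        if owner != client_id or refresh_exp < self.clock():
            raise PermissionError("invalid_grant")
        return self._mint(client_id)  # new access token AND new refresh token

    def _mint(self, client_id):
        now = self.clock()
        rt = secrets.token_urlsafe(32)
        self._refresh[rt] = (client_id, now + REFRESH_TTL)
        return TokenSet(secrets.token_urlsafe(32), rt, now + ACCESS_TTL)


class McpClient:
    """Client side: refresh proactively instead of keeping a long-lived token."""

    def __init__(self, server, client_id, tokens, clock=time.time, skew=30):
        self.server = server
        self.client_id = client_id
        self.tokens = tokens
        self.clock = clock
        self.skew = skew  # refresh this many seconds early to absorb clock drift
        self.refreshes = 0

    def access_token(self):
        """Return a usable access token, refreshing first if it is (nearly) expired.

        Raises PermissionError when the refresh token itself is expired or
        revoked; the caller must then restart the interactive authorization flow.
        """
        if self.tokens.expires_at - self.skew <= self.clock():
            self.tokens = self.server.token(
                "refresh_token", self.client_id, self.tokens.refresh_token
            )
            self.refreshes += 1
        return self.tokens.access_token


def run_demo():
    """Walk through issue -> expiry -> refresh -> replay of the old refresh token."""
    clock = FakeClock(1_000_000)
    server = StubAuthServer(clock)
    initial = server.issue("mcp-client")  # assumed client_id
    client = McpClient(server, "mcp-client", initial, clock)

    first = client.access_token()         # still fresh: no refresh
    clock.now += ACCESS_TTL + 60          # let the access token expire
    second = client.access_token()        # triggers the refresh grant
    try:
        server.token("refresh_token", "mcp-client", initial.refresh_token)
        replay_rejected = False
    except PermissionError:
        replay_rejected = True
    return {
        "rotated": first != second,
        "refreshes": client.refreshes,
        "old_refresh_token_rejected": replay_rejected,
    }


if __name__ == "__main__":
    print(run_demo())
```

The point a client author should take from this is the shape of `access_token()`: every outbound MCP request goes through a check against `expires_at`, and the refresh happens transparently, so the authorization server never has to hand out an access token that lives for weeks. Rotation (the `pop()` in `token()`) is what turns a leaked refresh token from a standing credential into a single-use one.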