Major AI Clients Improve but Still Ship with Broken OAuth Implementations as of June 2026

The MCP authorization specification (November 2025) requires OAuth 2.1 with PKCE for remote MCP servers, which depends on MCP clients implementing the OAuth refresh_token grant. As of June 2026, progress has been made since an earlier April survey, with Gemini CLI now fully supporting the standard. Several other major AI clients have also upgraded from 'not implemented' to partial support.