Skip to content

Save existing refresh_token in store if no new refresh_token is returned#483

Merged
pcarleton merged 1 commit intomodelcontextprotocol:mainfrom
fredericbarthelet:use-existing-refresh-token
May 21, 2025
Merged

Save existing refresh_token in store if no new refresh_token is returned#483
pcarleton merged 1 commit intomodelcontextprotocol:mainfrom
fredericbarthelet:use-existing-refresh-token

Conversation

@fredericbarthelet
Copy link
Copy Markdown
Contributor

@fredericbarthelet fredericbarthelet commented May 12, 2025
edited
Loading

As described in OAuth 2.1 specs on refresh token response, server MAY return a new refresh_token. In case it doesn't, current implementation discards initially obtained refresh_token even if it is still valid.

Motivation and Context

Ensure refresh_token can be used more than once to generate a new access_token

How Has This Been Tested?

Added a test case to auth.test.ts to simulate the case where no refresh_token is returned in response from /token request with refresh_token grant.

Breaking Changes

None

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Additional context

@fredericbarthelet
Save existing refresh_token in store if no new refresh_token is returned
4f55db9 
As described in https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-12#name-refresh-token-response,
server MAY return a new refresh_token. In case it doesn't, current implementation discard initial refresh
token if it was still valid.
@fredericbarthelet
Copy link
Copy Markdown
Contributor Author

fredericbarthelet commented May 20, 2025

Hi @ihrpr, sorry for the ping 🙇‍♂️
Any chance this could be merged sometime? Small change, but huge impact on all remote servers auth session duration :)
Thanks for your help!

@ihrpr ihrpr added this to the HPR milestone May 21, 2025
pcarleton
pcarleton approved these changes May 21, 2025
View reviewed changes
Copy link
Copy Markdown
Member

@pcarleton pcarleton left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM thanks for this.

I was wondering if we could do this at the callsite instead of in the function itself, but I think that's messier. One concern would be if the refresh token was consumed, and we're keeping around a stale one, but I think stale refresh token handling more generally should handle this.

@pcarleton pcarleton merged commit 281cf0b into modelcontextprotocol:main May 21, 2025
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pcarleton pcarleton pcarleton approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

HPR

Development

Successfully merging this pull request may close these issues.

3 participants

@fredericbarthelet @pcarleton @ihrpr