Client side oauth token refresh

[djoreilly]

Pre-submission Checklist

• I have checked that this question would not be more appropriate as an issue in a specific repository
• I have searched existing discussions and documentation for answers

Question Category

• Protocol Specification
• SDK Usage
• Server Implementation
• General Implementation
• Documentation
• Other

Your Question

I'm playing with the new client side oauth support from #785
and my client example is based on https://github.com/modelcontextprotocol/go-sdk/blob/main/examples/auth/client/main.go but keeps a connection to the mcp server open. It works until after the token expires and then get this:

Error: failed to list tools: calling "tools/list": sending "tools/list": rejected by transport: oauth2: "invalid_grant" "Token is not active"

It says here that the token should be automatically refreshed

go-sdk/docs/protocol.md

Line 356 in 4cdbaaf

The `auth.AuthorizationCodeHandler` automatically manages token refreshing

I skimmed the PR and don't see where that's implemented. Is there some extra config needed?

[maciej-kisiel]

Hi @djoreilly, thanks for asking.

We're using oauth2.Config.TokenSource here which is documented to refresh the token when current one expires. Could you confirm that the token returned from your Authorization Server contains:

1. The refresh_token
2. Expiry for the access token

If so, it would be good to check if the library even tries to execute the refresh calls, e.g. by adding some debug prints inside https://cs.opensource.google/go/x/oauth2/+/refs/tags/v0.36.0:oauth2.go;l=274.

[djoreilly]

Thanks for the pointers.

Yes, running tcpflow on the Keycloak port shows the access token has an expiry (10 min as set in keycloak) and there is a refresh token too.

{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJhSk9HcjlIaUIxLWdwWUJ2QXEwVno2RXNzbVQ1eEFIYXhVRGdBc0VhS0dNIn0.eyJleHAiOjE3NzMyMjgxMjQsImlhdCI6MTc3MzIyNzUyNCwiYXV0aF90aW1lIjoxNzczMjI3NTI0LCJqdGkiOiJvbnJ0YWM6OTgxNDdlM2ItODJkNi00NzAwLWE2MmQtOGU0NWIwOTY1MzEwIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDkwL3JlYWxtcy9tY3AtcmVhbG0iLCJhdWQiOiJlY2hvLW1jcC1zZXJ2ZXIiLCJzdWIiOiIzYjE5ZGE4My00Zjc5LTRkZTAtYmU5Ni1kZjA5Y2FjOWRhZjkiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJtY3AtdGVzdC1jbGllbnQiLCJzaWQiOiI2NWQwZjBjYS1iMjJiLWVjOTItMTcxNC0yNjMzMzkzMDQyOGIiLCJhY3IiOiIxIiwiYWxsb3dlZC1vcmlnaW5zIjpbIioiXSwicmVzb3VyY2VfYWNjZXNzIjp7ImVjaG8tbWNwLXNlcnZlciI6eyJyb2xlcyI6WyJ0b29scy13cml0ZSIsInRvb2xzLXJlYWQiXX19LCJzY29wZSI6Im1jcDp0b29sczp3cml0ZSBtY3A6dG9vbHM6cmVhZCBlbWFpbCBwcm9maWxlIGVjaG8tbWNwLXNlcnZlci1hdWRpZW5jZSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJuYW1lIjoiTUNQIEFkbWluIiwicHJlZmVycmVkX3VzZXJuYW1lIjoibWNwLWFkbWluIiwiZ2l2ZW5fbmFtZSI6Ik1DUCIsImZhbWlseV9uYW1lIjoiQWRtaW4iLCJlbWFpbCI6ImFkbWluQG1jcC5leGFtcGxlLmNvbSJ9.c_yPOWArD7lCupqFXCMt-1dZLrNqgxt1tmT3XZpMyxpZpDTlN4JWHDe9o69_aUpeufgGFeZL7SGstXvCEMnI_g_SdT_zruiRLbMoTZ6bH408-SQ_T8oJMPKObhnBXlt-9h9NnLcazOFzvzBm48uzoglNA-9wSei2ziwfAl3ZI3DoVpsJtN-jgutmU0bOA7E6dRlvtEiqxz7BKBM_qkDhs22gJLEYJqDkh0CYUCPgo2AOTznPpNa_N5ig3gEoE76tyTXjgcrh0WLcs8FIcIywFzKhDfX_d0th9fcBwWRbD3hBL7tMfnt14bf5bnCY2h-wYlON74M2qHga5tyWcweVIQ","expires_in":600,"refresh_expires_in":3600,"refresh_token":"eyJhbGciOiJIUzUxMiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIwOGFiNmNkYi1jZTRlLTQ2YjktODYzOC1lMDliNzI4Y2M0NGQifQ.eyJleHAiOjE3NzMyMzExMjQsImlhdCI6MTc3MzIyNzUyNCwianRpIjoiYWFhNTg1YzMtNDc5Zi1hNWEzLWQ2YjktNzg5ZDliMDQwM2EwIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDkwL3JlYWxtcy9tY3AtcmVhbG0iLCJhdWQiOiJodHRwOi8vbG9jYWxob3N0OjgwOTAvcmVhbG1zL21jcC1yZWFsbSIsInN1YiI6IjNiMTlkYTgzLTRmNzktNGRlMC1iZTk2LWRmMDljYWM5ZGFmOSIsInR5cCI6IlJlZnJlc2giLCJhenAiOiJtY3AtdGVzdC1jbGllbnQiLCJzaWQiOiI2NWQwZjBjYS1iMjJiLWVjOTItMTcxNC0yNjMzMzkzMDQyOGIiLCJzY29wZSI6ImFjciBtY3A6dG9vbHM6d3JpdGUgYmFzaWMgcm9sZXMgbWNwOnRvb2xzOnJlYWQgd2ViLW9yaWdpbnMgZW1haWwgcHJvZmlsZSBlY2hvLW1jcC1zZXJ2ZXItYXVkaWVuY2UifQ.j_aPrYz_Zg-KxkUFrTdPjgKK8x2m8h2UdMYaWavznNuSd9T_7HK6Q7Z_lzInWqaep6QqZwEre4ddi8e2YkRTYg","token_type":"Bearer","not-before-policy":0,"session_state":"65d0f0ca-b22b-ec92-1714-26333930428b","scope":"mcp:tools:write mcp:tools:read email profile echo-mcp-server-audience"}

I'll add some debug to the oauth2 refresh code.

[djoreilly]

Refresh is working now - the problem was with the keycloak config. The access token expiry was 3600s (set by a setup script, probably not a keycloak default), but 3600s is the same as the refresh token expiry, so I guess the refresh token is invalid when it comes time to use it. After I reduced the access token expiry to 600s I'm seeing the access tokens getting refreshed.

[maciej-kisiel]

Thanks for confirming, I'm glad it works as expected.