adaptOAuthProvider returns expired tokens without checking expiry, breaking long-running StreamableHTTP connections

[daksh-goyal]

Describe the bug
adaptOAuthProvider() in auth.ts does not check token expiry before returning the access token. The token: adapter calls provider.tokens() and returns access_token regardless of whether it has expired. OAuthClientProvider.tokens() calculates expires_in: Math.max(0, expiresAt - now), so expired tokens come back with expires_in: 0 and are sent to the server as-is.

The refresh logic in auth() (which checks token validity and attempts refresh) only runs via onUnauthorized when the server returns HTTP 401. However, many MCP servers — particularly those acting as proxies to upstream APIs (see #1294) — wrap upstream auth errors in HTTP 200 JSON-RPC responses rather than returning 401. In these cases, the expired token causes a server-side failure that is never surfaced as a 401, so the client's retry/refresh path never fires.

To Reproduce
Steps to reproduce the behavior:

1. Connect to an HTTP MCP server using StreamableHTTPClientTransport with OAuth
2. Authenticate successfully — connection works
3. Wait for the access token to expire
4. Make a tool call through the MCP connection
5. Request fails — expired token is sent, server uses it against an upstream API, upstream rejects it, error is wrapped in a 200 JSON-RPC response
6. Only recovery is manual re-authentication or process restart

Expected behavior
adaptOAuthProvider().token() should check expires_in before returning the access token. If the token is expired or near-expiry (≤60 seconds remaining, matching the buffer already used in hasValidTokens()), it should return undefined so the transport sends the request without an Authorization header, triggering a 401 from the server, which invokes onUnauthorized → auth() → refresh flow.

Suggested Fix

packages/client/src/client/auth.ts:

 // Current:
 export function adaptOAuthProvider(provider: OAuthClientProvider): AuthProvider {
     return {
         token: async () => {
             const tokens = await provider.tokens();
             return tokens?.access_token;
         },
         onUnauthorized: async ctx => handleOAuthUnauthorized(provider, ctx)
     };
 }
 
 // Fixed — check expiry before returning:
 export function adaptOAuthProvider(provider: OAuthClientProvider): AuthProvider {
     return {
         token: async () => {
             const tokens = await provider.tokens();
             if (!tokens?.access_token) return undefined;
             if (tokens.expires_in !== undefined && tokens.expires_in <= 60) {
                 return undefined;
             }
             return tokens.access_token;
         },
         onUnauthorized: async ctx => handleOAuthUnauthorized(provider, ctx)
     };
 }

Note: the 60-second buffer matches the existing hasValidTokens() logic which uses the same hardcoded value.

Logs

 # Successful OAuth connection:
 21:02:21.240Z [ERROR] MCP client for [Redacted] connected, took 97ms
 21:02:21.241Z [ERROR] Started MCP client for remote server [Redacted] with OAuth
 
 # 1h42m later, expired token sent:
 22:44:53.036Z [ERROR] MCP client for [Redacted] errored [Redacted]: The resource parameter provided in the request doesn't match with the requested scopes.

[mcp-claude]

bug confirmed on both main and v1.x. adaptOAuthProvider().token() returns the access token with no expiry check; expired tokens are sent to the server indefinitely on connections where the server returns 200 JSON-RPC errors instead of HTTP 401, so the onUnauthorized refresh path never fires.

the proposed fix (expires_in <= 60) only works for custom provider implementations that recompute expires_in as remaining seconds. the sdk's own providers (InMemoryOAuthClientProvider, ClientCredentialsProvider) store the raw expires_in from the server response (e.g. 3600) and never update it, so checking expires_in <= 60 at call time will never detect a token that was issued an hour ago with expires_in: 3600.

a correct fix needs two changes:

1. record issuedAt (unix seconds) alongside the token when saveTokens() is called — either in OAuthTokens or in adaptOAuthProvider via closure
2. in adaptOAuthProvider().token(), check Date.now() / 1000 >= issuedAt + (expires_in ?? Infinity) - 60 before returning

repro script (repro.mjs, run with node repro.mjs)

// replicates exact logic from packages/client/src/client/auth.ts:122-130
function adaptOAuthProvider_current(provider) {
    return {
        token: async () => {
            const tokens = await provider.tokens();
            return tokens?.access_token;
        },
    };
}

function makeProvider(tokens) {
    return { tokens: () => tokens };
}

async function main() {
    const cases = [
        { label: 'expires_in=0 (fully expired)', tokens: { access_token: 'expired-token', token_type: 'Bearer', expires_in: 0, refresh_token: 'rt' }, expectUndefined: true },
        { label: 'expires_in=30 (within 60s buffer)', tokens: { access_token: 'near-expiry-token', token_type: 'Bearer', expires_in: 30, refresh_token: 'rt' }, expectUndefined: true },
        { label: 'expires_in=3600 (valid)', tokens: { access_token: 'valid-token', token_type: 'Bearer', expires_in: 3600 }, expectUndefined: false },
        { label: 'no tokens', tokens: undefined, expectUndefined: true },
    ];
    for (const { label, tokens, expectUndefined } of cases) {
        const adapted = adaptOAuthProvider_current(makeProvider(tokens));
        const result = await adapted.token();
        const isBug = expectUndefined && result !== undefined;
        console.log(`${label}: result=${JSON.stringify(result)} ${isBug ? 'FAIL — BUG' : 'ok'}`);
    }
}
main();

command + output

$ node repro.mjs

Test: expires_in=0 (fully expired)
  result:   "expired-token"
  expected: undefined
  status:   FAIL — BUG CONFIRMED

Test: expires_in=30 (within 60s buffer used by hasValidTokens)
  result:   "near-expiry-token"
  expected: undefined
  status:   FAIL — BUG CONFIRMED

Test: expires_in=3600 (valid)
  result:   "valid-token"
  expected: "valid-token"
  status:   ok

Test: no tokens stored
  result:   undefined
  expected: undefined
  status:   ok

code path

• packages/client/src/client/auth.ts:124-127 — adaptOAuthProvider().token() no expiry check
• packages/client/src/client/streamableHttp.ts:199 — uses adaptOAuthProvider for all requests
• packages/client/src/client/sse.ts:93 — same
• v1.x: src/client/middleware.ts:44-47 — same pattern, provider.tokens() used without expiry check

proposed fix flaw: InMemoryOAuthClientProvider.tokens() returns stored raw OAuthTokens with expires_in: 3600 unchanged over time. checking expires_in <= 60 at use-time would return false even for a 1-hour-old token — the fix would only work for custom providers that recompute remaining seconds dynamically.

[daksh-goyal]

hm, I see the gap with my fix. But the fix proposed by the bot seems rather intrusive considering the definition of the OAuthTokens interface lives in @modelcontextprotocol/core. An alternative solution could be to do some monkey-patching in the adapter closure itself. Something like:

 export function adaptOAuthProvider(provider: OAuthClientProvider): AuthProvider {
     let issuedAt: number | undefined;
 
     const originalSaveTokens = provider.saveTokens.bind(provider);
     provider.saveTokens = async (tokens: OAuthTokens) => {
         issuedAt = Math.floor(Date.now() / 1000);
         return originalSaveTokens(tokens);
     };
 
     return {
         token: async () => {
             const tokens = await provider.tokens();
             if (!tokens?.access_token) return;
             if (tokens.expires_in !== undefined && issuedAt !== undefined) {
                 const elapsed = Math.floor(Date.now() / 1000) - issuedAt;
                 if (elapsed >= tokens.expires_in - 60) return;
             }
             return tokens.access_token;
         },
         onUnauthorized: async ctx => handleOAuthUnauthorized(provider, ctx)
     };
 }

Let me know what is preferred here. Also, @felixweinberger is there an automated workflow to backport the fix to v1.x or would I have to manually create a separate pull request for that?