feat: add refresh_token grant support to OAuth proxy#1688
Open
feat: add refresh_token grant support to OAuth proxy#1688
Conversation
MCP clients can now refresh their proxy-issued tokens via grant_type=refresh_token, receiving a rotated access/refresh pair. Well-known metadata advertises the new grant type. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
4 tasks
![devin-ai-integration[bot]](https://avatars.githubusercontent.com/in/811515?s=60&v=4){kind=small}
Collaborator
🚀 Preview Environment (PR #1688)Preview URL: https://pr-1688.dev.getgram.ai
Gram Preview Bot |
qstearns
added a commit
that referenced
this pull request
Mar 5, 2026
## Summary - When an MCP client presents a valid proxy token whose upstream credentials have expired, the server now automatically attempts to refresh them via the upstream provider's token endpoint - Captures and encrypts upstream refresh tokens during the initial OAuth token exchange - Stacked on #1688 Fixes [AGE-1402](https://linear.app/speakeasy/issue/AGE-1402/bug-external-oauth-mcp-servers-log-users-out-no-token-refresh) ## Changes - **providers/provider.go**: Add `RefreshToken` to `TokenExchangeResult`, add `RefreshToken` method to `Provider` interface - **providers/custom.go**: Capture `refresh_token` from upstream response, implement `RefreshToken` method (posts `grant_type=refresh_token` to upstream) - **providers/gram.go**: Stub `RefreshToken` (not supported for Gram provider) - **storage.go**: Add `RefreshToken` field to `ExternalSecret` - **grant_manager.go**: Accept, store, and encrypt upstream refresh tokens in grants - **token_service.go**: Add `ErrExpiredExternalSecrets`, `ErrNoUpstreamRefreshToken` sentinels; `ValidateAccessToken` returns token + error on expired external secrets (instead of deleting); add `RefreshExternalSecrets` method; encrypt/decrypt `ExternalSecret.RefreshToken` - **impl.go** (oauth): Pass upstream refresh token through callback flow, add `RefreshProxyToken` method - **mcp/oauth_service.go**: Add `RefreshProxyToken` to `OAuthService` interface - **mcp/impl.go**: Catch `ErrExpiredExternalSecrets` in custom provider auth path, attempt upstream refresh before failing ## Test plan - [ ] Existing tests pass - [ ] Custom OAuth provider returns refresh_token → stored and encrypted in ExternalSecrets - [ ] When upstream access token expires, proxy transparently refreshes it on next MCP request - [ ] When upstream refresh also fails, client gets 401 as expected 🤖 Generated with [Claude Code](https://claude.com/claude-code) <!-- devin-review-badge-begin --> --- <a href="https://app.devin.ai/review/speakeasy-api/gram/pull/1689" target="_blank"> <picture> <source media="(prefers-color-scheme: dark)" srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1"> <img src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1" alt="Open with Devin"> </picture> </a> <!-- devin-review-badge-end --> --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
refresh_tokengrant type to the OAuth proxy token endpoint (/oauth/{mcpSlug}/token)refresh_tokengrant support alongsideauthorization_codeFixes AGE-1402
Changes
ExchangeAuthorizationCode, addExchangeRefreshTokenmethod with full token rotation (old token deleted, new pair issued)RefreshTokenfield toTokenstruct,RefreshTokenCacheKeyhelper,AdditionalCacheKeysreturns refresh token key for dual-key lookupRefreshTokentoTokenRequestandTokenResponserefresh_tokenfrom form values, addcase "refresh_token"tohandleToken["authorization_code", "refresh_token"]inGrantTypesSupportedTest plan
refresh_tokenPOST grant_type=refresh_token&refresh_token=...&client_id=...returns new token pair🤖 Generated with Claude Code