[Client] Implement refresh_token grant + offline_access scope #323
Open
Labels: Client, P1, auth, enhancement, improves spec compliance
Context
When an access token expires, the client must transparently refresh using the stored `refresh_token` rather than re-prompting the user. Per OIDC/OAuth, `offline_access` scope is requested at authorize time when the AS advertises it; otherwise the client degrades gracefully (no refresh available).

Scope
- `Mcp\Client\Auth\Grant\RefreshTokenGrant`.
- `expires_at - now() < skew`, refresh before sending request.
- `401` with valid refresh token, refresh + retry once.
- `offline_access` scope at authorize time when `scopes_supported` contains it; otherwise omit.

Conformance scenarios unblocked
`auth/offline-access-scope`, `auth/offline-access-not-supported`.

Dependencies
Blocked by: #319 (need access+refresh tokens from auth code flow), #322 (scope handling).
Acceptance
cc @soyuka
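
A sketch of the behaviours listed under Scope, added here as an illustration and not taken from the SDK or from the issue author. `TokenSet`, `authorizeScopes`, `applyTokenResponse`, `sendWithRefresh` and the two callables are hypothetical names; it assumes the token endpoint response is already decoded to an array, and it skips the 401 refresh when a proactive refresh has just happened.

```php
<?php
declare(strict_types=1);
// Added sketch: all names here are hypothetical, not the SDK's API.
final class TokenSet
{
    public function __construct(
        public string $accessToken,
        public ?string $refreshToken,
        public ?int $expiresAt, // Unix time; null when the AS sent no expires_in
    ) {}
}

/** Request offline_access only when the AS metadata advertises it. */
function authorizeScopes(array $wanted, array $asMetadata): array
{
    if (in_array('offline_access', $asMetadata['scopes_supported'] ?? [], true)) {
        $wanted[] = 'offline_access';
    }
    return array_values(array_unique($wanted));
}

/** Store a token endpoint response (decoded JSON) into the token set. */
function applyTokenResponse(TokenSet $t, array $resp, int $now): void
{
    $t->accessToken = $resp['access_token'];
    $t->expiresAt = isset($resp['expires_in']) ? $now + (int) $resp['expires_in'] : null;
    // A rotated refresh token replaces the old one; if none is returned, keep the current one.
    $t->refreshToken = $resp['refresh_token'] ?? $t->refreshToken;
}

/** $send(accessToken): HTTP status; $refresh(refreshToken): decoded token response. */
function sendWithRefresh(TokenSet $t, callable $send, callable $refresh, int $now, int $skew = 30): int
{
    $refreshed = false;
    if ($t->refreshToken !== null && $t->expiresAt !== null && $t->expiresAt - $now < $skew) {
        applyTokenResponse($t, $refresh($t->refreshToken), $now); // proactive refresh
        $refreshed = true;
    }
    $status = $send($t->accessToken);
    if ($status === 401 && !$refreshed && $t->refreshToken !== null) {
        applyTokenResponse($t, $refresh($t->refreshToken), $now);
        $status = $send($t->accessToken); // retry once, never loop
    }
    return $status; // without a refresh token the 401 is returned as-is
}
// Constructed demo: expires in 10 s (< 30 s skew); the AS response carries no new refresh token.
$t = new TokenSet('old', 'r1', 1010);
$status = sendWithRefresh($t, fn (string $at): int => $at === 'new' ? 200 : 401,
    fn (string $rt): array => ['access_token' => 'new', 'expires_in' => 3600], 1000);
var_dump($status, $t->refreshToken, authorizeScopes(['mcp'], ['scopes_supported' => ['mcp']]));
```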