inspector icon indicating copy to clipboard operation
inspector copied to clipboard
verified publisher icon modelcontextprotocol

Token refresh flow is not implemented

Open bojanbg opened this issue 5 months ago • 1 comments

Describe the bug Token refresh flow doesn't refresh the token, but simply runs the normal auth flow again from the start.

To Reproduce Steps to reproduce the behavior:

  1. Authenticate using either "Guided OAuth Flow" or "Quick OAuth Flow"
  2. Then request token refresh either using "Guided Token Refresh" or "Quick Refresh".

Expected behavior

  • Not to have a Client Registration step, since token refresh should use the existing client id.
  • Use auth server's token refresh functionality, instead of registration/authentication flow. Especially, grant_type should be refresh_token.

Logs Initiating token refresh clearly shows

grant_type=authorization_code

in the POST request's form data. Instead it should be grant_type=refresh_token

Additional context Related to #608, but the difference is that there it is about not refreshing the token after a timeout, but here it is about the manual "Guided Token Refresh"/"Quick Refresh" flow.

bojanbg avatar Aug 01 '25 07:08 bojanbg

@bojanbg Did the last step in obtaining the token pass. I experience this same behavior where inspector keeps calling the authorization_code after it reported a failure to fetch the token in the last step. Since the server assumed the client accepted the token, the temporary client code was already deleted on the server. Hence any retry of inspector requesting the token by authorization_code fails forever,

symdeb avatar Aug 28 '25 11:08 symdeb