@@ -0,0 +1,7 @@
.bedrock_agentcore.yaml
.dockerignore
Dockerfile
invoke_mcp_tools.py
mcp_server.py
my_mcp_client.py
my_mcp_client_remote.py
@@ -287,7 +287,7 @@
"print(\"Setting up Amazon Cognito user pool...\")\n",
"cognito_config = setup_cognito_user_pool()\n",
"print(\"Cognito setup completed ✓\")\n",
"print(f\"User Pool ID: {cognito_config.get('user_pool_id', 'N/A')}\")\n",
"print(f\"User Pool ID: {cognito_config.get('pool_id', 'N/A')}\")\n",
"print(f\"Client ID: {cognito_config.get('client_id', 'N/A')}\")"
]
},
@@ -448,12 +448,45 @@
"import boto3\n",
"import json\n",
"import sys\n",
"import base64\n",
"import time\n",
"from boto3.session import Session\n",
"from datetime import timedelta\n",
"import traceback\n",
"\n",
"from mcp import ClientSession\n",
"from mcp.client.streamable_http import streamablehttp_client\n",
"\n",
"def get_refresh_token(client_id, refresh_token, region):\n",
" \"\"\"Refresh access token using refresh token\"\"\"\n",
" cognito_client = boto3.client('cognito-idp', region_name=region)\n",
" auth_response = cognito_client.initiate_auth(\n",
" ClientId=client_id,\n",
" AuthFlow='REFRESH_TOKEN_AUTH',\n",
" AuthParameters={'REFRESH_TOKEN': refresh_token}\n",
" )\n",
" return auth_response['AuthenticationResult']['AccessToken']\n",
"\n",
"def get_valid_token(bearer_token, client_id, refresh_token, region):\n",
" \"\"\"Check token expiry and refresh if needed\"\"\"\n",
" try:\n",
" payload = bearer_token.split('.')[1]\n",
" payload += '=' * (4 - len(payload) % 4)\n",
" decoded = json.loads(base64.b64decode(payload))\n",
" \n",
" current_time = int(time.time())\n",
" if decoded['exp'] - current_time < 300:\n",
" print(\"🔄 Token expiring soon, refreshing...\")\n",
" new_token = get_refresh_token(client_id, refresh_token, region)\n",
" print(\"✓ Token refreshed successfully\")\n",
" return new_token\n",
" \n",
" return bearer_token\n",
" except Exception as e:\n",
" print(\"🔄 Invalid token, refreshing...\", e)\n",
" traceback.print_exc()\n",
" return get_refresh_token(client_id, refresh_token, region)\n",
"\n",
"async def main():\n",
" boto_session = Session()\n",
" region = boto_session.region_name\n",
@@ -471,7 +504,12 @@
" secret_value = response['SecretString']\n",
" parsed_secret = json.loads(secret_value)\n",
" bearer_token = parsed_secret['bearer_token']\n",
" print(\"✓ Retrieved bearer token from Secrets Manager\")\n",
" refresh_token = parsed_secret['refresh_token']\n",
" client_id = parsed_secret['client_id']\n",
" print(\"✓ Retrieved credentials from Secrets Manager\")\n",
" \n",
" # Validate and refresh token if needed\n",
" bearer_token = get_valid_token(bearer_token, client_id, refresh_token, region)\n",
" \n",
" except Exception as e:\n",
" print(f\"Error retrieving credentials: {e}\")\n",
@@ -571,12 +609,43 @@
"import boto3\n",
"import json\n",
"import sys\n",
"import base64\n",
"import time\n",
"from boto3.session import Session\n",
"from datetime import timedelta\n",
"\n",
"from mcp import ClientSession\n",
"from mcp.client.streamable_http import streamablehttp_client\n",
"\n",
"def get_refresh_token(client_id, refresh_token, region):\n",
" \"\"\"Refresh access token using refresh token\"\"\"\n",
" cognito_client = boto3.client('cognito-idp', region_name=region)\n",
" auth_response = cognito_client.initiate_auth(\n",
" ClientId=client_id,\n",
" AuthFlow='REFRESH_TOKEN_AUTH',\n",
" AuthParameters={'REFRESH_TOKEN': refresh_token}\n",
" )\n",
" return auth_response['AuthenticationResult']['AccessToken']\n",
"\n",
"def get_valid_token(bearer_token, client_id, refresh_token, region):\n",
" \"\"\"Check token expiry and refresh if needed\"\"\"\n",
" try:\n",
" payload = bearer_token.split('.')[1]\n",
" payload += '=' * (4 - len(payload) % 4)\n",
" decoded = json.loads(base64.b64decode(payload))\n",
" \n",
" current_time = int(time.time())\n",
" if decoded['exp'] - current_time < 300:\n",
" print(\"🔄 Token expiring soon, refreshing...\")\n",
" new_token = get_refresh_token(client_id, refresh_token, region)\n",
" print(\"✓ Token refreshed successfully\")\n",
" return new_token\n",
" \n",
" return bearer_token\n",
" except:\n",
" print(\"🔄 Invalid token, refreshing...\")\n",
" return get_refresh_token(client_id, refresh_token, region)\n",
"\n",
"async def main():\n",
" boto_session = Session()\n",
" region = boto_session.region_name\n",
@@ -594,7 +663,12 @@
" secret_value = response['SecretString']\n",
" parsed_secret = json.loads(secret_value)\n",
" bearer_token = parsed_secret['bearer_token']\n",
" print(\"✓ Retrieved bearer token from Secrets Manager\")\n",
" refresh_token = parsed_secret['refresh_token']\n",
" client_id = parsed_secret['client_id']\n",
" print(\"✓ Retrieved credentials from Secrets Manager\")\n",
" \n",
" # Validate and refresh token if needed\n",
" bearer_token = get_valid_token(bearer_token, client_id, refresh_token, region)\n",
" \n",
" except Exception as e:\n",
" print(f\"Error retrieving credentials: {e}\")\n",
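Review bot: In `get_valid_token` the JWT payload is decoded with `base64.b64decode`, but JWT segments use the base64url alphabet, so a payload containing `-` or `_` will not decode to valid JSON and the call falls into the `except` branch, refreshing on every run rather than only within 300 seconds of expiry. Replace the padding and decode lines with `decoded = json.loads(base64.urlsafe_b64decode(payload + '=' * (-len(payload) % 4)))`. The second copy of the function (hunk at -571) uses a bare `except:`, which also catches `KeyboardInterrupt` and hides why the refresh happened; `except Exception as e:` as in the first copy is the safer form. The `exp` claim is read without verifying the token signature, which is acceptable as a client-side expiry hint, but the comment in `main` would be more accurate as `# Check token expiry locally (no signature verification) and refresh if needed`.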
23 changes: 15 additions & 8 deletions 01-tutorials/utils.py
@@ -1,8 +1,12 @@
import boto3
import json
import time
import base64

Check failure on line 4 in 01-tutorials/utils.py


GitHub Actions / python-lint

Ruff (F401)

01-tutorials/utils.py:4:8: F401 `base64` imported but unused
from boto3.session import Session

USER_NAME = 'testuser'
PASSWORD = 'MyPassword123!'
TEMP_ADMIN_PASSWORD = 'Temp123!'

def setup_cognito_user_pool():
boto_session = Session()
@@ -34,38 +38,41 @@
# Create User
cognito_client.admin_create_user(
UserPoolId=pool_id,
Username='testuser',
TemporaryPassword='Temp123!',
Username=USER_NAME,
TemporaryPassword=TEMP_ADMIN_PASSWORD,
MessageAction='SUPPRESS'
)
# Set Permanent Password
cognito_client.admin_set_user_password(
UserPoolId=pool_id,
Username='testuser',
Password='MyPassword123!',
Username=USER_NAME,
Password=PASSWORD,
Permanent=True
)
# Authenticate User and get Access Token
auth_response = cognito_client.initiate_auth(
ClientId=client_id,
AuthFlow='USER_PASSWORD_AUTH',
AuthParameters={
'USERNAME': 'testuser',
'PASSWORD': 'MyPassword123!'
'USERNAME': USER_NAME,
'PASSWORD': PASSWORD
}
)
bearer_token = auth_response['AuthenticationResult']['AccessToken']
refresh_token = auth_response['AuthenticationResult']['RefreshToken']
# Output the required values
print(f"Pool id: {pool_id}")
print(f"Discovery URL: https://cognito-idp.{region}.amazonaws.com/{pool_id}/.well-known/openid-configuration")
print(f"Client ID: {client_id}")
print(f"Bearer Token: {bearer_token}")
print(f"Refresh Token: {refresh_token}")

# Return values if needed for further processing
return {
'pool_id': pool_id,
'client_id': client_id,
'bearer_token': bearer_token,
'refresh_token': refresh_token,
'discovery_url':f"https://cognito-idp.{region}.amazonaws.com/{pool_id}/.well-known/openid-configuration"
}
except Exception as e:
@@ -83,8 +90,8 @@
ClientId=client_id,
AuthFlow='USER_PASSWORD_AUTH',
AuthParameters={
'USERNAME': 'testuser',
'PASSWORD': 'MyPassword123!'
'USERNAME': USER_NAME,
'PASSWORD': PASSWORD
}
)
bearer_token = auth_response['AuthenticationResult']['AccessToken']
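Review bot: The added `print(f"Refresh Token: {refresh_token}")` in `setup_cognito_user_pool` writes a long-lived credential to stdout, and when this helper is called from a notebook the value is stored in the saved cell output, where it can be committed or shared along with the notebook. Drop the line or replace it with a non-secret status such as `print("Refresh token obtained")`; the existing `Bearer Token` print next to it has the same exposure. The credentials are now module constants (`USER_NAME`, `PASSWORD`, `TEMP_ADMIN_PASSWORD`) but remain literals in the file, so a comment above them such as `# Tutorial-only test credentials; do not reuse for a real user pool` would make the intent explicit. Part of the function body is collapsed between the hunks, so this is based on the visible lines only.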
1 change: 1 addition & 0 deletions CONTRIBUTORS.md
@@ -6,6 +6,7 @@
- aristsakpinis93
- aurbac
- bergjaak
- crupakheti
- danystinson
- dhawalkp
- didhd