Skip to content

Serialize MCP OAuth registration, refresh, and credential updates #836

Description

@dcramer

Problem

MCP OAuth credential operations are unguarded read-modify-write updates to one shared user/provider record.

Concurrent runs can:

  • dynamically register multiple clients and overwrite the registration used by an in-flight authorization URL
  • overwrite discovery state or token fields from stale reads
  • refresh the same rotating refresh token more than once
  • exchange callback A with client information written by flow B
  • lose auth-session index entries during concurrent writes

Generic OAuth already has a distributed refresh gate; MCP OAuth does not.

Acceptance criteria

  • Refresh-token use is serialized per workspace/user/provider/resource/issuer grant.
  • The winning refresh result is re-read and reused by waiting callers.
  • Dynamic client registration is single-flight for issuer + redirect URI.
  • Credential updates are atomic or version-checked; partial fields cannot be lost.
  • Auth-session index mutation is concurrency-safe.
  • Concurrent authorization attempts retain their own client ID and PKCE verifier.
  • Integration tests exercise simultaneous refresh, DCR, and callback completion with rotating refresh tokens.

Confirmed by the provider-agnostic OAuth implementation audit tracked in #843.

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions