Problem
MCP OAuth credential operations are unguarded read-modify-write updates to one shared user/provider record.
Concurrent runs can:
- dynamically register multiple clients and overwrite the registration used by an in-flight authorization URL
- overwrite discovery state or token fields from stale reads
- refresh the same rotating refresh token more than once
- exchange callback A with client information written by flow B
- lose auth-session index entries during concurrent writes
Generic OAuth already has a distributed refresh gate; MCP OAuth does not.
Acceptance criteria
Confirmed by the provider-agnostic OAuth implementation audit tracked in #843.
Problem
MCP OAuth credential operations are unguarded read-modify-write updates to one shared user/provider record.
Concurrent runs can:
Generic OAuth already has a distributed refresh gate; MCP OAuth does not.
Acceptance criteria
Confirmed by the provider-agnostic OAuth implementation audit tracked in #843.