MCP OAuth refresh_token not used correctly #5259

@ianschenck

Describe the bug

Goose in its current state does not (at least reliably?) accept the refresh_token when supplied by the auth server. It does not submit "offline_access" as a scope either, which may be required.

To Reproduce
Steps to reproduce the behavior:

  1. Add an MCP server that follows the spec for auth (OAuth2.1 with DCR)
  2. Wait a few minutes/hours for the access token to expire.
  3. Goose fires off the auth flow again.

Expected behavior
The refresh_token should be persisted and used to update the access token. The old access token should be thrown away.

Screenshots
NA

Please provide the following information:

  • OS & Arch: Apple M3/Darwin
  • Interface: CLI
  • Version: 1.11.0
  • Extensions enabled: A test MCP server requiring authentication and following the current MCP auth spec.
  • Provider & Model: Local (Qwen3 running on an 8xMi325X) (probably not relevant)

Additional context

For what it's worth, these two branches fix the issue. However, it's most definitely AI slop as I am not a Rust programmer.

https://github.com/ianschenck/rust-sdk/tree/ian/refresh-token-callback (rust-sdk)
https://github.com/ianschenck/goose/tree/ian/get-refresh-token (goose)
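
The behavior described under "Expected behavior", sketched as an added example (not part of the original issue, and not Goose or rust-sdk code). All type and function names are hypothetical; the sketch also keeps the existing refresh token when a refresh response omits one, and replaces it when the server rotates it.

```rust
// Added illustration: hypothetical names, not the Goose or rust-sdk API.
use std::time::{Duration, Instant};

#[derive(Debug, Clone, PartialEq)]
pub struct TokenResponse {
    pub access_token: String,
    pub refresh_token: Option<String>, // servers may omit this on a refresh response
    pub expires_in: u64,               // access token lifetime in seconds
}

#[derive(Debug, Clone, PartialEq)]
pub struct StoredTokens {
    pub access_token: String,
    pub refresh_token: Option<String>,
    pub expires_at: Instant,
}

#[derive(Debug, PartialEq)]
pub enum NextStep {
    UseAccessToken,
    RefreshGrant { refresh_token: String }, // token request with grant_type=refresh_token
    FullAuthorization,                      // interactive flow, only as a last resort
}

/// Decide what to do before a request; `skew` triggers the refresh slightly early.
pub fn next_step(stored: Option<&StoredTokens>, now: Instant, skew: Duration) -> NextStep {
    match stored {
        None => NextStep::FullAuthorization,
        Some(t) if now + skew < t.expires_at => NextStep::UseAccessToken,
        Some(t) => match &t.refresh_token {
            Some(rt) => NextStep::RefreshGrant { refresh_token: rt.clone() },
            None => NextStep::FullAuthorization,
        },
    }
}

/// Persist a token response: the old access token is always discarded.
pub fn apply_response(prev: Option<&StoredTokens>, resp: TokenResponse, now: Instant) -> StoredTokens {
    // A rotated refresh token replaces the old one; an omitted one keeps it.
    let refresh_token = resp.refresh_token.or_else(|| prev.and_then(|p| p.refresh_token.clone()));
    StoredTokens { access_token: resp.access_token, refresh_token, expires_at: now + Duration::from_secs(resp.expires_in) }
}

fn main() {
    let now = Instant::now(); // token values below are constructed samples
    let resp = TokenResponse { access_token: "at-1".into(), refresh_token: Some("rt-1".into()), expires_in: 300 };
    let stored = apply_response(None, resp, now);
    println!("{:?}", next_step(Some(&stored), now + Duration::from_secs(600), Duration::from_secs(30)));
}
```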

Labels

mcp (MCP/Extension related), p1 (Priority 1 - High (supports roadmap))