Skip to content

fix: refresh expired MCP OAuth tokens #6209

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 3 commits into from
Closed

fix: refresh expired MCP OAuth tokens #6209

wants to merge 3 commits into from

Conversation

@JaviSoto
Copy link
Contributor

@JaviSoto JaviSoto commented Nov 4, 2025
edited
Loading

Repro:

  • Set up an HTTP MCP server with OAuth expiring tokens like Datadog
  • Use it for a bit until the token expires
  • Start a new codex session

Expected results:

  • The token gets transparently refreshed and the MCP server continues to work

Actual results:

  • You start getting 401s and need to do codex mcp logout and log back in.

@JaviSoto JaviSoto requested a review from gpeal November 4, 2025 18:26
JaviSoto
JaviSoto commented Nov 4, 2025
View reviewed changes
JaviSoto
JaviSoto commented Nov 4, 2025
View reviewed changes
chatgpt-codex-connector[bot]
chatgpt-codex-connector bot reviewed Nov 4, 2025
View reviewed changes
Copy link
Contributor

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@JaviSoto
Copy link
Contributor Author

JaviSoto commented Nov 4, 2025

@codex review

@chatgpt-codex-connector
Copy link
Contributor

chatgpt-codex-connector bot commented Nov 4, 2025

Codex Review: Didn't find any major issues. Another round soon, please!

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@JaviSoto
fix: refresh expired MCP OAuth tokens
bc90844 
Repro:

- Set up an HTTP MCP server with OAuth expiring tokens like Datadog
- Use it for a bit until the token expires
- Start a new codex session

Expected results:
- The token gets transparently refreshed and the MCP server continues to
work

Actual results:
- You start getting 401s and need to do `codex mcp logout` and log back 
  in.
@JaviSoto
Implement proper fix: also set the token expiration time when it's ex…
24535c5 
…pired

The old load path in codex-rs/rmcp-client/src/oauth.rs only set expires_in when the stored expiry was in the future:

  // codex-rs/rmcp-client/src/oauth.rs:369-374 (original)
  if let Some(expires_at) = entry.expires_at
      && let Some(seconds) = expires_in_from_timestamp(expires_at)
  {
      let duration = Duration::from_secs(seconds);
      token_response.set_expires_in(Some(&duration));
  }

  And expires_in_from_timestamp returned None for expired tokens:

  // codex-rs/rmcp-client/src/oauth.rs:444-453 (original)
  if expires_at <= now_ms {
      None
  } else {
      Some((expires_at - now_ms) / 1000)
  }

  So when the stored token was already expired, set_expires_in was never called, RMCP saw “no expiry,” and it didn’t auto-refresh on handshake.
@JaviSoto
Remove import
214ac14
@JaviSoto JaviSoto force-pushed the dev/javi/mcp-auth-refresh branch from 13da57b to 214ac14 Compare November 4, 2025 19:31
@JaviSoto
Copy link
Contributor Author

JaviSoto commented Nov 4, 2025

Closing in favor of modelcontextprotocol/rust-sdk#509

@JaviSoto JaviSoto closed this Nov 4, 2025
@github-actions github-actions bot locked and limited conversation to collaborators Nov 4, 2025
@etraut-openai etraut-openai added the oai-pr PRs posted by Codex team members label Nov 10, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@chatgpt-codex-connector chatgpt-codex-connector[bot] chatgpt-codex-connector[bot] left review comments

@gpeal gpeal Awaiting requested review from gpeal

Assignees

No one assigned

Labels

oai-pr PRs posted by Codex team members

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@JaviSoto @etraut-openai