Allow the token to be refreshed without triggering a reauthentication

[guschnwg]

Summary

When refreshing the token, it was triggering a reauthentication.
Since clients should use refresh tokens, when available, this feature is a good way to test that our MCP servers don't trigger unnecessary oauth flows.

Gravacao.de.Tela.2025-11-24.as.20.25.58.mov

Closes #665

[olaservo]

Thanks for working on this - token refresh is an important missing feature (#665). Apologies for the delay in reviewing; this has been open for a while and we appreciate your patience.

The implementation works, but I have a suggestion that would make it cleaner:

Consider using the client-side refreshAuthorization function instead of ProxyOAuthServerProvider:

import { refreshAuthorization, discoverAuthorizationServerMetadata } from "@modelcontextprotocol/sdk/client/auth.js";

// Instead of ProxyOAuthServerProvider.exchangeRefreshToken(), use:
const newTokens = await refreshAuthorization(serverUrl, {
  metadata: authServerMeta,
  clientInformation: clientInfo,
  refreshToken: authState.oauthTokens.refresh_token,
});

Why?

• ProxyOAuthServerProvider is in the server module (designed for implementing OAuth servers)
• refreshAuthorization is the client-side equivalent that:
  • Auto-selects the best auth method based on server metadata
  • Preserves the original refresh token if server doesn't return a new one
  • Doesn't pull in server-side dependencies

This isn't blocking - the current approach works. But using the client function would be more aligned with the SDK's intended usage.

Let me know if you'd like help with the refactor, or if there's a reason you chose ProxyOAuthServerProvider that I'm missing.

---

This comment was drafted with assistance from Claude (AI).

[guschnwg]

Thanks for working on this - token refresh is an important missing feature (#665). Apologies for the delay in reviewing; this has been open for a while and we appreciate your patience.

The implementation works, but I have a suggestion that would make it cleaner:

Consider using the client-side refreshAuthorization function instead of ProxyOAuthServerProvider:

import { refreshAuthorization, discoverAuthorizationServerMetadata } from "@modelcontextprotocol/sdk/client/auth.js";

// Instead of ProxyOAuthServerProvider.exchangeRefreshToken(), use:
const newTokens = await refreshAuthorization(serverUrl, {
  metadata: authServerMeta,
  clientInformation: clientInfo,
  refreshToken: authState.oauthTokens.refresh_token,
});

Why?

* `ProxyOAuthServerProvider` is in the server module (designed for implementing OAuth servers)

* `refreshAuthorization` is the client-side equivalent that:
  
  * Auto-selects the best auth method based on server metadata
  * Preserves the original refresh token if server doesn't return a new one
  * Doesn't pull in server-side dependencies

This isn't blocking - the current approach works. But using the client function would be more aligned with the SDK's intended usage.

Let me know if you'd like help with the refactor, or if there's a reason you chose ProxyOAuthServerProvider that I'm missing.

This comment was drafted with assistance from Claude (AI).

Way better with your suggestion. Updated. Sorry the delay