Framework does not handle refreshed tokens correctly

[pematth]

Initial Checks

• I confirm that I'm using the latest version of MCP Python SDK
• I confirm that I searched for my issue in https://github.com/modelcontextprotocol/python-sdk/issues before opening this issue

Description

I use python sdk with Keycloak as external authz provider. I allowed my mcp client (in my test scenario it is latest VSC) to get AT and RT (using offline_access scope). I have implemented a TokenVerifier that is doing validation of the MCP keycloak JWT. And then in some MCP tool, i use get_access_token() from the framework to use the JWT. I log both values and i can clearly see that it works fine initially, but after the token was refreshed on client-side, i still get the old accesst token from get_access_token() function. Not sure if you intended to support token refresh in a clean way. But IMHO that is a bug that should be fixed soon.

Example Code

Python & MCP Python SDK

1.12.4

[felixweinberger]

Hi @pematth could you provide a code snippet that demonstrates the specific issue you're getting that we can run to debug?

[bgaidioz]

I ran into a similar situation when I tried to implement token refresh on our MCP server (after adding load_refresh_token and exchange_refresh_token to our OAuthAuthorizationServerProvider). I could see the new token being passed to auth_context_var.reset(token) in auth_context.py, but get_access_token was still returning the old token when the client issued a new call.

I’m mentioning this because it seems to confirm that the framework isn’t propagating the refreshed token consistently, which may be the root of what’s being reported here.

I don’t have a minimal code snippet handy, but I’d be happy to try and put one together when I’m back working on this part of the code.

[felixweinberger]

I ran into a similar situation when I tried to implement token refresh on our MCP server (after adding load_refresh_token and exchange_refresh_token to our OAuthAuthorizationServerProvider). I could see the new token being passed to auth_context_var.reset(token) in auth_context.py, but get_access_token was still returning the old token when the client issued a new call.

I’m mentioning this because it seems to confirm that the framework isn’t propagating the refreshed token consistently, which may be the root of what’s being reported here.

I don’t have a minimal code snippet handy, but I’d be happy to try and put one together when I’m back working on this part of the code.

That'd be great thank you!

[bgaidioz]

I ran into a similar situation when I tried to implement token refresh on our MCP server (after adding load_refresh_token and exchange_refresh_token to our OAuthAuthorizationServerProvider). I could see the new token being passed to auth_context_var.reset(token) in auth_context.py, but get_access_token was still returning the old token when the client issued a new call.
I’m mentioning this because it seems to confirm that the framework isn’t propagating the refreshed token consistently, which may be the root of what’s being reported here.
I don’t have a minimal code snippet handy, but I’d be happy to try and put one together when I’m back working on this part of the code.

That'd be great thank you!

I pushed code to https://github.com/raw-labs/python-sdk-issue-1250: a minimal OAuth implementation that issues 30-second tokens.

When used with Claude Code:

1. At connection time, there are multiple calls to refresh the access token. (I don't remember seeing that earlier but I wasn't paying attention maybe),
2. When invoking the tool, even after refresh, the tool's code still receives an old (possibly expired) token from get_access_token.

[felixweinberger]

I ran into a similar situation when I tried to implement token refresh on our MCP server (after adding load_refresh_token and exchange_refresh_token to our OAuthAuthorizationServerProvider). I could see the new token being passed to auth_context_var.reset(token) in auth_context.py, but get_access_token was still returning the old token when the client issued a new call.
I’m mentioning this because it seems to confirm that the framework isn’t propagating the refreshed token consistently, which may be the root of what’s being reported here.
I don’t have a minimal code snippet handy, but I’d be happy to try and put one together when I’m back working on this part of the code.

That'd be great thank you!

I pushed code to https://github.com/raw-labs/python-sdk-issue-1250: a minimal OAuth implementation that issues 30-second tokens.

When used with Claude Code:

1. At connection time, there are multiple calls to refresh the access token. (I don't remember seeing that earlier but I wasn't paying attention maybe),
2. When invoking the tool, even after refresh, the tool's code still receives an old (possibly expired) token from get_access_token.

Thanks for providing the repro!

[pematth]

Hi, sorry for not responding, i was on holiday. I guess you are fine with the code provided by Benjamin. Otherwise please let me know.

[q815101630]

Hi, do we have any updates on this bug? We also face the same bug where get_access_token() returns the old token. Weirdly, the TokenVerifier will receive the new token, but it won't be accessible during processing the MCP request unless the session is refreshed.

I can confirm the bug still exists in 1.16.0