Skip to content

chore(mcp): burn down OAuth TODOs + expand headers per-request #3601

Description

@aheritier

Summary

TODO debt cluster in MCP OAuth:

  • pkg/tools/mcp/oauth.go:310 — client reference for elicitation
  • pkg/tools/mcp/oauth.go:1149 / :1154 — no fallback when client ID missing
  • pkg/tools/mcp/mcp.go:115 — headers expanded at creation time, not per request (stale-token risk on long-lived connections)
  • pkg/tools/mcp/mcp.go:561 — documented "temporary fix" retry for async-init servers

Fix

Address the TODOs; expand headers per-request to avoid stale tokens. May require an upstream mcp-go check.

Acceptance

  • TODOs resolved or converted to tracked decisions; per-request header expansion; tests where feasible.

Metadata

Metadata

Assignees

Labels

area/mcpMCP protocol, MCP tool servers, integrationarea/securityAuthentication, authorization, secrets, vulnerabilitiesarea/toolsFor features/issues/fixes related to the usage of built-in and MCP toolskind/choreMaintenance, deps, CI, tooling (maps to chore: commit prefix)

Type

Fields

No fields configured for Task.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions