[Bug] HTTP/SSE MCP OAuth client doesn't persist refresh_token for offline_access

Resolved 💬 3 comments Opened Jun 14, 2026 by Kvendra Closed Jun 15, 2026

Bug Description
report HTTP/SSE MCP server: client doesn't use refresh_token (offline_access) — forces full browser re-auth at access_token expiry
(~daily)

Environment: Claude Code 2.1.177 (latest on npm), macOS. MCP server type "http",
OAuth 2.1 + PKCE, Cognito-backed Authorization Server with Dynamic Client
Registration (RFC 7591).

Summary: For an HTTP MCP server protected by OAuth 2.1 + PKCE, Claude Code forces a
full browser re-login every time the access_token expires (~24h), instead of
silently using the refresh_token. The Authorization Server correctly advertises
offline_access in scopes_supported and refresh_token in grant_types_supported,
and issues a refresh_token valid 30 days — yet the session is not renewed across
access_token expiry.

Expected: With offline_access advertised and a refresh_token grant supported, the
client should persist the refresh_token and silently mint a new access_token on
expiry, so the MCP session lasts the refresh_token lifetime (30d) without a new
browser login.

Actual: Session ends at access_token expiry (~24h); next use of the MCP server
triggers a full browser OAuth flow. Recurs ~daily (observed 9+ days on 2.1.177).

Evidence:

  • GET /.well-known/oauth-authorization-server -> grant_types_supported:

["authorization_code","refresh_token"]; scopes_supported:
["openid","email","profile","offline_access"]

  • Token endpoint implements grant_type=refresh_token; code exchange returns a

refresh_token; RefreshTokenValidity = [REDACTED] days.

  • AS is a DCR proxy in front of AWS Cognito (refresh tokens issued automatically

with code flow + ALLOW_REFRESH_TOKEN_AUTH; offline_access filtered from the
Cognito client scopes but echoed back in the DCR response per RFC 7591).

Repro:

  1. HTTP MCP server backed by an OAuth 2.1 + PKCE AS advertising offline_access +

refresh_token grant, issuing a 30-day refresh_token (Cognito Hosted UI + DCR).

  1. Connect via /mcp (browser login OK; access_token TTL ~24h).
  2. Wait > access_token TTL (>24h).
  3. Use the MCP server -> forced full browser re-login instead of silent refresh.

Request: Persist and use the refresh_token for HTTP/SSE MCP OAuth sessions (honor
offline_access) so sessions last the refresh_token lifetime without repeated
browser logins. If already supported, please advise on conditions/config for a
Cognito-backed AS + DCR.

Impact: Daily forced re-auth is significant DX friction for anyone distributing an
OAuth-protected HTTP MCP server (affects all our SaaS users, not just us).

Environment Info

  • Platform: darwin
  • Terminal: iTerm.app
  • Version: 2.1.177
  • Feedback ID: 0393fe64-1126-49fd-916a-0e73ef85b027

Errors

[]

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗