When the proxy's OAuth token source fails, the token injection middleware returned 401 Unauthorized. MCP clients interpret 401 as a signal to begin OAuth authentication, but the proxy manages OAuth internally and has no client-facing OAuth metadata. The failed discovery is cached, blocking reconnection even after the token refreshes.

Return 503 Service Unavailable with Retry-After instead, which clients treat as a transient connection error.

Fixes stacklok#4721

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Greg Katz <gkatz@indeed.com>
jhrozek (Contributor) previously approved these changes on Apr 10, 2026 and left a comment:

Looks good to me! One nit below.
```go
// the workload as unauthenticated in its Token() method.
// Return 503 instead of 401 so MCP clients do not mistake this
// for a server that requires client-side OAuth authentication.
w.Header().Set("Retry-After", "10")
```
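Review bot: the `Retry-After` header set on the last visible line only reaches the client if it is written before the response status is committed; confirm that the following `w.WriteHeader(http.StatusServiceUnavailable)` (or `http.Error`) comes after this `Set` and that nothing earlier in the handler has already written to `w`, otherwise the header is silently dropped and clients fall back to their own backoff. It is also worth having the new middleware test assert on the `Retry-After` value, not just on the 503 status, so a future reordering is caught.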
jhrozek (Contributor) commented:
Nit (feel free to take or leave): consider extracting "10" into a named constant with a short comment explaining it matches the initial MonitoredTokenSource backoff interval. Makes it easier to find if the backoff config ever changes.
```go
// retryAfterSecs tells MCP clients how long to wait before retrying.
// Matches the initial MonitoredTokenSource backoff interval.
const retryAfterSecs = "10"
```

Follow-up commit (Greg Katz): Address review nit: extract the retry delay into a package-level constant with a comment linking it to the MonitoredTokenSource backoff interval.

Signed-off-by: Greg Katz <gkatz@indeed.com>
Codecov Report: All modified and coverable lines are covered by tests.

```
@@           Coverage Diff            @@
##             main    #4722    +/-   ##
==========================================
+ Coverage   68.71%   68.76%   +0.05%
==========================================
  Files         517      516       -1
  Lines       54817    54230     -587
==========================================
- Hits        37666    37290     -376
+ Misses      14252    14093     -159
+ Partials     2899     2847      -52
```
Author (Contributor) commented:

@jhrozek, addressed the nit in the latest push. Ready for another look when someone has a chance.
Summary

- Retry-After: 10, which clients treat as a transient connection error.
- CreateTokenInjectionMiddleware (previously untested).
- Fixes #4721

Type of change

Test plan

- task test)
- task lint-fix)

Does this introduce a user-facing change?

MCP clients connecting through the proxy will see 503 instead of 401 when the proxy's OAuth tokens are expired. This is a behavioral change, but 503 is the correct status for this situation and prevents clients from entering a broken OAuth flow.
Generated with Claude Code
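As an added illustration of the behaviour this PR describes (not the project's own middleware or tests), the following stand-alone Go program builds a token-injection middleware that answers 503 with `Retry-After` when its token source fails, and contrasts how a client would treat that response with a 401. The `TokenSource` interface, `staticSource`, `failingSource`, `ClientAction` and `Probe` are all hypothetical stand-ins constructed here so the example runs offline; they are not ToolHive identifiers, and the real `MonitoredTokenSource` is not modelled.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
)

// TokenSource is a hypothetical stand-in for oauth2.TokenSource so the
// example needs no external modules.
type TokenSource interface {
	Token() (string, error)
}

// staticSource always yields the same token (healthy proxy credentials).
type staticSource struct{ tok string }

func (s staticSource) Token() (string, error) { return s.tok, nil }

// failingSource models an expired token whose refresh keeps failing.
type failingSource struct{}

func (failingSource) Token() (string, error) {
	return "", errors.New("token refresh failed: upstream IdP unreachable")
}

// retryAfterSecs tells MCP clients how long to wait before retrying.
// Chosen here for illustration; the PR ties it to the token source backoff.
const retryAfterSecs = 10

// TokenInjectionMiddleware attaches the proxy-managed bearer token to each
// request. When the source cannot produce a token it answers 503 with
// Retry-After instead of 401, because 401 would make MCP clients start a
// client-side OAuth flow that the proxy cannot serve (and cache the failure).
func TokenInjectionMiddleware(src TokenSource, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tok, err := src.Token()
		if err != nil {
			// Headers must be set before the status is written; http.Error
			// calls WriteHeader, so Retry-After has to come first.
			w.Header().Set("Retry-After", strconv.Itoa(retryAfterSecs))
			http.Error(w, "proxy credentials temporarily unavailable",
				http.StatusServiceUnavailable)
			return
		}
		r.Header.Set("Authorization", "Bearer "+tok)
		next.ServeHTTP(w, r)
	})
}

// ClientAction models how an MCP client reacts to a status code: 401 kicks
// off OAuth discovery (whose failure is cached), 503 is treated as transient.
func ClientAction(status int, retryAfter string) string {
	switch status {
	case http.StatusUnauthorized:
		return "start OAuth discovery"
	case http.StatusServiceUnavailable:
		if secs, err := strconv.Atoi(retryAfter); err == nil && secs > 0 {
			return fmt.Sprintf("retry in %ds", secs)
		}
		return "retry with default backoff"
	default:
		return "proceed"
	}
}

// ProbeResult records what the client saw and what reached the backend.
type ProbeResult struct {
	Status     int
	RetryAfter string
	Forwarded  bool
	AuthHeader string
}

// Probe sends one constructed request through the middleware in-process.
func Probe(src TokenSource) ProbeResult {
	var res ProbeResult
	backend := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		res.Forwarded = true
		res.AuthHeader = r.Header.Get("Authorization")
		w.WriteHeader(http.StatusOK)
	})
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, "/mcp", nil)
	TokenInjectionMiddleware(src, backend).ServeHTTP(rec, req)
	res.Status = rec.Code
	res.RetryAfter = rec.Header().Get("Retry-After")
	return res
}

func main() {
	for _, src := range []TokenSource{staticSource{"tok-abc"}, failingSource{}} {
		r := Probe(src)
		fmt.Printf("status=%d retry-after=%q forwarded=%v client=%s\n",
			r.Status, r.RetryAfter, r.Forwarded, ClientAction(r.Status, r.RetryAfter))
	}
}
```

Running it shows the healthy path forwarding `Authorization: Bearer tok-abc` to the backend, and the failing path stopping at the middleware with a 503 that the modelled client turns into a timed retry rather than an OAuth discovery attempt.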