Title: SEP-2207: Refresh token guidance by wdawson · Pull Request #2039 · modelcontextprotocol/python-sdk · GitHub
Open Graph Title: SEP-2207: Refresh token guidance by wdawson · Pull Request #2039 · modelcontextprotocol/python-sdk
X Title: SEP-2207: Refresh token guidance by wdawson · Pull Request #2039 · modelcontextprotocol/python-sdk
Description: Implement OIDC-flavored refresh token guidance (SEP-2207) in the Python SDK client. Motivation and Context MCP clients interacting with OIDC-flavored Authorization Servers often don't receive refresh tokens because they aren't requesting offline_access. This leads to poor UX (frequent re-authentication). SEP-2207 provides guidance for how MCP clients should handle this. The Python SDK's default OAuthClientMetadata already includes refresh_token in grant_types, but the client was not augmenting authorization request scopes with offline_access when the Authorization Server advertises support for it. This change brings the Python SDK in line with the TypeScript SDK's implementation. How Has This Been Tested? 10 unit tests covering all edge cases for offline_access scope augmentation in get_client_metadata_scopes 2 end-to-end auth flow tests verifying the authorization request includes (or excludes) offline_access and prompt=consent based on AS metadata Breaking Changes None. This is additive behavior. Clients that previously did not request offline_access will now request it automatically when the AS advertises it in scopes_supported and the client supports the refresh_token grant. Authorization Servers that don't recognize offline_access will simply ignore it per OAuth 2.1. Types of changes Bug fix (non-breaking change which fixes an issue) New feature (non-breaking change which adds functionality) Breaking change (fix or feature that would cause existing functionality to change) Documentation update Checklist I have read the MCP Documentation My code follows the repository's style guidelines New and existing tests pass locally I have added appropriate error handling I have added or updated documentation as needed Additional context get_client_metadata_scopes() now accepts client_grant_types and appends offline_access to the selected scopes when the AS metadata advertises it in scopes_supported and the client includes refresh_token in its grant_types. The authorization request includes prompt=consent when offline_access is in the scope, per the OIDC Core spec. This matches the TypeScript SDK's behavior. The 403 insufficient_scope handler now also passes AS metadata and client grant types to get_client_metadata_scopes, fixing a pre-existing omission.
Open Graph Description: Implement OIDC-flavored refresh token guidance (SEP-2207) in the Python SDK client. Motivation and Context MCP clients interacting with OIDC-flavored Authorization Servers often don't receive r...
X Description: Implement OIDC-flavored refresh token guidance (SEP-2207) in the Python SDK client. Motivation and Context MCP clients interacting with OIDC-flavored Authorization Servers often don't recei...
Opengraph URL: https://github.com/modelcontextprotocol/python-sdk/pull/2039
X: @github
Domain: github.com
| route-pattern | /:user_id/:repository/pull/:id/files(.:format) |
| route-controller | pull_requests |
| route-action | files |
| fetch-nonce | v2:a69f845b-00b1-8aa5-3b7a-c325be226860 |
| current-catalog-service-hash | ae870bc5e265a340912cde392f23dad3671a0a881730ffdadd82f2f57d81641b |
| request-id | EA24:8CD90:2A5A61F:3C6A41D:6A5902C0 |
| html-safe-nonce | 78e6812121e0fac7f7accecc97b426cf09e5b86f05e6f584fdee5af16f34874e |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJFQTI0OjhDRDkwOjJBNUE2MUY6M0M2QTQxRDo2QTU5MDJDMCIsInZpc2l0b3JfaWQiOiI2MDU0NTkyMDA4NTYzNTI0Mjg4IiwicmVnaW9uX2VkZ2UiOiJpYWQiLCJyZWdpb25fcmVuZGVyIjoiaWFkIn0= |
| visitor-hmac | 55247e96f26421ea2b1ffb33023e5be6d1d67498be45e08c3cad7d65ef9aa0be |
| hovercard-subject-tag | pull_request:3273814234 |
| github-keyboard-shortcuts | repository,pull-request-list,pull-request-conversation,pull-request-files-changed,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/modelcontextprotocol/python-sdk/pull/2039/files |
| twitter:image | https://avatars.githubusercontent.com/u/132961?s=400&v=4 |
| twitter:card | summary_large_image |
| og:image | https://avatars.githubusercontent.com/u/132961?s=400&v=4 |
| og:image:alt | Implement OIDC-flavored refresh token guidance (SEP-2207) in the Python SDK client. Motivation and Context MCP clients interacting with OIDC-flavored Authorization Servers often don't receive r... |
| og:site_name | GitHub |
| og:type | object |
| hostname | github.com |
| expected-hostname | github.com |
| None | 5f2a0c7865178af3d91dd9f13b0cdfc3c73a2529c873d2780bb4c01271a57ec6 |
| turbo-cache-control | no-preview |
| diff-view | unified |
| go-import | github.com/modelcontextprotocol/python-sdk git https://github.com/modelcontextprotocol/python-sdk.git |
| octolytics-dimension-user_id | 182288589 |
| octolytics-dimension-user_login | modelcontextprotocol |
| octolytics-dimension-repository_id | 862584018 |
| octolytics-dimension-repository_nwo | modelcontextprotocol/python-sdk |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 862584018 |
| octolytics-dimension-repository_network_root_nwo | modelcontextprotocol/python-sdk |
| turbo-body-classes | logged-out env-production page-responsive full-width |
| disable-turbo | true |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | 9842457e8d7e3b2e1635a63af28da35614845510 |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width