Skip to content

Accept resource-less OAuth refreshes#18

Merged
AliOsm merged 1 commit into
mainfrom
agent/accept-resource-less-oauth-refresh
Jul 12, 2026
Merged

Accept resource-less OAuth refreshes#18
AliOsm merged 1 commit into
mainfrom
agent/accept-resource-less-oauth-refresh

Conversation

@AliOsm

@AliOsm AliOsm commented Jul 12, 2026

Copy link
Copy Markdown
Owner

Summary

  • allow OAuth refresh-token grants to omit the RFC 8707 resource parameter
  • inherit the canonical resource already bound to the rotated refresh token
  • continue rejecting explicit mismatched, repeated, and array-shaped resource values

Root cause

Codex 0.144.1 uses rmcp 1.8.0. Its authorization-code exchange includes the MCP resource indicator, but its refresh request omits it. PasteHTML required exactly one resource on every token request, so the otherwise valid refresh token was rejected with invalid_target and Codex requested reauthorization.

Claude Code already includes the MCP URL during refresh and was unaffected.

Impact

Codex can refresh PasteHTML MCP credentials after the one-hour access token expires without requiring the user to reauthenticate. Audience binding remains intact because omitted values are accepted only for an unambiguous refresh_token grant, and Doorkeeper copies the canonical resource from the rotated token.

Validation

  • mise exec -- bin/rails test test/integration/oauth_resource_indicator_test.rb test/integration/mcp_agent_journey_test.rb test/integration/oauth_authorization_flow_test.rb
    • 34 tests, 238 assertions, 0 failures
  • full Rails suite
    • 443 tests, 2,068 assertions, 0 failures
  • RuboCop: 128 files, no offenses
  • Brakeman: no warnings
  • Bundler audit: no vulnerabilities
  • seed replant: passed

The aggregate bin/ci command remains red because the existing Yarn dependency tree contains undici 6.26.0, which is affected by newly published advisories. This PR does not modify JavaScript dependencies.

@AliOsm AliOsm marked this pull request as ready for review July 12, 2026 14:22
@AliOsm AliOsm merged commit eaf85e5 into main Jul 12, 2026
3 checks passed
@AliOsm AliOsm deleted the agent/accept-resource-less-oauth-refresh branch July 12, 2026 14:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant