fix: restore eager OAuth discovery to avoid slow unauthenticated roundtrip #2078
Open
BabyChrist666 wants to merge 1 commit into modelcontextprotocol:main from
…dtrip (modelcontextprotocol#1274)

When the client has no valid tokens, perform OAuth discovery and authorization BEFORE sending the MCP request. This restores the eager behavior from v1.11.0 that was removed in v1.12.0, eliminating the unnecessary unauthenticated roundtrip that servers like Notion handle slowly (~10s latency per operation).

Both the eager (pre-request) and reactive (post-401) paths now share a single `_perform_oauth_discovery_and_auth()` helper, keeping the code DRY while preserving RFC 9728 WWW-Authenticate header support on the 401 path.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Summary
Fixes #1274
- `_perform_oauth_discovery_and_auth()` helper shared by both the eager (pre-request) and reactive (post-401) paths, keeping code DRY while preserving RFC 9728 `WWW-Authenticate` header support on the 401 path

Root Cause
Between v1.11.0 and v1.12.0, the client OAuth flow changed from eager discovery (discover → authenticate → send MCP request) to lazy discovery (send MCP request → get 401 → discover → authenticate → retry). This causes a slow unauthenticated roundtrip to the MCP server before OAuth even begins, which some servers (e.g. Notion) handle very slowly.
Approach
The fix introduces conditional eager OAuth:
- client_info): Uses the reactive 401 path as before, since the server's `WWW-Authenticate` header may carry routing information (e.g. `resource_metadata` URL) that pure well-known discovery lacks
- `client_info` but expired/missing tokens): Runs the full discovery/registration/authorization flow eagerly BEFORE sending the MCP request, avoiding the slow unauthenticated roundtrip

Both paths share a single `_perform_oauth_discovery_and_auth()` helper method.

Test plan
- `test_eager_oauth_flow_avoids_unauthenticated_roundtrip` validates the eager flow end-to-end
- `test_eager_oauth_falls_back_on_error` validates graceful fallback when eager flow fails

🤖 Generated with Claude Code
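The conditional eager flow described in this pull request can be traced with a small simulation. This is an added example, not code from the pull request or the SDK: `FakeServer`, `Client`, `trace` and the step labels are hypothetical, and the fallback shown (continuing to the 401 path when eager discovery fails) is an assumption about what "graceful fallback" means.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class FakeServer:
    """Constructed stand-in for an MCP server behind OAuth; records each step."""
    discovery_ok: bool = True
    log: list = field(default_factory=list)

    def mcp_request(self, token: Optional[str]) -> int:
        self.log.append("mcp:auth" if token else "mcp:unauth")
        return 200 if token == "tok" else 401

    def discover_and_authorize(self, from_401: bool) -> str:
        # Stands in for discovery + registration + authorization.
        self.log.append("oauth:401-header" if from_401 else "oauth:well-known")
        if not from_401 and not self.discovery_ok:
            raise RuntimeError("well-known discovery failed")
        return "tok"

@dataclass
class Client:
    client_info: Optional[dict] = None  # set once the client has registered
    token: Optional[str] = None         # None models expired/missing tokens

    def send(self, server: FakeServer) -> int:
        # Eager path: client_info present but no valid token.
        if self.client_info is not None and self.token is None:
            try:
                self.token = server.discover_and_authorize(from_401=False)
            except RuntimeError:
                pass  # assumed fallback: continue to the reactive path
        status = server.mcp_request(self.token)
        if status == 401:
            # Reactive path: discovery driven by the 401's WWW-Authenticate header.
            self.token = server.discover_and_authorize(from_401=True)
            status = server.mcp_request(self.token)
        return status

def trace(client: Client, server: Optional[FakeServer] = None) -> list:
    """Run one MCP operation and return the ordered steps the server saw."""
    server = server or FakeServer()
    assert client.send(server) == 200
    return server.log

if __name__ == "__main__":
    print(trace(Client()))                                   # first-time auth
    print(trace(Client(client_info={"client_id": "demo"})))  # returning client
```

The trace for a returning client contains no `mcp:unauth` step, which is the roundtrip the pull request aims to remove.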