21043498106
46%

Ran 15 Jan 2026 07:32PM UTC

Jobs 1

Files 605

Run time 2min

Badge

Embed ▾

Committed 15 Jan 2026 07:21PM UTC coverage: 52.876% (+0.03%) from 52.845%

Build # 21043498106

Build Type

push

github

Committed by

web-flow

Commit Message

mcp: implement refresh token support (#6049)

## Summary

Add MCP refresh token functionality that allows MCP clients to refresh
their access tokens without requiring user re-authentication.

Key implementation details:
- Store refresh token metadata in databroker
(`type.googleapis.com/oauth21.MCPRefreshToken`)
- Implement token rotation on refresh (old token revoked, new one
issued)
- Recreate Pomerium session from upstream IdP refresh token

## Related issues

<!-- For example...
- #159
-->

## User Explanation

MCP clients can now use the `refresh_token` grant type to obtain new
access tokens when the current one expires, without requiring the user
to re-authenticate through the browser flow.

## Checklist

- [ ] reference any related issues
- [x] updated unit tests
- [ ] add appropriate label (`enhancement`, `bug`, `breaking`,
`dependencies`, `ci`)
- [x] ready for review

Run Details

420 of 879 new or added lines in 13 files covered. (47.78%)

154 existing lines in 12 files now uncovered.

30338 of 57376 relevant lines covered (52.88%)

124.07 hits per line

New Missed Lines in Diff

Lines	Coverage	∆	File
6	83.7	19.08%	internal/mcp/storage.go
9	0.0	0.0%	internal/mcp/handler.go
10	72.97	-7.23%	pkg/grpc/session/session.go
10	74.29	-4.5%	proxy/proxy.go
35	0.0	0.0%	internal/mcp/handler_register_client.go
42	0.0	0.0%	internal/mcp/handler_list_routes.go
51	0.0	0.0%	internal/mcp/handler_oauth_callback.go
96	71.05	71.05%	internal/mcp/handler_token.go
100	2.02	2.02%	internal/mcp/handler_authorization.go
100	0.0	0.0%	internal/mcp/handler_connect.go

Uncovered Existing Lines

Lines	Coverage	∆	File
1	0.0	0.0%	internal/mcp/handler_register_client.go
1	71.05	71.05%	internal/mcp/handler_token.go
2	89.19	-5.41%	pkg/fanout/fanout.go
2	90.91	-3.64%	pkg/fanout/receive.go
2	88.18	-0.47%	pkg/storage/postgres/postgres.go
3	91.18	-0.98%	config/config_source.go
3	2.02	2.02%	internal/mcp/handler_authorization.go
3	0.0	0.0%	internal/mcp/handler_oauth_callback.go
3	95.83	-3.13%	pkg/identity/manager/schedulers.go
4	0.0	0.0%	internal/mcp/handler_connect.go
11	72.3	-7.43%	pkg/grpcutil/client_manager.go
119	0.0	0.0%	internal/testutil/mockidp/mockidp.go

Jobs

ID	Job ID	Ran	Files	Coverage
1	21043498106.1	15 Jan 2026 07:32PM UTC	605	52.88	GitHub Action Run

pomerium / pomerium / 21043498106
46%

README BADGES
x

Markdown

Textile

RDoc

HTML

Rst

New Missed Lines in Diff

Uncovered Existing Lines

Jobs

Source Files on build 21043498106

pomerium / pomerium / 21043498106 46%

README BADGES x

Markdown

Textile

RDoc

HTML

Rst

New Missed Lines in Diff

Uncovered Existing Lines

Jobs

Source Files on build 21043498106

pomerium / pomerium / 21043498106
46%

README BADGES
x