1
46%
main: 46%

Ran 21 Apr 2026 07:01PM UTC

Files 696

Run time 18s

Badge

Embed ▾

Committed 21 Apr 2026 06:44PM UTC coverage: 45.684% (+0.07%) from 45.619%

Job # 24740199847.1

Build Type

push

github

Committed by

web-flow

Commit Message

mcp: refresh expired upstream token before forcing reauth (#6282)

## Summary

`/.pomerium/mcp/authorize` and `/.pomerium/mcp/connect` forced a full
interactive OAuth flow whenever the cached `UpstreamMCPToken` was past
its expiry, even when a valid `refresh_token` was on hand. Now attempt a
silent refresh first; on permanent failure drop the stale token and fall
through as before.

## Related issues


[ENG-3927](https://linear.app/pomerium/issue/ENG-3927/mcp-authorize-handler-doesnt-refresh-expired-upstreammcptoken-triggers)

## User Explanation

MCP clients no longer get bounced through a full upstream OAuth consent
page once a day when their cached access token expires; a fresh token is
fetched silently from the upstream's `token_endpoint`.

## Checklist

- [x] reference any related issues
- [x] updated unit tests
- [x] add appropriate label (`bug`)
- [ ] ready for review

Coverage Stats

35553 of 77823 relevant lines covered (45.68%)

114.87 hits per line

pomerium / pomerium / 24740199847 / 1
46%
main: 46%

README BADGES
x

Markdown

Textile

RDoc

HTML

Rst

Source Files on job 24740199847.1

pomerium / pomerium / 24740199847 / 1 46% main: 46%

README BADGES x

Markdown

Textile

RDoc

HTML

Rst

Source Files on job 24740199847.1

pomerium / pomerium / 24740199847 / 1
46%
main: 46%

README BADGES
x