
fix(core): refresh MCP OAuth token usage after re-auth#26312

Open
sahilkirad wants to merge 5 commits into google-gemini:main from sahilkirad:feature-sahil-mcp-oauth-issue-fix

Conversation

@sahilkirad
Contributor

Summary

Fixes MCP OAuth token reuse after token refresh/re-auth.

Previously, transport auth could continue using a stale access token until CLI restart.
This change makes token retrieval dynamic so refreshed/stored tokens are used without restarting Gemini CLI.

Closes #18895

Details

  • Added a dynamic OAuth auth provider path in MCP transport creation.
  • For oauth.enabled servers, token is fetched via getValidToken(...) at auth time.
  • For stored-token flow (without explicit oauth.enabled), token is also resolved dynamically.
  • Added/updated regression coverage in MCP client transport OAuth tests to verify dynamic token behavior.

Related issues

Validation

Ran successfully:

  • npm run build --workspace @google/gemini-cli-core
  • npm run test --workspace @google/gemini-cli-core -- src/tools/mcp-client.test.ts
    • Result: all tests passed (including OAuth transport cases)

Notes

  • No user-facing command/flag changes.
  • No docs update required for this fix.

@sahilkirad sahilkirad requested a review from a team as a code owner May 1, 2026 04:34
@gemini-code-assist
Contributor

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses an issue where MCP OAuth tokens would become stale, requiring a full CLI restart to refresh. By introducing a dynamic token provider, the system now resolves tokens at the time of authentication, ensuring that refreshed or updated credentials are used immediately. This change improves the robustness of the Gemini CLI's authentication flow for MCP servers.

Highlights

  • Dynamic OAuth Token Retrieval: Implemented a dynamic token provider for MCP transports, ensuring that OAuth tokens are refreshed or retrieved at request time rather than being cached at transport creation.
  • Improved Auth Handling: Updated the transport creation logic to support both explicit OAuth-enabled servers and stored-token flows, allowing for seamless re-authentication without requiring a CLI restart.
  • Regression Testing: Added comprehensive test cases to verify that the MCP client correctly utilizes the dynamic auth provider for both new and stored OAuth tokens.

@github-actions

github-actions Bot commented May 1, 2026

🛑 Action Required: Evaluation Approval

Steering changes have been detected in this PR. To prevent regressions, a maintainer must approve the evaluation run before this PR can be merged.

Maintainers:

  1. Go to the Workflow Run Summary.
  2. Click the yellow 'Review deployments' button.
  3. Select the 'eval-gate' environment and click 'Approve'.

Once approved, the evaluation results will be posted here automatically.

Contributor

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request implements dynamic OAuth token retrieval for MCP clients by introducing the DynamicStoredOAuthProvider class. This allows tokens to be looked up or refreshed at request time rather than being fixed at transport creation. The createTransport function was updated to utilize this dynamic provider when OAuth is enabled or stored credentials are detected. Feedback was provided regarding the efficiency of the tokens() method in DynamicStoredOAuthProvider, specifically noting that instantiating storage and provider classes within the method leads to redundant disk I/O and should be refactored to use instance-scoped fields.

Comment thread packages/core/src/tools/mcp-client.ts
@gemini-cli gemini-cli Bot added the labels priority/p2 (Important but can be addressed in a future release), area/core (Issues related to User Interface, OS Support, Core Functionality) and help wanted (We will accept PRs from all issues marked as "help wanted". Thanks for your support!) May 1, 2026
@sahilkirad sahilkirad requested review from a team as code owners May 1, 2026 05:31
@sahilkirad
Contributor Author

Hi maintainers, all requested MCP OAuth fixes are pushed and tests were updated accordingly.
Evaluate Steering & Regressions is currently waiting for eval-gate deployment approval.
Could you please approve the eval-gate environment for this PR? Thank you.

Collaborator

@scidomino scidomino left a comment


Gemini spotted two issues:

  1. Severe Performance Hit on HTTP Transports: The MCP SDK’s StreamableHTTPClientTransport calls authProvider.tokens() for every single RPC request (inside _commonHeaders()).

    • DynamicStoredOAuthProvider.tokens() delegates to oauthProvider.getValidToken().
    • getValidToken() calls tokenStorage.getCredentials(), which reads and parses the JSON file from the disk (or queries the system Keychain if using encrypted storage) synchronously/asynchronously.
    • Impact: This means every single MCP message sent via HTTP will perform a disk read or a slow Keychain lookup.
    • Recommendation: DynamicStoredOAuthProvider should cache the accessToken and expiresAt in memory, and only re-fetch/refresh when the token is expired (e.g., adding a 5-minute buffer).
  2. Redundant Storage Reads on Fallback: When oauth.enabled is falsy in the config, the tokens() method manually retrieves the clientId by calling this.tokenStorage.getCredentials(this.serverName). It then passes this clientId to this.oauthProvider.getValidToken(...), which internally calls getCredentials(...) again. This results in two back-to-back disk/keychain reads for a single request.

    • Recommendation: Can be fixed by reusing the retrieved credentials or by caching in memory (as per issue #1).
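The in-memory caching the review above asks for, together with the dynamic token resolution the PR description introduces under "Details", as an added TypeScript example that is not code from this PR or from Gemini CLI. The names StoredCredentials, CredentialLoader, CachingOAuthProvider and makeStore are this example's own; the injected loader stands in for the project's getValidToken(...) storage/refresh path, the in-memory store is constructed, and the tokens() shape (access_token, token_type) is assumed to be what the transport consumes. The scenario at the end also makes the caveat explicit: once tokens are cached, a re-authentication that writes a new token to storage is only picked up when the cache is invalidated or the old token ages out, so the re-auth (or 401) path must call invalidate().

```typescript
// Added example, not Gemini CLI code. An in-memory cache in front of a slow,
// storage-backed token lookup, so a transport that calls tokens() on every
// RPC does not read a file or query the keychain on every message.

export interface StoredCredentials {
  accessToken: string;
  /** Unix epoch milliseconds; undefined means the server reported no expiry. */
  expiresAt?: number;
  clientId?: string;
}

/** The slow path: file read or keychain query, plus refresh if needed.
 *  In the project this role is played by getValidToken(...); here it is
 *  an injected function (assumption for the example). */
export type CredentialLoader = (
  serverName: string,
) => Promise<StoredCredentials | null>;

/** Assumed shape of what the transport puts in the Authorization header. */
export interface OAuthTokensLike {
  access_token: string;
  token_type: "Bearer";
}

export class CachingOAuthProvider {
  private cached: StoredCredentials | null = null;
  /** Number of slow-path reads performed; instrumentation for the reader. */
  public loads = 0;

  constructor(
    private readonly serverName: string,
    private readonly fetchValidToken: CredentialLoader,
    private readonly refreshBufferMs = 5 * 60 * 1000,
    private readonly now: () => number = () => Date.now(),
  ) {}

  /** Fresh means: not within refreshBufferMs of expiry. No expiry recorded
   *  means the token is served until invalidate() is called. */
  private isFresh(c: StoredCredentials): boolean {
    if (c.expiresAt === undefined) return true;
    return this.now() + this.refreshBufferMs < c.expiresAt;
  }

  async tokens(): Promise<OAuthTokensLike | undefined> {
    if (this.cached && this.isFresh(this.cached)) {
      return { access_token: this.cached.accessToken, token_type: "Bearer" };
    }
    this.loads += 1;
    // One storage read per cache miss; the loader is expected to refresh
    // via the refresh token when the stored access token is expired.
    const loaded = await this.fetchValidToken(this.serverName);
    this.cached = loaded;
    return loaded
      ? { access_token: loaded.accessToken, token_type: "Bearer" }
      : undefined;
  }

  /** Call after a 401 or after re-authentication so the next RPC re-reads storage. */
  invalidate(): void {
    this.cached = null;
  }
}

/** Constructed in-memory stand-in for the credential file / keychain. */
export function makeStore(initial: StoredCredentials | null) {
  let current = initial;
  return {
    set(c: StoredCredentials | null): void {
      current = c;
    },
    loader: async (_serverName: string): Promise<StoredCredentials | null> =>
      current,
  };
}

/** Walks through 100 RPCs, expiry inside the buffer, and a re-auth. */
export async function scenario(): Promise<{
  loadsAfter100Rpcs: number;
  loadsAfterExpiry: number;
  tokenBeforeInvalidate?: string;
  tokenAfterReauth?: string;
}> {
  let clock = 1_000_000; // constructed fake clock, ms
  const hour = 60 * 60 * 1000;
  const store = makeStore({ accessToken: "tok-A", expiresAt: clock + hour });
  const provider = new CachingOAuthProvider(
    "demo-server", store.loader, 5 * 60 * 1000, () => clock);

  for (let i = 0; i < 100; i++) await provider.tokens(); // 100 RPCs, 1 read
  const loadsAfter100Rpcs = provider.loads;

  clock += 56 * 60 * 1000; // now inside the 5-minute buffer before expiry
  store.set({ accessToken: "tok-B", expiresAt: clock + hour }); // "refreshed"
  await provider.tokens(); // cache miss -> second read picks up tok-B
  const loadsAfterExpiry = provider.loads;

  // Re-auth writes tok-C to storage out of band. Without invalidate() the
  // cached tok-B is still served; with it, the next RPC uses tok-C.
  store.set({ accessToken: "tok-C", expiresAt: clock + hour });
  const tokenBeforeInvalidate = (await provider.tokens())?.access_token;
  provider.invalidate();
  const tokenAfterReauth = (await provider.tokens())?.access_token;

  return { loadsAfter100Rpcs, loadsAfterExpiry, tokenBeforeInvalidate, tokenAfterReauth };
}
```

The clientId from the same stored record is available on the cached object, which is the other point in the review: the fallback path should pass along what it already read instead of calling getCredentials a second time.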

@sahilkirad
Contributor Author

Okay @scidomino sir, will do those changes.

@sahilkirad
Contributor Author

Hello @scidomino sir, I have fixed the issues:

  • Added in-memory token caching in DynamicStoredOAuthProvider with a 5-minute buffer.
  • Avoided redundant storage reads in fallback flow.
  • Updated/added tests for dynamic authProvider behavior and caching path.

Validated locally:

  • npm run test --workspace @google/gemini-cli-core -- src/tools/mcp-client.test.ts
  • npm run build --workspace @google/gemini-cli-core

@sahilkirad sahilkirad requested a review from scidomino May 5, 2026 09:46


Development

Successfully merging this pull request may close these issues.

CLI cannot use fresh token in MCP OAuth

2 participants