Implement refresh tokens + caching of user_info #96
Draft
bgaidioz wants to merge 21 commits into main from feature/oauth-refresh-tokens
- Add thread-safe caching to prevent repeated provider API calls
- Cache user context with configurable TTL (default 5 minutes)
- Implement automatic cleanup of expired cache entries
- Add comprehensive logging for cache hits/misses/cleanup
- Maintain backward compatibility with existing middleware interface
This addresses the performance issue where every MCP tool execution was making HTTP requests to OAuth providers (Keycloak, Google, etc.) to fetch the same user information repeatedly.
Performance improvement: ~95% reduction in provider API calls for typical usage patterns within the cache TTL window.

- Move cache HIT messages to DEBUG level (frequent, low importance)
- Move cache STORE messages to DEBUG level (internal operation)
- Keep cache MISS messages at INFO level (important for monitoring API usage)
- Keeps logs cleaner while preserving visibility into provider API calls

- Add cache_ttl field to UserAuthConfig and AuthConfig types
- Update translate_auth_config to pass cache_ttl from user config to SDK
- Modify middleware initialization to use configured cache_ttl value
- Maintain backward compatibility with default TTL when not specified
Users can now configure OAuth cache TTL in their auth config:
This allows environment-specific tuning of cache behavior while maintaining the default 5-minute TTL for existing configurations.

This prevents cache entries from becoming orphaned when external tokens are refreshed. The MCP token remains stable throughout the session, making it a more reliable cache key.

Adds per-MCP-token locks to prevent multiple concurrent requests from triggering parallel refresh attempts for the same token. Includes optimization to check if another request already completed the refresh before proceeding.

Replaces fragile hasattr() checks with explicit HTTPException type checking for 401 errors. Adds separate handling for non-HTTP exceptions with proper logging for better debugging.

- DEBUG: Normal operations (cache hits/stores, token validation, client lookups)
- INFO: Important events (token refresh attempts/success, errors)
- Reduces log noise in production while keeping essential information
0013dbe to 5d42b9c
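The caching and locking pattern the commit messages above describe, as an added example that is not code from this pull request: a TTL cache keyed by the stable MCP token, with one lock per token and a second cache check once the lock is held, so concurrent requests result in a single provider call. The class name `UserContextCache`, the `fetch` callback and the use of `threading` are assumptions.

```python
import threading
import time
from typing import Callable, Dict, Optional, Tuple


class UserContextCache:
    """TTL cache of user context keyed by MCP token (hypothetical class, not the project's)."""

    def __init__(self, ttl: float = 300.0, clock: Callable[[], float] = time.monotonic):
        self._ttl = ttl  # seconds; 300 mirrors the 5-minute default named in the commits
        self._clock = clock
        self._entries: Dict[str, Tuple[float, dict]] = {}  # token -> (expiry, context)
        self._locks: Dict[str, threading.Lock] = {}        # token -> fetch lock
        self._guard = threading.Lock()                     # protects both dicts

    def _lock_for(self, mcp_token: str) -> threading.Lock:
        with self._guard:
            return self._locks.setdefault(mcp_token, threading.Lock())

    def _fresh(self, mcp_token: str) -> Optional[dict]:
        with self._guard:
            entry = self._entries.get(mcp_token)
            if entry and entry[0] > self._clock():
                return entry[1]
            return None  # missing or expired: never serve context past its TTL

    def get(self, mcp_token: str, fetch: Callable[[], dict]) -> dict:
        cached = self._fresh(mcp_token)
        if cached is not None:
            return cached  # cache hit: no provider call
        with self._lock_for(mcp_token):
            # Another request may have finished the fetch while this one waited.
            cached = self._fresh(mcp_token)
            if cached is not None:
                return cached
            context = fetch()  # the only provider call for this token in this TTL window
            with self._guard:
                self._entries[mcp_token] = (self._clock() + self._ttl, context)
            return context

    def cleanup(self) -> int:
        """Drop expired entries; locks stay so a waiter never lands on a different lock."""
        now = self._clock()
        with self._guard:
            expired = [k for k, (exp, _) in self._entries.items() if exp <= now]
            for key in expired:
                del self._entries[key]
            return len(expired)
```

The TTL also bounds how long a cached user context keeps being used after the provider-side state changes, which is the trade-off to weigh when raising `cache_ttl`.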
Description
Brief description of the changes in this PR.
Type of Change
Testing
uv run pytest
uv run ruff check .
uv run black --check .
uv run mypy .
Security Considerations
Breaking Changes
If this is a breaking change, describe what users need to do to migrate:
Additional Notes
Any additional context or screenshots.