Skip to content

Surface rejected OAuth token refreshes as auth failures#1422

Merged
RhysSullivan merged 2 commits into
mainfrom
oauth-refresh-error-surface
Jul 16, 2026
Merged

Surface rejected OAuth token refreshes as auth failures#1422
RhysSullivan merged 2 commits into
mainfrom
oauth-refresh-error-surface

Conversation

@RhysSullivan

Copy link
Copy Markdown
Collaborator

When the authorization server rejects a refresh-token grant with an RFC 6749 error code other than invalid_grant, the failure was classified as a storage error and reached the sandbox as an opaque "Internal tool error". It now surfaces as an oauth_refresh_failed auth failure carrying the server's error code and description, so callers know the connection needs re-authenticating. invalid_grant still classifies as oauth_reauth_required, and code-less failures (transport blips) keep retrying as before.

Covered by a unit repro at the tool-dispatch boundary and a cross-target e2e scenario (oauth-refresh-rejected) that completes a real authorization-code flow and asserts on the failure the sandbox sees.

A refresh-token grant the authorization server rejects with an RFC 6749
error code other than invalid_grant was classified as a StorageError,
which the sandbox boundary scrubs to "Internal tool error [id]" - the
caller had no signal that the connection needed re-authentication.

Any refresh rejection carrying an RFC 6749 error code now maps to
CredentialResolutionError, so it reaches the sandbox as an
oauth_refresh_failed auth failure with the server's error code and
description (invalid_grant still maps to oauth_reauth_required).
Code-less failures (transport blips, non-OAuth-shaped responses) stay
StorageError so the next invoke retries.
@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jul 16, 2026

Copy link
Copy Markdown

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Updated (UTC)
✅ Deployment successful!
View logs
executor-cloud 35d0586 Jul 16 2026, 05:18 PM

@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jul 16, 2026

Copy link
Copy Markdown

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Preview URL Updated (UTC)
✅ Deployment successful!
View logs
executor-marketing 35d0586 Commit Preview URL

Branch Preview URL
Jul 16 2026, 05:17 PM

@github-actions

github-actions Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Cloudflare preview

Torn down — the PR is closed.

@pkg-pr-new

pkg-pr-new Bot commented Jul 16, 2026

Copy link
Copy Markdown

Open in StackBlitz

@executor-js/cli

npm i https://pkg.pr.new/@executor-js/cli@1422

@executor-js/config

npm i https://pkg.pr.new/@executor-js/config@1422

@executor-js/execution

npm i https://pkg.pr.new/@executor-js/execution@1422

@executor-js/sdk

npm i https://pkg.pr.new/@executor-js/sdk@1422

@executor-js/codemode-core

npm i https://pkg.pr.new/@executor-js/codemode-core@1422

@executor-js/runtime-quickjs

npm i https://pkg.pr.new/@executor-js/runtime-quickjs@1422

@executor-js/plugin-file-secrets

npm i https://pkg.pr.new/@executor-js/plugin-file-secrets@1422

@executor-js/plugin-graphql

npm i https://pkg.pr.new/@executor-js/plugin-graphql@1422

@executor-js/plugin-keychain

npm i https://pkg.pr.new/@executor-js/plugin-keychain@1422

@executor-js/plugin-mcp

npm i https://pkg.pr.new/@executor-js/plugin-mcp@1422

@executor-js/plugin-onepassword

npm i https://pkg.pr.new/@executor-js/plugin-onepassword@1422

@executor-js/plugin-openapi

npm i https://pkg.pr.new/@executor-js/plugin-openapi@1422

executor

npm i https://pkg.pr.new/executor@1422

commit: 35d0586

The scenario now invokes the tool through a real MCP session (the
channel the regression actually hid the failure on) instead of the
executions API, so it covers dispatch, classification, and MCP result
rendering end to end.
@RhysSullivan
RhysSullivan marked this pull request as ready for review July 16, 2026 21:26
@RhysSullivan
RhysSullivan merged commit e2712db into main Jul 16, 2026
21 checks passed
@RhysSullivan RhysSullivan mentioned this pull request Jul 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant