Surface rejected OAuth token refreshes as auth failures#1422
Merged
Conversation
A refresh-token grant the authorization server rejects with an RFC 6749 error code other than invalid_grant was classified as a StorageError, which the sandbox boundary scrubs to "Internal tool error [id]" - the caller had no signal that the connection needed re-authentication. Any refresh rejection carrying an RFC 6749 error code now maps to CredentialResolutionError, so it reaches the sandbox as an oauth_refresh_failed auth failure with the server's error code and description (invalid_grant still maps to oauth_reauth_required). Code-less failures (transport blips, non-OAuth-shaped responses) stay StorageError so the next invoke retries.
Deploying with
|
| Status | Name | Latest Commit | Updated (UTC) |
|---|---|---|---|
| ✅ Deployment successful! View logs |
executor-cloud | 35d0586 | Jul 16 2026, 05:18 PM |
Deploying with
|
| Status | Name | Latest Commit | Preview URL | Updated (UTC) |
|---|---|---|---|---|
| ✅ Deployment successful! View logs |
executor-marketing | 35d0586 | Commit Preview URL Branch Preview URL |
Jul 16 2026, 05:17 PM |
Contributor
Cloudflare previewTorn down — the PR is closed. |
@executor-js/cli
@executor-js/config
@executor-js/execution
@executor-js/sdk
@executor-js/codemode-core
@executor-js/runtime-quickjs
@executor-js/plugin-file-secrets
@executor-js/plugin-graphql
@executor-js/plugin-keychain
@executor-js/plugin-mcp
@executor-js/plugin-onepassword
@executor-js/plugin-openapi
executor
commit: |
The scenario now invokes the tool through a real MCP session (the channel the regression actually hid the failure on) instead of the executions API, so it covers dispatch, classification, and MCP result rendering end to end.
RhysSullivan
marked this pull request as ready for review
July 16, 2026 21:26
Merged
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
When the authorization server rejects a refresh-token grant with an RFC 6749 error code other than
invalid_grant, the failure was classified as a storage error and reached the sandbox as an opaque "Internal tool error". It now surfaces as anoauth_refresh_failedauth failure carrying the server's error code and description, so callers know the connection needs re-authenticating.invalid_grantstill classifies asoauth_reauth_required, and code-less failures (transport blips) keep retrying as before.Covered by a unit repro at the tool-dispatch boundary and a cross-target e2e scenario (
oauth-refresh-rejected) that completes a real authorization-code flow and asserts on the failure the sandbox sees.