fix(metadata): advertise refresh_token in grant_types_supported

caiopavanelli · cursoragent · caiopavanelli · commit 0ea9d3e1f373 · 2026-06-02T10:33:43.000-03:00
Discovery endpoints listed only authorization_code while /oauth/token
already handled refresh_token. Conformant MCP clients skip silent renewal
when grant_types_supported omits refresh_token (RFC 8414).

Upstream PR candidate for tuannvm/oauth-mcp-proxy.

Co-authored-by: Cursor &lt;cursoragent@cursor.com&gt;
diff --git a/metadata.go b/metadata.go
@@ -47,7 +47,7 @@ func (h *OAuth2Handler) HandleMetadata(w http.ResponseWriter, r *http.Request) {
 		"registration_endpoint":    fmt.Sprintf("%s/oauth/register", h.config.MCPURL),
 		"response_types_supported": []string{"code"},
 		"response_modes_supported": []string{"query"},
-		"grant_types_supported":    []string{"authorization_code"},
+		"grant_types_supported":    []string{"authorization_code", "refresh_token"},
 	}
 
 	// Add provider-specific metadata
@@ -247,7 +247,7 @@ func (h *OAuth2Handler) HandleOIDCDiscovery(w http.ResponseWriter, r *http.Reque
 		"registration_endpoint":                 fmt.Sprintf("%s/oauth/register", h.config.MCPURL),
 		"response_types_supported":              []string{"code"},
 		"response_modes_supported":              []string{"query"},
-		"grant_types_supported":                 []string{"authorization_code"},
+		"grant_types_supported":                 []string{"authorization_code", "refresh_token"},
 		"token_endpoint_auth_methods_supported": []string{"none"},
 		"code_challenge_methods_supported":      []string{"plain", "S256"},
 		"subject_types_supported":               []string{"public"},
@@ -288,7 +288,7 @@ func (h *OAuth2Handler) GetAuthorizationServerMetadata() map[string]interface{}
 			"issuer":                                h.config.Issuer, // OAuth provider issuer
 			"response_types_supported":              []string{"code"},
 			"response_modes_supported":              []string{"query"},
-			"grant_types_supported":                 []string{"authorization_code"},
+			"grant_types_supported":                 []string{"authorization_code", "refresh_token"},
 			"token_endpoint_auth_methods_supported": []string{"none"},
 			"code_challenge_methods_supported":      []string{"plain", "S256"},
 			"scopes_supported":                      h.config.Scopes,
@@ -320,7 +320,7 @@ func (h *OAuth2Handler) GetAuthorizationServerMetadata() map[string]interface{}
 			"jwks_uri":                              fmt.Sprintf("%s/.well-known/jwks.json", h.config.MCPURL),
 			"response_types_supported":              []string{"code"},
 			"response_modes_supported":              []string{"query"},
-			"grant_types_supported":                 []string{"authorization_code"},
+			"grant_types_supported":                 []string{"authorization_code", "refresh_token"},
 			"token_endpoint_auth_methods_supported": []string{"none"},
 			"code_challenge_methods_supported":      []string{"plain", "S256"},
 			"scopes_supported":                      h.config.Scopes,
