Persist DCR client credentials for OAuth session restoration #3418
+232
−5
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Extend OAuth token persistence to also store Dynamic Client Registration (DCR) client credentials. This enables workloads that use DCR (like Datadog and Glean) to restore OAuth sessions across restarts without requiring a new browser-based authentication flow. Changes: - Add CachedClientIDRef and CachedClientSecretRef fields to remote.Config - Add HasCachedClientCredentials() and ClearCachedClientCredentials() helpers - Add TokenTypeOAuthClientID to secrets for secure storage - Expose ClientID and ClientSecret in OAuthFlowResult from discovery - Add ClientCredentialsPersister type for DCR credential persistence - Update handler to restore and persist DCR credentials - Update runner to wire up the client credentials persister For PKCE flows (like Datadog), only the client_id is persisted since no client_secret is issued. Closes stacklokgh-3335 Signed-off-by: Frederic Le Feurmou <flfeurmou@indeed.com>
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #3418 +/- ##
==========================================
+ Coverage 64.79% 65.10% +0.30%
==========================================
Files 381 404 +23
Lines 37149 39376 +2227
==========================================
+ Hits 24071 25634 +1563
- Misses 11191 11756 +565
- Partials 1887 1986 +99 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
Signed-off-by: Frederic Le Feurmou <flfeurmou@indeed.com>
github-actions
bot
added
size/S
amirejaz
requested changes
Jan 23, 2026
github-actions
bot
added
size/S
Contributor
Author
|
Addressed the review feedback: ✅ ClientID as plain text: Changed ✅ Added DCR metadata fields:
⏸️ Expiration handling logic: The fields are in place, but I haven't implemented the actual expiration check and re-registration flow yet. Let me know if that's needed in this PR or if it can be a follow-up. |
- Store ClientID as plain text instead of secret reference (it's public) - Add CachedClientSecretExpiresAt field for expiration tracking - Add CachedRegistrationAccessTokenRef field for registration updates - Update handler to use plain text ClientID - Simplify runner.go to not store ClientID in secret manager
flfeurmou-indeed
force-pushed
the
fix/persist-dcr-credentials
branch
from
a4098ec to
0127cb4
Compare
github-actions
bot
added
size/S
amirejaz
reviewed
Jan 28, 2026
Contributor
|
@flfeurmou-indeed that makes sense. I’ll create a separate issue to handle client secret expiry. I’ve added a couple of comments; once those are addressed, we can merge this PR and handle client secret expiry in a follow-up PR. |
- Remove TokenTypeOAuthClientID from secrets.go (client_id stored as plain text) - Use lowercase test values for CachedClientID to reflect plain text storage Signed-off-by: Frederic Le Feurmou <flfeurmou@indeed.com>
flfeurmou-indeed
requested review from
ChrisJBurns,
JAORMX,
dmjb,
eleftherias,
jhrozek,
lujunsan and
yrobla
as code owners
github-actions
bot
added
size/S
amirejaz
approved these changes
Jan 30, 2026
Contributor
|
@flfeurmou-indeed Thanks for addressing the feedback 🚀 I’ve approved the PR. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Extend OAuth token persistence to also store Dynamic Client Registration (DCR) client credentials. This enables workloads that use DCR (like Datadog and Glean) to restore OAuth sessions across restarts without requiring a new browser-based authentication flow.
This PR builds on #3382 which added refresh token persistence, addressing the remaining issue where DCR servers still required re-authentication because the dynamically registered
client_id(andclient_secretwhere applicable) were lost on restart.Problem
Remote MCP servers that use Dynamic Client Registration (e.g., Datadog, Glean) would lose their OAuth sessions after workload restarts because:
client_idwas not persistedclient_id, the token refresh request fails with "Client ID is required" or similar errorsSolution
Store DCR client credentials in the secret manager alongside refresh tokens:
CachedClientIDRef: Reference to the stored client IDCachedClientSecretRef: Reference to the stored client secret (when issued)For PKCE flows (like Datadog), only the
client_idis persisted since noclient_secretis issued.Changes
CachedClientIDRefandCachedClientSecretReffields toremote.ConfigHasCachedClientCredentials()andClearCachedClientCredentials()helper methodsTokenTypeOAuthClientIDto secrets for secure storageClientIDandClientSecretinOAuthFlowResultfrom discoveryClientCredentialsPersistertype for DCR credential persistenceTesting
HasCachedClientCredentialsandClearCachedClientCredentialsRelated
Closes #3335