Best way to handle OAuth with the C# MCP client? Slightly different flow #721
Unanswered
RohanChintakindi
asked this question in
Q&A
Replies: 0 comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
Pre-submission Checklist
Question Category
Your Question
I’m trying to integrate the C# MCP client (with Authorization) into my program, but I’m hitting issues with how token state is managed.
My desired flow looks like this:
MCP client calls the MCP server → gets a 401 → queries PRM/AS metadata.
Backend crafts the auth URL with PKCE and passes it to the frontend.
User logs in in the browser, frontend captures the code, and posts it (with PKCE verifier) back to the backend.
Backend exchanges the code at the token endpoint, stores the access_token/refresh_token, and forwards the access_token to the frontend (Redux/browser storage).
Later I want to refresh tokens in the backend, but the SDK abstracts away the token endpoint and isn’t stateful.
Complication: my app instantiates a new MCP client on every request through Semantic Kernel, so I can’t rely on the SDK holding onto token state. Right now it looks like I’d need my own token broker, but that defeats some of the built-in OAuth support in the SDK.
Questions:
Should I roll my own OAuth/token broker that handles discovery, exchange, and refresh, then inject tokens into the MCP client?
Or should I fork the SDK to expose the token endpoint/state?
Is there a supported pattern to reuse tokens and handle refresh with Semantic Kernel in this setup?
What’s the best option here?
Beta Was this translation helpful? Give feedback.
All reactions