dbt CLI commands fail when warehouse token expires with browser-based authentication #628
Description
Problem
When a user's dbt profile is configured with browser-based warehouse authentication (e.g., Snowflake authenticator: externalbrowser) and their cached token has expired, dbt CLI commands invoked through dbt-mcp fail.
With browser-based auth, the adapter caches tokens in the OS keychain after a successful browser SSO flow. As long as the cached token is valid, dbt commands work normally — including through dbt-mcp. However, when the token expires and the adapter needs to re-authenticate via browser, dbt-mcp cannot complete this flow because:
_run_dbt_command()runs dbt viasubprocess.Popenwithstdin=subprocess.DEVNULL- The default 60-second timeout may be too short for a user to complete browser SSO
- The user gets no feedback that browser authentication is needed
This affects dbt Core and Fusion users with local profiles.yml using browser-based SSO for their data warehouse. The dbt Cloud CLI is not affected since warehouse authentication is handled server-side.
Affected adapters
Any adapter that supports browser-based authentication:
- Snowflake (
authenticator: externalbrowser) - BigQuery (OAuth, when not using application-default credentials)
- Databricks (browser-based SSO)
Proposed solution
Run dbt debug as an eager background task during MCP server lifespan startup (following the same pattern as the LSP eager connection). This triggers the browser auth flow early — before the user invokes any CLI tool — caches the token in the OS keychain, and makes subsequent CLI commands work without re-authentication.
If the auth check times out or fails, CLI tools return a clear, actionable error message instead of a cryptic timeout.