Issue with Refresh Token Rotation on Private MCP Server
Hello 👋 I'm working on a private MCP server behind OAuth (personal credentials). All goes well until Dust uses the refresh token to get a new access token. At this step the server rotates the refresh token and returns the new one to Dust (along with the new access token).
2025-07-23T08:14:00.338Z POST /token {
host: '(redacted)',
'content-length': '201',
accept: '*/*',
'accept-encoding': 'gzip',
'content-type': 'application/x-www-form-urlencoded',
} {
grant_type: 'refresh_token',
client_id: '0e8c4a5a-1e7c-47db-aaa4-9fd5a19714e6',
client_secret: 'cae00ad98ad7b66565619ea26afec5511f2f7a2f440bad22e08e8e660ff7dc7d',
refresh_token: 'd3d26c29-a260-4572-867b-1068b3848115'
}
ROTATE d3d26c29-a260-4572-867b-1068b3848115 7fb666c8-6c38-44dc-b78f-951f19d7fea0
2025-07-23T08:14:00.504Z res POST /token 200 [Object: null prototype] {
'x-powered-by': 'Express',
'access-control-allow-origin': '*',
'ratelimit-policy': '50;w=900',
'ratelimit-limit': '50',
'ratelimit-remaining': '49',
'ratelimit-reset': '900',
'cache-control': 'no-store',
'content-type': 'application/json; charset=utf-8',
'content-length': '399',
etag: 'W/"18f-fhpNnc5tBTw7BO6N2YKfW8qYVyg"'
} {"access_token":"(redacted)","token_type":"bearer","refresh_token":"7fb666c8-6c38-44dc-b78f-951f19d7fea0","expires_in":600,"scope":""}
Later, when Dust uses the refresh token, it still uses the previous refresh token d3d26c29... instead of the new one 7fb666c8....
2025-07-23T08:18:37.977Z POST /token {
host: '(redacted)',
'content-length': '201',
accept: '*/*',
'accept-encoding': 'gzip',
'content-type': 'application/x-www-form-urlencoded',
} {
grant_type: 'refresh_token',
client_id: '0e8c4a5a-1e7c-47db-aaa4-9fd5a19714e6',
client_secret: 'cae00ad98ad7b66565619ea26afec5511f2f7a2f440bad22e08e8e660ff7dc7d',
refresh_token: 'd3d26c29-a260-4572-867b-1068b3848115'
}
Has anyone faced this issue? Maybe refresh token rotation isn't supported by Dust?
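
The rotation behaviour described in this post, as an added example that is not part of the original post and is neither the poster's server code nor Dust's client code: RFC 6749 section 6 requires a client that receives a new refresh token to discard the old one, and a server that enforces rotation answers a replayed token with `invalid_grant`. The names `RefreshTokenStore`, `Client` and `demo`, the in-memory store, the randomly generated tokens and the choice to revoke the whole token family on reuse (the reuse-detection approach recommended in RFC 9700) are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Hypothetical in-memory store: refresh token -> { family, used }.
// A real server would persist this and bind each token to its client_id.
class RefreshTokenStore {
  constructor() { this.tokens = new Map(); this.revokedFamilies = new Set(); }
  issue(family = crypto.randomUUID()) {
    const token = crypto.randomUUID(); // constructed sample token
    this.tokens.set(token, { family, used: false });
    return token;
  }

  // grant_type=refresh_token: returns a token response or an RFC 6749 error body.
  refresh(presented) {
    const rec = this.tokens.get(presented);
    if (!rec || this.revokedFamilies.has(rec.family)) return { error: 'invalid_grant' };
    if (rec.used) {
      // A rotated-out token came back: the client did not store the new one,
      // or the token leaked. Revoke every token descended from the same grant.
      this.revokedFamilies.add(rec.family);
      return { error: 'invalid_grant' };
    }
    rec.used = true;
    return {
      access_token: crypto.randomUUID(), token_type: 'bearer',
      refresh_token: this.issue(rec.family), expires_in: 600,
    };
  }
}

// Client side: the stored refresh token must be replaced on every successful refresh.
class Client {
  constructor(store, refreshToken, persistRotation) {
    Object.assign(this, { store, refreshToken, persistRotation });
  }
  refresh() {
    const res = this.store.refresh(this.refreshToken);
    if (!res.error && this.persistRotation && res.refresh_token) {
      this.refreshToken = res.refresh_token; // discard the old token, keep the new one
    }
    return res;
  }
}

// Two consecutive refreshes, with or without persisting the rotated token.
function demo(persistRotation) {
  const store = new RefreshTokenStore();
  const client = new Client(store, store.issue(), persistRotation);
  return [client.refresh(), client.refresh()].map((r) => r.error || 'ok');
}
```

`demo(false)` sends the same refresh token twice, as in the two requests logged above; under these assumptions the second request is refused with `invalid_grant`, while `demo(true)` succeeds both times.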