Using lastUpscopingHeader to track last upscoping header to prevent infinite upscoping.

Nayana-Parameswarappa · Nayana-Parameswarappa · commit fde7fc41d2fa · 2025-11-14T10:34:57.000-08:00
diff --git a/src/client/auth.ts b/src/client/auth.ts
@@ -348,7 +348,7 @@ async function authInternal(
 ): Promise<AuthResult> {
     let resourceMetadata: OAuthProtectedResourceMetadata | undefined;
     let authorizationServerUrl: string | URL | undefined;
-    
+
     try {
         resourceMetadata = await discoverOAuthProtectedResourceMetadata(serverUrl, { resourceMetadataUrl }, fetchFn);
         if (resourceMetadata.authorization_servers && resourceMetadata.authorization_servers.length > 0) {
diff --git a/src/client/streamableHttp.ts b/src/client/streamableHttp.ts
@@ -133,7 +133,7 @@ export class StreamableHTTPClientTransport implements Transport {
     private _reconnectionOptions: StreamableHTTPReconnectionOptions;
     private _protocolVersion?: string;
     private _hasCompletedAuthFlow = false; // Circuit breaker: detect auth success followed by immediate 401
-    private _hasTriedUpscoping = false; // Circuit breaker: detect upscoping attempt followed by immediate 403
+    private _lastUpscopingHeader?: string; // Track last upscoping header to prevent infinite upscoping.
 
     onclose?: () => void;
     onerror?: (error: Error) => void;
@@ -469,8 +469,10 @@ export class StreamableHTTPClientTransport implements Transport {
                     const error = extractFieldFromWwwAuth(response, 'error');
 
                     if (error === 'insufficient_scope') {
-                        // Prevent infinite recursion when upscoping was already tried.
-                        if (this._hasTriedUpscoping) {
+                        const wwwAuthHeader = response.headers.get('WWW-Authenticate');
+
+                        // Check if we've already tried upscoping with this header to prevent infinite loops.
+                        if (this._lastUpscopingHeader === wwwAuthHeader) {
                             throw new StreamableHTTPError(403, 'Server returned 403 after trying upscoping');
                         }
 
@@ -485,7 +487,7 @@ export class StreamableHTTPClientTransport implements Transport {
                         }
 
                         // Mark that upscoping was tried.
-                        this._hasTriedUpscoping = true;
+                        this._lastUpscopingHeader = wwwAuthHeader ?? undefined;
                         const result = await auth(this._authProvider, {
                             serverUrl: this._url,
                             resourceMetadataUrl: this._resourceMetadataUrl,
@@ -507,7 +509,7 @@ export class StreamableHTTPClientTransport implements Transport {
 
             // Reset auth loop flag on successful response
             this._hasCompletedAuthFlow = false;
-            this._hasTriedUpscoping = false;
+            this._lastUpscopingHeader = undefined;
 
             // If the response is 202 Accepted, there's no body to process
             if (response.status === 202) {
