Oauth2 Flow conflict with MCPToolSet discovery of tools

[davidkl97]

Hey folks, I have a problem of authorization access to OAuth2 based remote MCP server.
MCPToolSet discover new tools via get_tools which creates a session. As the session is not authorized and exchanged for access token, it fails to retrieve the tools.

Looks like the reactive tool auth request flow in this case doesn't fit as its scoped to specific tool while here its more of discovery of tools which should be invoked in earlier lifecycles.

Would like to hear your opinions and suggestions how to tackle this.

Related work: #2061

[enxilium]

As an aside, since it seems we are working on similar things, do you know if loading the MCP servers normally is computationally heavy? Is it possible to load them beforehand so when the session with the agent initializes, it's as fast as possible?

[davidkl97]

hey @seanzhou1023 , do you have suggestion how to approach this?

[blcvt]

Working on the same thing. My issue so far is that MCPTools should be able to handle the auth discovery endpoints and trigger oauth upon receiving a 401 error but instead just crashes.

[priyayarrabolu-boop]

Hey, I am also going through a similar issue. Did you get it resolved?

[statechny]

My workaround:

In get_tools(), I check whether the Authorization header exists
(i.e., whether the user has already completed OAuth).
If not, I simply return an empty list without calling session.list_tools().

This prevents ADK from hitting the MCP server before the user is authenticated:

class SafeMcpToolset(McpToolset):
    @retry_on_closed_resource
    async def get_tools(self, readonly_context=None):
        headers = (
            self._header_provider(readonly_context)
            if self._header_provider and readonly_context
            else None
        )

        # User is not authenticated → skip MCP discovery
        if not headers or "Authorization" not in headers:
            return []

        try:
            return await super().get_tools(readonly_context)
        except asyncio.CancelledError as e:
            raise