Tokens can be cached beyond the lifetime of the (http) transport.

Author: halllo

src/ModelContextProtocol.Core/Authentication/ClientOAuthOptions.cs

@@ -86,4 +86,10 @@ public sealed class ClientOAuthOptions
     /// </para>
     /// </remarks>
     public IDictionary<string, string> AdditionalAuthorizationParameters { get; set; } = new Dictionary<string, string>();
+
+    /// <summary>
+    /// Gets or sets the token cache to use for storing and retrieving tokens beyond the lifetime of the transport.
+    /// If none is provided, tokens will be cached with the transport.
+    /// </summary>
+    public ITokenCache? TokenCache { get; set; }
 }

src/ModelContextProtocol.Core/Authentication/ClientOAuthProvider.cs

@@ -40,7 +40,7 @@ internal sealed partial class ClientOAuthProvider
     private string? _clientId;
     private string? _clientSecret;
 
-    private TokenContainer? _token;
+    private ITokenCache _tokenCache;
     private AuthorizationServerMetadata? _authServerMetadata;
 
     /// <summary>
@@ -82,6 +82,7 @@ public ClientOAuthProvider(
         _dcrClientUri = options.DynamicClientRegistration?.ClientUri;
         _dcrInitialAccessToken = options.DynamicClientRegistration?.InitialAccessToken;
         _dcrResponseDelegate = options.DynamicClientRegistration?.ResponseDelegate;
+        _tokenCache = options.TokenCache ?? new InMemoryTokenCache();
     }
 
     /// <summary>
@@ -135,20 +136,22 @@ public ClientOAuthProvider(
     {
         ThrowIfNotBearerScheme(scheme);
 
+        var token = await _tokenCache.GetTokenAsync(cancellationToken).ConfigureAwait(false);
+
         // Return the token if it's valid
-        if (_token != null && _token.ExpiresAt > DateTimeOffset.UtcNow.AddMinutes(5))
+        if (token != null && token.ExpiresAt > DateTimeOffset.UtcNow.AddMinutes(5))
         {
-            return _token.AccessToken;
+            return token.AccessToken;
         }
 
         // Try to refresh the token if we have a refresh token
-        if (_token?.RefreshToken != null && _authServerMetadata != null)
+        if (token?.RefreshToken != null && _authServerMetadata != null)
         {
-            var newToken = await RefreshTokenAsync(_token.RefreshToken, resourceUri, _authServerMetadata, cancellationToken).ConfigureAwait(false);
+            var newToken = await RefreshTokenAsync(token.RefreshToken, resourceUri, _authServerMetadata, cancellationToken).ConfigureAwait(false);
             if (newToken != null)
             {
-                _token = newToken;
-                return _token.AccessToken;
+                await _tokenCache.StoreTokenAsync(newToken, cancellationToken).ConfigureAwait(false);
+                return newToken.AccessToken;
             }
         }
 
@@ -234,7 +237,7 @@ private async Task PerformOAuthAuthorizationAsync(
             ThrowFailedToHandleUnauthorizedResponse($"The {nameof(AuthorizationRedirectDelegate)} returned a null or empty token.");
         }
 
-        _token = token;
+        await _tokenCache.StoreTokenAsync(token, cancellationToken).ConfigureAwait(false);
         LogOAuthAuthorizationCompleted();
     }
 

src/ModelContextProtocol.Core/Authentication/ITokenCache.cs

@@ -0,0 +1,17 @@
+namespace ModelContextProtocol.Authentication;
+
+/// <summary>
+/// Allows the client to cache access tokens beyond the lifetime of the transport.
+/// </summary>
+public interface ITokenCache
+{
+    /// <summary>
+    /// Cache the token.
+    /// </summary>
+    Task StoreTokenAsync(TokenContainer token, CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Get the cached token.
+    /// </summary>
+    Task<TokenContainer?> GetTokenAsync(CancellationToken cancellationToken);
+}

src/ModelContextProtocol.Core/Authentication/InMemoryTokenCache.cs

@@ -0,0 +1,27 @@
+
+namespace ModelContextProtocol.Authentication;
+
+/// <summary>
+/// Caches the token in-memory within this instance.
+/// </summary>
+internal class InMemoryTokenCache : ITokenCache
+{
+    private TokenContainer? _token;
+
+    /// <summary>
+    /// Cache the token.
+    /// </summary>
+    public Task StoreTokenAsync(TokenContainer token, CancellationToken cancellationToken)
+    {
+        _token = token;
+        return Task.CompletedTask;
+    }
+
+    /// <summary>
+    /// Get the cached token.
+    /// </summary>
+    public Task<TokenContainer?> GetTokenAsync(CancellationToken cancellationToken)
+    {
+        return Task.FromResult(_token);
+    }
+}

src/ModelContextProtocol.Core/Authentication/TokenContainer.cs

@@ -5,7 +5,7 @@ namespace ModelContextProtocol.Authentication;
 /// <summary>
 /// Represents a token response from the OAuth server.
 /// </summary>
-internal sealed class TokenContainer
+public sealed class TokenContainer
 {
     /// <summary>
     /// Gets or sets the access token.
@@ -46,7 +46,7 @@ internal sealed class TokenContainer
     /// <summary>
     /// Gets or sets the timestamp when the token was obtained.
     /// </summary>
-    [JsonIgnore]
+    [JsonPropertyName("obtained_at")]
     public DateTimeOffset ObtainedAt { get; set; }
 
     /// <summary>