dify icon indicating copy to clipboard operation
dify copied to clipboard
Published 1 month ago verified publisher icon langgenius

OAuth2 MCP Tool Calling not Refresh or Re-authenticate

Open tatwong opened this issue 3 months ago • 6 comments

Self Checks

  • [x] I have read the Contributing Guide and Language Policy.
  • [x] This is only for bug report, if you would like to ask a question, please head to Discussions.
  • [x] I have searched for existing issues search for existing issues, including closed ones.
  • [x] I confirm that I am using English to submit this report, otherwise it will be closed.
  • [x] 【中文用户 & Non English User】请使用英语提交,否则会被关闭 :)
  • [x] Please do not modify this template :) and fill in all the required fields.

Dify version

1.9.2

Cloud or Self Hosted

Cloud

Steps to reproduce

I have successfully connected to our MCP Server via OAuth2 authentication, and able to execute tool calling successfully too, however, after some time, like 30~45 minutes, the session has lost and cannot execute any MCP tools on my agent anymore.

✔️ Expected Behavior

I am expecting it would pop up the OAuth2 dialog and let me re-authenticate to the MCP Server when I am on Dify's chat (Explore) environment when chatting to my agent.

❌ Actual Behavior

No response

tatwong avatar Nov 12 '25 03:11 tatwong

This is a known limitation in Dify Cloud: when the OAuth2 token for your MCP Server expires, the backend detects the failure but does not trigger a re-authentication prompt or OAuth2 dialog in the chat (Explore) UI. Instead, tool calls simply fail with no visible response, and there is currently no built-in mechanism to automatically prompt users to re-authenticate after session expiry. This results in a silent failure rather than the expected OAuth2 dialog for re-authentication. The backend does handle token refresh and retries, but if both the access and refresh tokens are expired or invalid, the frontend does not surface a prompt to the user for re-authorization, and there is no configuration option to enable this behavior in the released version of Dify Cloud (source).

As a workaround, you may need to manually re-establish the OAuth2 connection by re-adding or re-authorizing the MCP Server integration. There is no official UI or documented flow for automatic re-authentication in the chat environment at this time.

To reply, just mention @dosu.

How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other  Chat with Dosu Join Discord Share on X

dosubot[bot] avatar Nov 12 '25 03:11 dosubot[bot]

@dosu, you mentioned it is a limtiation of Dify Cloud, what about the managed version of Dify from Azure or even On Premise version of Dify? is this supported a re-authentication?

tatwong avatar Nov 12 '25 03:11 tatwong

No, automatic OAuth2 re-authentication prompts after session expiry are not supported in the Azure-managed or On-Premise versions of Dify—this limitation applies to all deployment types, including Dify Cloud. The backend handles token refresh and expiry uniformly, and if both access and refresh tokens are expired or invalid, the frontend does not trigger a re-authentication dialog in the chat UI. There are no deployment-specific configurations or code branches for this feature; the only way to re-authenticate is to manually re-authorize the MCP integration via the UI or credential setup flow (backend logic, frontend logic).

This is a known limitation—if you need improved re-authentication UX, consider monitoring future releases or submitting a feature request.

To reply, just mention @dosu.

How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other  Chat with Dosu Join Discord Share on X

dosubot[bot] avatar Nov 12 '25 03:11 dosubot[bot]

@dosu, possible to make this an enhancement request? I am not sure if Dify team is truly aware this limitation, as this is an expected behaviour for all LLM Chat environment that support OAuth2 related tool but unfortunately Dify isnt supporting which is weird.

tatwong avatar Nov 12 '25 04:11 tatwong

There isn’t an existing enhancement request or discussion about supporting OAuth2 re-authentication dialogs after session expiry in Dify. This limitation affects all deployment types, and the current behavior is a silent failure rather than prompting users to re-authenticate.

For open-source projects like Dify, enhancements are typically tracked via GitHub issues labeled as feature requests. If you want to ensure visibility and tracking, it’s best to submit a new issue describing the expected OAuth2 re-authentication flow for LLM chat environments. This conversation also helps surface the limitation to the Dify team, so your feedback is now documented and more likely to be considered in future updates.

To reply, just mention @dosu.

How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other  Chat with Dosu Join Discord Share on X

dosubot[bot] avatar Nov 12 '25 04:11 dosubot[bot]

make this an enhancement request +1 @ @

lujin3 avatar Nov 14 '25 03:11 lujin3