fix: handle slow_down in GitHub device-flow token polling #1344

Open
friendlygeorge wants to merge 1 commit into modelcontextprotocol:main from friendlygeorge:fix/handle-slow-down-in-device-flow

@friendlygeorge

Summary

Treat slow_down as a retriable error in the GitHub device-flow token polling loop, per RFC 8628 §3.5.

Problem

When GitHub's device-flow token endpoint returns slow_down, the publisher exits with a fatal error:

Error: login failed: error polling for token: token request failed: slow_down

The login session is unrecoverable — the user must re-run the command and hope to authorize before any slow_down is emitted again.

Root Cause

In pollForToken, only authorization_pending is treated as retriable. slow_down falls into the catch-all error branch and aborts:

if tokenResp.Error == "authorization_pending" {
    time.Sleep(time.Duration(interval) * time.Second)
    continue
}
if tokenResp.Error != "" {
    return "", fmt.Errorf("token request failed: %s", tokenResp.Error)
}

Fix

Treat slow_down the same as authorization_pending but with the required interval increase (+5 seconds):

if tokenResp.Error == "authorization_pending" || tokenResp.Error == "slow_down" {
    if tokenResp.Error == "slow_down" {
        interval += 5
    }
    time.Sleep(time.Duration(interval) * time.Second)
    continue
}

Testing

The existing test infrastructure doesn't directly test pollForToken (unexported method, external test package). The fix is minimal (4 lines changed) and follows the exact pattern specified in RFC 8628 §3.5. Can verify manually:

  1. Run mcp-publisher login github
  2. Open the device URL but delay authorization past the initial polling window
  3. Observe that instead of failing, the publisher retries with increased intervals

Related

Per RFC 8628 §3.5, slow_down is not a terminal error. The client must
increase its polling interval by 5 seconds and continue. Previously,
slow_down was treated as a fatal error, causing login to fail with
"token request failed: slow_down" and forcing the user to restart.

This commit treats slow_down the same as authorization_pending but
with the required interval increase.
@friendlygeorge

Author

Hi! This PR has been open for 5 days. Just checking if there's anything I can do to help move it forward — happy to address any review feedback or make adjustments.

The fix handles the slow_down response per RFC 8628 §3.5, which is the standard retry mechanism for device-flow token polling. Without it, users get an unrecoverable error when GitHub throttles the polling interval.
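
Added example, not part of this PR or of mcp-publisher's code: a Go polling loop covering the RFC 8628 §3.5 outcomes discussed above (authorization_pending, slow_down with the 5-second increase, terminal errors) and stopping when the device code expires. The names pollDeviceToken, scripted and tokenResponse, the injected poll and sleep functions, and the sample responses and timings are assumptions constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

type tokenResponse struct{ AccessToken, Error string }

// pollDeviceToken polls until a token, a terminal error, or device-code expiry.
// poll and sleep are injected (assumed seams) so it runs offline; elapsed time
// is approximated by the sum of the sleeps.
func pollDeviceToken(poll func() (tokenResponse, error), sleep func(time.Duration),
	interval, expiresIn time.Duration) (string, error) {
	waited := time.Duration(0)
	for waited < expiresIn {
		sleep(interval)
		waited += interval
		resp, err := poll()
		if err != nil {
			return "", err
		}
		switch resp.Error {
		case "":
			return resp.AccessToken, nil
		case "authorization_pending": // user has not approved yet: same interval
		case "slow_down": // RFC 8628 §3.5: +5s for this and all later requests
			interval += 5 * time.Second
		default: // access_denied, expired_token, unknown codes: terminal
			return "", fmt.Errorf("token request failed: %s", resp.Error)
		}
	}
	return "", errors.New("device code expired before authorization")
}

// scripted replays constructed sample responses (not GitHub output) in order.
func scripted(resps ...tokenResponse) func() (tokenResponse, error) {
	i := -1
	return func() (tokenResponse, error) { i++; return resps[i], nil }
}

func main() {
	var sleeps []time.Duration
	tok, err := pollDeviceToken(scripted(
		tokenResponse{Error: "authorization_pending"}, tokenResponse{Error: "slow_down"},
		tokenResponse{Error: "slow_down"}, tokenResponse{AccessToken: "example-token"}),
		func(d time.Duration) { sleeps = append(sleeps, d) }, 5*time.Second, 900*time.Second)
	fmt.Println(tok, err, sleeps) // example-token <nil> [5s 5s 10s 15s]
}
```

Because the sleep function is injected, the back-off schedule can be asserted in a unit test without waiting or contacting the token endpoint.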

Development

Successfully merging this pull request may close these issues.

mcp-publisher: device-flow login treats GitHub slow_down as fatal instead of backing off
