googleapis · Deeven-Seru · Apr 16, 2026
@@ -308,7 +308,7 @@ func (a AuthService) validateOpaqueToken(ctx context.Context, tokenStr string) e
 
 	if resp.StatusCode != http.StatusOK {
 		logger.WarnContext(ctx, "introspection failed with status: %d", resp.StatusCode)
-		return &MCPAuthError{Code: http.StatusUnauthorized, Message: fmt.Sprintf("introspection failed with status: %d", resp.StatusCode), ScopesRequired: a.ScopesRequired}
+		return &MCPAuthError{Code: http.StatusInternalServerError, Message: fmt.Sprintf("introspection failed with status: %d", resp.StatusCode), ScopesRequired: a.ScopesRequired}
 	}
 
 	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))

@@ -503,6 +503,10 @@ func mcpAuthMiddleware(s *Server) func(http.Handler) http.Handler {
 				}
 			}
 
+			// Add logger to context
+			ctx := util.WithLogger(r.Context(), s.logger)
+			r = r.WithContext(ctx)
+
 			// MCP Auth not enabled
 			if mcpSvc == nil {
 				next.ServeHTTP(w, r)
@@ -525,8 +529,19 @@ func mcpAuthMiddleware(s *Server) func(http.Handler) http.Handler {
 						w.Header().Set("WWW-Authenticate", fmt.Sprintf(`Bearer error="insufficient_scope", scope="%s", resource_metadata="%s", error_description="%s"`, strings.Join(mcpErr.ScopesRequired, " "), s.toolboxUrl+"/.well-known/oauth-protected-resource", mcpErr.Message))
 						http.Error(w, mcpErr.Message, http.StatusForbidden)
 						return
+					default:
+						if mcpErr.Code >= 500 {
+							s.logger.ErrorContext(r.Context(), "internal authentication error", "error", mcpErr.Message)
+							http.Error(w, "internal server error during authentication", mcpErr.Code)
+						} else {
+							http.Error(w, mcpErr.Message, mcpErr.Code)
+						}
+						return
 					}
 				}
+				s.logger.ErrorContext(r.Context(), "unexpected error during authentication", "error", err)
+				http.Error(w, "internal server error during authentication", http.StatusInternalServerError)
+				return
 			}
 
 			next.ServeHTTP(w, r)