@mcp-abap-adt/auth-broker 0.2.11 → 0.2.12

package/CHANGELOG.md

@@ -11,6 +11,13 @@ Thank you to all contributors! See [CONTRIBUTORS.md](CONTRIBUTORS.md) for the co
 
 ## [Unreleased]
 
+## [0.2.12] - 2025-12-25
+
+### Changed
+- **Auth flow**: Broker now relies on `ITokenProvider.getTokens()` with no parameters and expects providers to manage refresh/re-auth internally.
+- **Constructor**: `tokenProvider` is required and `allowBrowserAuth` is supported for non-interactive flows.
+- **Docs**: Updated usage/architecture/export docs to reflect provider injection, new flow, and CLI usage.
+
 ## [0.2.11] - 2025-12-23
 
 ### Changed

package/README.md

@@ -7,7 +7,7 @@ JWT authentication broker for MCP ABAP ADT server. Manages authentication tokens
 - 🔐 **Destination-based Authentication**: Load tokens based on `x-mcp-destination` header
 - 📁 **Environment File Support**: Automatically loads tokens from `{destination}.env` files
 - 🔄 **Automatic Token Refresh**: Refreshes expired tokens using service keys from `{destination}.json` files
-- ✅ **Token Validation**: Validates tokens by testing connection to SAP system
+- ✅ **Token Validation**: Validates tokens via provider (if `validateToken` is implemented)
 - 💾 **Token Caching**: In-memory caching for improved performance
 - 🔧 **Configurable Base Path**: Customize where `.env` and `.json` files are stored
 
@@ -19,19 +19,26 @@ npm install @mcp-abap-adt/auth-broker
 
 ## Usage
 
-### Basic Usage (Session Only)
+### Basic Usage (Provider Required)
 
-If your sessionStore contains valid UAA credentials, you only need to provide `sessionStore`:
+AuthBroker requires a token provider configured for the destination:
 
 ```typescript
 import { AuthBroker, AbapSessionStore } from '@mcp-abap-adt/auth-broker';
+import { AuthorizationCodeProvider } from '@mcp-abap-adt/auth-providers';
+
+const tokenProvider = new AuthorizationCodeProvider({
+  uaaUrl: 'https://...authentication...hana.ondemand.com',
+  clientId: '...',
+  clientSecret: '...',
+  browser: 'system',
+});
 
-// Session-only mode - works if session has UAA credentials
 const broker = new AuthBroker({
   sessionStore: new AbapSessionStore('/path/to/destinations'),
+  tokenProvider,
 });
 
-// Get token - uses direct UAA HTTP requests automatically
 const token = await broker.getToken('TRIAL');
 ```
 
@@ -40,37 +47,52 @@ const token = await broker.getToken('TRIAL');
 For maximum flexibility, provide all three dependencies:
 
 ```typescript
-import { 
-  AuthBroker, 
-  AbapServiceKeyStore, 
-  AbapSessionStore, 
-  BtpTokenProvider
+import {
+  AuthBroker,
+  AbapServiceKeyStore,
+  AbapSessionStore,
 } from '@mcp-abap-adt/auth-broker';
+import { AuthorizationCodeProvider } from '@mcp-abap-adt/auth-providers';
 
 const broker = new AuthBroker({
   sessionStore: new AbapSessionStore('/path/to/destinations'),
   serviceKeyStore: new AbapServiceKeyStore('/path/to/destinations'), // optional
-  tokenProvider: new BtpTokenProvider(), // optional
+  tokenProvider: new AuthorizationCodeProvider({
+    uaaUrl: 'https://...authentication...hana.ondemand.com',
+    clientId: '...',
+    clientSecret: '...',
+    browser: 'system',
+  }),
 }, 'chrome', logger);
 
 // Disable browser authentication for headless/stdio environments (e.g., MCP with Cline)
 const brokerNoBrowser = new AuthBroker({
   sessionStore: new AbapSessionStore('/path/to/destinations'),
   serviceKeyStore: new AbapServiceKeyStore('/path/to/destinations'),
-  tokenProvider: new BtpTokenProvider(),
+  tokenProvider: new AuthorizationCodeProvider({
+    uaaUrl: 'https://...authentication...hana.ondemand.com',
+    clientId: '...',
+    clientSecret: '...',
+    browser: 'none',
+  }),
   allowBrowserAuth: false, // Throws BROWSER_AUTH_REQUIRED if browser auth needed
 }, 'chrome', logger);
 ```
 
 ### Session + Service Key (For Initialization)
 
-If you need to initialize sessions from service keys:
+If you need to initialize sessions from service keys, create the provider from service key auth config:
 
 ```typescript
 const broker = new AuthBroker({
   sessionStore: new AbapSessionStore('/path/to/destinations'),
   serviceKeyStore: new AbapServiceKeyStore('/path/to/destinations'),
-  // tokenProvider optional - direct UAA requests will be used from service key
+  tokenProvider: new AuthorizationCodeProvider({
+    uaaUrl: 'https://...authentication...hana.ondemand.com',
+    clientId: '...',
+    clientSecret: '...',
+    browser: 'system',
+  }),
 });
 ```
 
@@ -94,16 +116,19 @@ To avoid port conflicts with browser authentication:
 const broker = new AuthBroker({
   sessionStore: new AbapSessionStore('/path/to/destinations'),
   serviceKeyStore: new AbapServiceKeyStore('/path/to/destinations'),
-  tokenProvider: new BtpTokenProvider(4001), // Custom port for OAuth callback server
+  tokenProvider: new AuthorizationCodeProvider({
+    uaaUrl: 'https://...authentication...hana.ondemand.com',
+    clientId: '...',
+    clientSecret: '...',
+    browser: 'system',
+    redirectPort: 4001,
+  }),
 }, 'chrome');
 ```
 
-**Note**: The `BtpTokenProvider` automatically finds an available port if the requested port is in use. This prevents `EADDRINUSE` errors when multiple stdio servers run simultaneously. The server properly closes all connections and frees the port after authentication completes, ensuring no lingering port occupation.
-
 ### Getting Tokens
 
 ```typescript
-// Get token - automatically uses direct UAA requests if UAA credentials available
 const token = await broker.getToken('TRIAL');
 
 // Force refresh token
@@ -282,7 +307,7 @@ This package supports two types of BTP authentication:
 **Interface-Only Communication**: This package follows a fundamental development principle: **all interactions with external dependencies happen ONLY through interfaces**. The code knows **NOTHING beyond what is defined in the interfaces**.
 
 This means:
-- Does not know about concrete implementation classes (e.g., `AbapSessionStore`, `BtpTokenProvider`)
+- Does not know about concrete implementation classes (e.g., `AbapSessionStore`, `AuthorizationCodeProvider`)
 - Does not know about internal data structures or methods not defined in interfaces
 - Does not make assumptions about implementation behavior beyond interface contracts
 - Does not access properties or methods not explicitly defined in interfaces
@@ -302,13 +327,11 @@ The `@mcp-abap-adt/auth-broker` package defines **interfaces** and provides **or
 - **Orchestrates authentication flows**: Coordinates token retrieval, validation, and refresh using provided stores and providers
 - **Manages token lifecycle**: Handles token caching, validation, and automatic refresh
 - **Works with interfaces only**: Uses `IServiceKeyStore`, `ISessionStore`, and `ITokenProvider` interfaces without knowing concrete implementations
-- **Delegates to providers**: Calls `tokenProvider.getConnectionConfig()` to obtain tokens and connection configuration
-- **Delegates to stores**: Uses `sessionStore.setConnectionConfig()` to save tokens and connection configuration
+- **Delegates to providers**: Calls `tokenProvider.getTokens()` to obtain tokens
+- **Delegates to stores**: Saves tokens and connection configuration to `sessionStore`
 
 #### What AuthBroker Does NOT Do
 
-- **Does NOT know about `serviceUrl`**: `AuthBroker` does not know whether a specific `ISessionStore` implementation requires `serviceUrl` or not. It simply passes the `IConnectionConfig` returned by `tokenProvider` to `sessionStore.setConnectionConfig()`
-- **Does NOT merge configurations**: `AuthBroker` does not merge `serviceUrl` from service keys with connection config from token providers. This is the responsibility of the consumer or the session store implementation
 - **Does NOT implement storage**: File I/O, parsing, and storage logic are handled by concrete store implementations from `@mcp-abap-adt/auth-stores`
 - **Does NOT implement token acquisition**: OAuth2 flows, refresh token logic, and client credentials are handled by concrete provider implementations from `@mcp-abap-adt/auth-providers`
 
@@ -317,9 +340,9 @@ The `@mcp-abap-adt/auth-broker` package defines **interfaces** and provides **or
 The **consumer** (application using `AuthBroker`) is responsible for:
 
 1. **Selecting appropriate implementations**: Choose the correct `IServiceKeyStore`, `ISessionStore`, and `ITokenProvider` implementations based on the use case:
-   - **ABAP systems**: Use `AbapServiceKeyStore`, `AbapSessionStore` (or `SafeAbapSessionStore`), and `BtpTokenProvider`
-   - **BTP systems**: Use `AbapServiceKeyStore`, `BtpSessionStore` (or `SafeBtpSessionStore`), and `BtpTokenProvider`
-   - **XSUAA services**: Use `XsuaaServiceKeyStore`, `XsuaaSessionStore` (or `SafeXsuaaSessionStore`), and `XsuaaTokenProvider`
+   - **ABAP systems**: Use `AbapServiceKeyStore`, `AbapSessionStore` (or `SafeAbapSessionStore`), and `AuthorizationCodeProvider`
+   - **BTP systems**: Use `AbapServiceKeyStore`, `BtpSessionStore` (or `SafeBtpSessionStore`), and `AuthorizationCodeProvider`
+   - **XSUAA services**: Use `XsuaaServiceKeyStore`, `XsuaaSessionStore` (or `SafeXsuaaSessionStore`), and `ClientCredentialsProvider`
 
 2. **Ensuring complete configuration**: If a session store requires `serviceUrl` (e.g., `AbapSessionStore` requires `sapUrl`), the consumer must ensure that:
    - The session is created with `serviceUrl` before calling `AuthBroker.getToken()`, OR
@@ -346,8 +369,7 @@ Concrete `ISessionStore` implementations are responsible for:
 Concrete `ITokenProvider` implementations are responsible for:
 
 - **Obtaining tokens**: Using OAuth2 flows, refresh tokens, or client credentials to obtain JWT tokens
-- **Returning connection config**: Returning `IConnectionConfig` with `authorizationToken` and optionally `serviceUrl` (if known)
-- **Not returning `serviceUrl` if unknown**: Providers like `BtpTokenProvider` may not return `serviceUrl` because they only handle token acquisition, not connection configuration
+- **Managing token lifecycle**: Caching, validating, refreshing, and re-authenticating as needed
 
 ### Design Principles
 
@@ -361,22 +383,6 @@ Concrete `ITokenProvider` implementations are responsible for:
 4. **Interface Segregation**: Interfaces are focused and minimal, containing only what's necessary for their specific purpose
 5. **Open/Closed Principle**: New store and provider implementations can be added without modifying `AuthBroker`
 
-### Example: Why AuthBroker Doesn't Handle `serviceUrl`
-
-Consider this scenario:
-- `BtpTokenProvider.getConnectionConfig()` returns `IConnectionConfig` with `authorizationToken` but **without** `serviceUrl` (because it only handles token acquisition)
-- `AbapSessionStore.setConnectionConfig()` requires `sapUrl` (which maps to `serviceUrl`)
-
-If `AuthBroker` tried to merge `serviceUrl` from `serviceKeyStore`, it would:
-1. Violate the DIP by knowing about specific store requirements
-2. Break the abstraction - `AuthBroker` shouldn't know that `AbapSessionStore` needs `serviceUrl`
-3. Create coupling between `AuthBroker` and concrete implementations
-
-Instead, the consumer or `AbapSessionStore` itself should handle this:
-- **Option 1**: Consumer retrieves `serviceUrl` from `serviceKeyStore` and ensures it's in the session before calling `AuthBroker.getToken()`
-- **Option 2**: `AbapSessionStore.setConnectionConfig()` retrieves `serviceUrl` from `serviceKeyStore` internally if not provided
-- **Option 3**: `AbapSessionStore.setConnectionConfig()` uses existing `sapUrl` from current session if available
-
 ## API
 
 ### `AuthBroker`
@@ -388,7 +394,8 @@ new AuthBroker(
   config: {
     sessionStore: ISessionStore;        // required
     serviceKeyStore?: IServiceKeyStore; // optional
-    tokenProvider?: ITokenProvider;      // optional
+    tokenProvider: ITokenProvider;      // required
+    allowBrowserAuth?: boolean;         // optional
   }, 
   browser?: string, 
   logger?: ILogger
@@ -399,7 +406,8 @@ new AuthBroker(
 - `config` - Configuration object:
   - `sessionStore` - **Required** - Store for session data. Must contain initial session with `serviceUrl`
   - `serviceKeyStore` - **Optional** - Store for service keys. Only needed for initializing sessions from service keys
-  - `tokenProvider` - **Optional** - Token provider for token acquisition. Only needed for browser authentication or when direct UAA requests fail
+  - `tokenProvider` - **Required** - Token provider for token acquisition and refresh
+  - `allowBrowserAuth` - **Optional** - When `false`, throws `BROWSER_AUTH_REQUIRED` instead of launching browser auth
 - `browser` - Optional browser name for authentication (`chrome`, `edge`, `firefox`, `system`, `headless`, `none`). Default: `system`
   - Use `'headless'` for SSH/remote sessions - logs URL and waits for manual callback
   - Use `'none'` for automated tests - logs URL and rejects immediately
@@ -411,16 +419,15 @@ new AuthBroker(
 - **`sessionStore` (required)**: Always required. Must contain initial session with `serviceUrl`
 - **`serviceKeyStore` (optional)**: 
   - Required if you need to initialize sessions from service keys (Step 0)
-  - Not needed if session already contains UAA credentials
-- **`tokenProvider` (optional)**:
-  - Required for browser authentication when initializing from service key (Step 0)
-  - Optional but recommended as fallback when direct UAA requests fail
-  - Not needed if session contains valid UAA credentials (direct UAA HTTP requests will be used)
+  - Not needed if session already contains authorization config and tokens
+- **`tokenProvider` (required)**:
+  - Used for all token acquisition and refresh flows
+  - Must be configured with the destination's auth parameters (e.g., UAA credentials)
 
 **Available Implementations:**
-- **ABAP**: `AbapServiceKeyStore(directory, defaultServiceUrl?, logger?)`, `AbapSessionStore(directory, defaultServiceUrl?, logger?)`, `SafeAbapSessionStore(defaultServiceUrl?, logger?)`, `BtpTokenProvider(browserAuthPort?)`
-- **XSUAA** (reduced scope): `XsuaaServiceKeyStore(directory, logger?)`, `XsuaaSessionStore(directory, defaultServiceUrl, logger?)`, `SafeXsuaaSessionStore(defaultServiceUrl, logger?)`, `XsuaaTokenProvider()`
-- **BTP** (full scope for ABAP): `AbapServiceKeyStore(directory, defaultServiceUrl?, logger?)`, `BtpSessionStore(directory, defaultServiceUrl, logger?)`, `SafeBtpSessionStore(defaultServiceUrl, logger?)`, `BtpTokenProvider(browserAuthPort?)`
+- **ABAP**: `AbapServiceKeyStore(directory, defaultServiceUrl?, logger?)`, `AbapSessionStore(directory, defaultServiceUrl?, logger?)`, `SafeAbapSessionStore(defaultServiceUrl?, logger?)`, `AuthorizationCodeProvider(...)`
+- **XSUAA** (reduced scope): `XsuaaServiceKeyStore(directory, logger?)`, `XsuaaSessionStore(directory, defaultServiceUrl, logger?)`, `SafeXsuaaSessionStore(defaultServiceUrl, logger?)`, `ClientCredentialsProvider(...)`
+- **BTP** (full scope for ABAP): `AbapServiceKeyStore(directory, defaultServiceUrl?, logger?)`, `BtpSessionStore(directory, defaultServiceUrl, logger?)`, `SafeBtpSessionStore(defaultServiceUrl, logger?)`, `AuthorizationCodeProvider(...)`
 
 #### Methods
 
@@ -429,31 +436,34 @@ new AuthBroker(
 Gets authentication token for destination. Implements a three-step flow:
 
 **Step 0: Initialize Session with Token (if needed)**
-- Checks if session has `authorizationToken` and UAA credentials
-- If both are empty and `serviceKeyStore` is available:
-  - Tries direct UAA request from service key (if UAA credentials available)
-  - If failed and `tokenProvider` available → uses provider for authentication
-- If session has token OR UAA credentials → proceeds to Step 1
-
-**Step 1: Refresh Token Flow**
-- Checks if refresh token exists in session
-- If refresh token exists:
-  - Tries direct UAA refresh (if UAA credentials in session)
-  - If failed and `tokenProvider` available → uses provider
-  - If successful → returns new token
+- Checks if session has `authorizationToken` and authorization config
+- If both are missing and `serviceKeyStore` is available:
+  - Loads authorization config from service key
+  - Uses `tokenProvider.getTokens()` to obtain tokens
+  - Persists tokens to session
+- Otherwise → proceeds to Step 1
+
+**Step 1: Token Validation**
+- If token exists in session and provider supports `validateToken`, validate it
+- If valid → returns token
+- If provider does not support validation → returns token as-is
 - Otherwise → proceeds to Step 2
 
-**Step 2: UAA Credentials Flow**
-- Checks if UAA credentials exist in session or service key
-- Tries direct UAA client_credentials request (if UAA credentials available)
-- If failed and `tokenProvider` available → uses provider
-- If successful → returns new token
+**Step 2: Token Refresh / Re-Auth**
+- If session has authorization config:
+  - Uses `tokenProvider.getTokens()` to refresh or re-authenticate
+  - Persists tokens to session
+  - Returns new token
+- If that fails (or no session auth config) and `serviceKeyStore` is available:
+  - Loads authorization config from service key
+  - Uses `tokenProvider.getTokens()` to obtain tokens
+  - Persists tokens to session
 - If all failed → throws error
 
 **Important Notes:**
-- If `sessionStore` contains valid UAA credentials, neither `serviceKeyStore` nor `tokenProvider` are required. Direct UAA HTTP requests will be used automatically.
-- `tokenProvider` is only needed for browser authentication or when direct UAA requests fail.
-- Token validation is performed only when checking existing session. Tokens obtained through refresh/UAA/browser authentication are not validated before being saved.
+- All authentication is handled by the injected provider (authorization_code or client_credentials).
+- `tokenProvider` is required for all token acquisition and refresh flows.
+- Token validation is performed only when checking existing session. Tokens obtained through refresh are not validated before being saved.
 - **Store errors are handled gracefully**: If service key files are missing or malformed, the broker logs the error and continues with fallback mechanisms (session store data or provider-based auth)
 
 ##### Error Handling
@@ -512,13 +522,7 @@ Example error scenarios handled:
 
 ##### `refreshToken(destination: string): Promise<string>`
 
-Force refresh token for destination. Uses refresh token from session if available, otherwise uses UAA credentials from session or service key.
-
-**Flow:**
-- If refresh token exists and UAA credentials available → tries direct UAA refresh
-- If direct UAA fails and `tokenProvider` available → uses provider
-- If no refresh token but UAA credentials available → tries direct UAA client_credentials
-- If all failed → throws error
+Force refresh token for destination. Calls `getToken()` to run the full refresh flow and persist updated tokens.
 
 ##### `clearCache(destination: string): void`
 
@@ -530,14 +534,14 @@ Clear all cached tokens.
 
 ### Token Providers
 
-The package uses `ITokenProvider` interface for token acquisition. Two implementations are available:
+The package uses the `ITokenProvider` interface for token acquisition. Provider implementations live in `@mcp-abap-adt/auth-providers`:
 
-- **`XsuaaTokenProvider`** - For XSUAA authentication (reduced scope)
+- **`ClientCredentialsProvider`** - For XSUAA authentication (reduced scope)
   - Uses client_credentials grant type
   - No browser interaction required
   - No refresh token provided
 
-- **`BtpTokenProvider`** - For BTP/ABAP authentication (full scope)
+- **`AuthorizationCodeProvider`** - For BTP/ABAP authentication (full scope)
   - Constructor accepts optional `browserAuthPort?: number` parameter (default: 3001)
   - Automatically finds an available port if the requested port is in use (prevents `EADDRINUSE` errors)
   - Server properly closes all connections and frees the port after authentication completes
@@ -553,55 +557,59 @@ import {
   AuthBroker,
   XsuaaServiceKeyStore,
   XsuaaSessionStore,
-  XsuaaTokenProvider,
-  BtpTokenProvider,
   AbapServiceKeyStore,
   BtpSessionStore
 } from '@mcp-abap-adt/auth-broker';
+import {
+  ClientCredentialsProvider,
+  AuthorizationCodeProvider,
+} from '@mcp-abap-adt/auth-providers';
 
-// XSUAA authentication - session only (direct UAA requests)
+// XSUAA authentication
 const xsuaaBroker = new AuthBroker({
   sessionStore: new XsuaaSessionStore('/path/to/sessions', 'https://mcp.example.com'),
-  // serviceKeyStore and tokenProvider not needed if session has UAA credentials
+  tokenProvider: new ClientCredentialsProvider({
+    uaaUrl: 'https://auth.example.com',
+    clientId: '...',
+    clientSecret: '...',
+  }),
 });
 
 // XSUAA authentication - with service key initialization
 const xsuaaBrokerWithServiceKey = new AuthBroker({
   sessionStore: new XsuaaSessionStore('/path/to/sessions', 'https://mcp.example.com'),
   serviceKeyStore: new XsuaaServiceKeyStore('/path/to/keys'),
-  // tokenProvider optional - direct UAA requests will be used
+  tokenProvider: new ClientCredentialsProvider({
+    uaaUrl: 'https://auth.example.com',
+    clientId: '...',
+    clientSecret: '...',
+  }),
 }, 'none');
 
-// BTP authentication - session only (direct UAA requests)
+// BTP authentication
 const btpBroker = new AuthBroker({
   sessionStore: new BtpSessionStore('/path/to/sessions', 'https://abap.example.com'),
-  // serviceKeyStore and tokenProvider not needed if session has UAA credentials
+  tokenProvider: new AuthorizationCodeProvider({
+    uaaUrl: 'https://auth.example.com',
+    clientId: '...',
+    clientSecret: '...',
+    browser: 'system',
+  }),
 });
 
 // BTP authentication - with service key and provider (for browser auth)
 const btpBrokerFull = new AuthBroker({
   sessionStore: new BtpSessionStore('/path/to/sessions', 'https://abap.example.com'),
   serviceKeyStore: new AbapServiceKeyStore('/path/to/keys'),
-  tokenProvider: new BtpTokenProvider(), // needed for browser authentication
+  tokenProvider: new AuthorizationCodeProvider({
+    uaaUrl: 'https://auth.example.com',
+    clientId: '...',
+    clientSecret: '...',
+    browser: 'system',
+  }),
 });
 ```
 
-### Direct UAA HTTP Requests
-
-When UAA credentials are available in session, `AuthBroker` automatically uses direct HTTP requests to UAA without requiring `tokenProvider`:
-
-- **Refresh Token Grant**: Direct HTTP POST to `{uaaUrl}/oauth/token` with `grant_type=refresh_token`
-- **Client Credentials Grant**: Direct HTTP POST to `{uaaUrl}/oauth/token` with `grant_type=client_credentials`
-
-**Benefits:**
-- No dependency on `tokenProvider` when session has UAA credentials
-- Faster token refresh (no provider overhead)
-- Simpler configuration (only `sessionStore` needed)
-
-**Fallback to Provider:**
-- If direct UAA request fails and `tokenProvider` is available, broker automatically falls back to provider
-- Provider is useful for browser authentication or alternative authentication flows
-
 ### CLI: mcp-auth
 
 Generate or refresh `.env`/JSON output using AuthBroker + stores:

package/bin/generate-env-from-service-key.ts

@@ -16,8 +16,16 @@
 import * as path from 'path';
 import * as fs from 'fs';
 import { AuthBroker } from '../src/AuthBroker';
-import { AbapServiceKeyStore, AbapSessionStore, XsuaaServiceKeyStore, XsuaaSessionStore } from '@mcp-abap-adt/auth-stores';
-import { BtpTokenProvider, XsuaaTokenProvider } from '@mcp-abap-adt/auth-providers';
+import {
+  AbapServiceKeyStore,
+  AbapSessionStore,
+  XsuaaServiceKeyStore,
+  XsuaaSessionStore,
+} from '@mcp-abap-adt/auth-stores';
+import {
+  AuthorizationCodeProvider,
+  ClientCredentialsProvider,
+} from '@mcp-abap-adt/auth-providers';
 
 async function main() {
   const args = process.argv.slice(2);
@@ -65,10 +73,24 @@ async function main() {
       ? new XsuaaSessionStore(sessionDir)
       : new AbapSessionStore(sessionDir);
 
+    const authConfig = await serviceKeyStore.getAuthorizationConfig(destination);
+    if (!authConfig) {
+      throw new Error(`Missing authorization config for ${destination}`);
+    }
+
     // Create token provider
     const tokenProvider = isXsuaa
-      ? new XsuaaTokenProvider()
-      : new BtpTokenProvider();
+      ? new ClientCredentialsProvider({
+          uaaUrl: authConfig.uaaUrl,
+          clientId: authConfig.uaaClientId,
+          clientSecret: authConfig.uaaClientSecret,
+        })
+      : new AuthorizationCodeProvider({
+          uaaUrl: authConfig.uaaUrl,
+          clientId: authConfig.uaaClientId,
+          clientSecret: authConfig.uaaClientSecret,
+          browser: 'system',
+        });
 
     // Create AuthBroker
     // For ABAP, use 'system' browser (will open browser for auth)
@@ -124,4 +146,3 @@ main().catch((error) => {
   console.error('Fatal error:', error);
   process.exit(1);
 });
-

package/bin/mcp-auth.ts

@@ -32,12 +32,6 @@ import {
   AuthorizationCodeProvider,
   ClientCredentialsProvider,
 } from '@mcp-abap-adt/auth-providers';
-import type {
-  IAuthorizationConfig,
-  ITokenProvider,
-  ITokenProviderOptions,
-  ITokenProviderResult,
-} from '@mcp-abap-adt/interfaces';
 import {
   ABAP_CONNECTION_VARS,
   ABAP_AUTHORIZATION_VARS,
@@ -241,86 +235,6 @@ function parseArgs(): McpAuthOptions | null {
   };
 }
 
-type ProviderMode = 'authorization_code' | 'client_credentials';
-
-class BrokerTokenProvider implements ITokenProvider {
-  private mode: ProviderMode;
-  private browser?: string;
-  private redirectPort?: number;
-
-  constructor(mode: ProviderMode, browser?: string, redirectPort?: number) {
-    this.mode = mode;
-    this.browser = browser;
-    this.redirectPort = redirectPort;
-  }
-
-  async getConnectionConfig(
-    authConfig: IAuthorizationConfig,
-    options?: ITokenProviderOptions,
-  ): Promise<ITokenProviderResult> {
-    return this.getTokenResult(authConfig, options);
-  }
-
-  async refreshTokenFromSession(
-    authConfig: IAuthorizationConfig,
-    options?: ITokenProviderOptions,
-  ): Promise<ITokenProviderResult> {
-    return this.getTokenResult(authConfig, options);
-  }
-
-  async refreshTokenFromServiceKey(
-    authConfig: IAuthorizationConfig,
-    options?: ITokenProviderOptions,
-  ): Promise<ITokenProviderResult> {
-    return this.getTokenResult(authConfig, options);
-  }
-
-  private async getTokenResult(
-    authConfig: IAuthorizationConfig,
-    options?: ITokenProviderOptions,
-  ): Promise<ITokenProviderResult> {
-    const uaaUrl = authConfig.uaaUrl;
-    const uaaClientId = authConfig.uaaClientId;
-    const uaaClientSecret = authConfig.uaaClientSecret;
-
-    if (!uaaUrl || !uaaClientId || !uaaClientSecret) {
-      throw new Error('Auth config missing required UAA credentials');
-    }
-
-    if (this.mode === 'client_credentials') {
-      const provider = new ClientCredentialsProvider({
-        uaaUrl,
-        clientId: uaaClientId,
-        clientSecret: uaaClientSecret,
-      });
-      const result = await provider.getTokens();
-      return {
-        connectionConfig: {
-          authorizationToken: result.authorizationToken,
-        },
-        refreshToken: result.refreshToken,
-      };
-    }
-
-    const browserValue = options?.browser ?? this.browser ?? 'system';
-    const provider = new AuthorizationCodeProvider({
-      uaaUrl,
-      clientId: uaaClientId,
-      clientSecret: uaaClientSecret,
-      refreshToken: authConfig.refreshToken,
-      browser: browserValue,
-      redirectPort: this.redirectPort,
-    });
-    const result = await provider.getTokens();
-    return {
-      connectionConfig: {
-        authorizationToken: result.authorizationToken,
-      },
-      refreshToken: result.refreshToken,
-    };
-  }
-}
-
 function writeEnvFile(
   outputPath: string,
   authType: 'abap' | 'xsuaa',
@@ -531,15 +445,32 @@ async function main() {
         ? new XsuaaSessionStore(tempSessionDir, brokerServiceUrl)
         : new AbapSessionStore(tempSessionDir);
 
+    const sessionAuthConfig =
+      await sessionStore.getAuthorizationConfig(destination);
+    const serviceKeyAuthConfig =
+      serviceKeyStore?.getAuthorizationConfig
+        ? await serviceKeyStore.getAuthorizationConfig(destination)
+        : null;
+    const authConfig = sessionAuthConfig || serviceKeyAuthConfig;
+    if (!authConfig) {
+      throw new Error(`Authorization config not found for ${destination}`);
+    }
+
     const useBrowserAuth = options.browser !== undefined;
-    const providerMode: ProviderMode = useBrowserAuth
-      ? 'authorization_code'
-      : 'client_credentials';
-    const tokenProvider = new BrokerTokenProvider(
-      providerMode,
-      options.browser,
-      options.redirectPort,
-    );
+    const tokenProvider = useBrowserAuth
+      ? new AuthorizationCodeProvider({
+          uaaUrl: authConfig.uaaUrl,
+          clientId: authConfig.uaaClientId,
+          clientSecret: authConfig.uaaClientSecret,
+          refreshToken: authConfig.refreshToken,
+          browser: options.browser,
+          redirectPort: options.redirectPort,
+        })
+      : new ClientCredentialsProvider({
+          uaaUrl: authConfig.uaaUrl,
+          clientId: authConfig.uaaClientId,
+          clientSecret: authConfig.uaaClientSecret,
+        });
 
     const broker = new AuthBroker(
       {

package/dist/AuthBroker.d.ts

@@ -55,27 +55,17 @@ export declare class AuthBroker {
     /**
      * Get UAA credentials from session or service key
      */
-    private getUaaCredentials;
+    private getAuthorizationConfigFromServiceKey;
     /**
      * Save token and config to session
      */
     private saveTokenToSession;
-    /**
-     * Initialize session from service key (Step 0)
-     */
-    private initializeSessionFromServiceKey;
+    private requestTokens;
+    private persistTokenResult;
     /**
      * Validate existing token (Step 1)
      */
     private validateExistingToken;
-    /**
-     * Refresh token from session (Step 2a)
-     */
-    private refreshTokenFromSession;
-    /**
-     * Refresh token from service key (Step 2b)
-     */
-    private refreshTokenFromServiceKey;
     /**
      * Get authentication token for destination.
      * Uses tokenProvider for all authentication operations (browser-based authorization).

package/dist/AuthBroker.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"AuthBroker.d.ts","sourceRoot":"","sources":["../src/AuthBroker.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EACL,KAAK,OAAO,EACZ,KAAK,eAAe,EAErB,MAAM,0BAA0B,CAAC;AAClC,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAClD,OAAO,KAAK,EACV,oBAAoB,EACpB,iBAAiB,EACjB,gBAAgB,EAChB,aAAa,EACd,MAAM,qBAAqB,CAAC;AA4C7B;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,mEAAmE;IACnE,YAAY,EAAE,aAAa,CAAC;IAC5B,uEAAuE;IACvE,eAAe,CAAC,EAAE,gBAAgB,CAAC;IACnC,4IAA4I;IAC5I,aAAa,EAAE,cAAc,CAAC;IAC9B;;;;OAIG;IACH,gBAAgB,CAAC,EAAE,OAAO,CAAC;CAC5B;AAED;;GAEG;AACH,qBAAa,UAAU;IACrB,OAAO,CAAC,OAAO,CAAqB;IACpC,OAAO,CAAC,MAAM,CAAU;IACxB,OAAO,CAAC,eAAe,CAA+B;IACtD,OAAO,CAAC,YAAY,CAAgB;IACpC,OAAO,CAAC,aAAa,CAAiB;IACtC,OAAO,CAAC,gBAAgB,CAAU;IAElC;;;;;;;;;;;OAWG;gBACS,MAAM,EAAE,gBAAgB,EAAE,OAAO,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,OAAO;IAoFxE;;OAEG;YACW,eAAe;IA0D7B;;OAEG;YACW,aAAa;IAoD3B;;OAEG;YACW,iBAAiB;IA2D/B;;OAEG;YACW,kBAAkB;IAkChC;;OAEG;YACW,+BAA+B;IA4G7C;;OAEG;YACW,qBAAqB;IA8BnC;;OAEG;YACW,uBAAuB;IAyFrC;;OAEG;YACW,0BAA0B;IAgHxC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAuCG;IACG,QAAQ,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IA8GpD;;;;;OAKG;IACG,YAAY,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IASxD;;;;OAIG;IACG,sBAAsB,CAC1B,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,oBAAoB,GAAG,IAAI,CAAC;IAoEvC;;;;OAIG;IACG,mBAAmB,CACvB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,iBAAiB,GAAG,IAAI,CAAC;IA8DpC;;;;;;;;;;;;;;;;OAgBG;IACH,oBAAoB,CAAC,WAAW,EAAE,MAAM,GAAG,eAAe;CAqB3D"}
+{"version":3,"file":"AuthBroker.d.ts","sourceRoot":"","sources":["../src/AuthBroker.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EACL,KAAK,OAAO,EACZ,KAAK,eAAe,EAGrB,MAAM,0BAA0B,CAAC;AAClC,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAClD,OAAO,KAAK,EACV,oBAAoB,EACpB,iBAAiB,EACjB,gBAAgB,EAChB,aAAa,EACd,MAAM,qBAAqB,CAAC;AA4C7B;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,mEAAmE;IACnE,YAAY,EAAE,aAAa,CAAC;IAC5B,uEAAuE;IACvE,eAAe,CAAC,EAAE,gBAAgB,CAAC;IACnC,4IAA4I;IAC5I,aAAa,EAAE,cAAc,CAAC;IAC9B;;;;OAIG;IACH,gBAAgB,CAAC,EAAE,OAAO,CAAC;CAC5B;AAED;;GAEG;AACH,qBAAa,UAAU;IACrB,OAAO,CAAC,OAAO,CAAqB;IACpC,OAAO,CAAC,MAAM,CAAU;IACxB,OAAO,CAAC,eAAe,CAA+B;IACtD,OAAO,CAAC,YAAY,CAAgB;IACpC,OAAO,CAAC,aAAa,CAAiB;IACtC,OAAO,CAAC,gBAAgB,CAAU;IAElC;;;;;;;;;;;OAWG;gBACS,MAAM,EAAE,gBAAgB,EAAE,OAAO,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,OAAO;IAkFxE;;OAEG;YACW,eAAe;IA0D7B;;OAEG;YACW,aAAa;IAoD3B;;OAEG;YACW,oCAAoC;IA4ClD;;OAEG;YACW,kBAAkB;YAkClB,aAAa;YA8Cb,kBAAkB;IAiChC;;OAEG;YACW,qBAAqB;IA8BnC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAuCG;IACG,QAAQ,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAqIpD;;;;;OAKG;IACG,YAAY,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IASxD;;;;OAIG;IACG,sBAAsB,CAC1B,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,oBAAoB,GAAG,IAAI,CAAC;IAoEvC;;;;OAIG;IACG,mBAAmB,CACvB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,iBAAiB,GAAG,IAAI,CAAC;IA8DpC;;;;;;;;;;;;;;;;OAgBG;IACH,oBAAoB,CAAC,WAAW,EAAE,MAAM,GAAG,eAAe;CAqB3D"}

package/dist/AuthBroker.js

@@ -84,8 +84,8 @@ class AuthBroker {
             throw new Error('AuthBroker: sessionStore.setConnectionConfig must be a function');
         }
         // Check tokenProvider methods (required)
-        if (typeof tokenProvider.getConnectionConfig !== 'function') {
-            throw new Error('AuthBroker: tokenProvider.getConnectionConfig must be a function');
+        if (typeof tokenProvider.getTokens !== 'function') {
+            throw new Error('AuthBroker: tokenProvider.getTokens must be a function');
         }
         // validateToken is optional, so we don't check it
         // Check serviceKeyStore methods (if provided)
@@ -196,14 +196,9 @@ class AuthBroker {
     /**
      * Get UAA credentials from session or service key
      */
-    async getUaaCredentials(destination, authConfig) {
-        if (authConfig?.uaaUrl &&
-            authConfig?.uaaClientId &&
-            authConfig?.uaaClientSecret) {
-            return authConfig;
-        }
+    async getAuthorizationConfigFromServiceKey(destination) {
         if (!this.serviceKeyStore) {
-            throw new Error(`UAA credentials not found for ${destination}. Session has no UAA credentials and serviceKeyStore is not available.`);
+            throw new Error(`Authorization config not found for ${destination}. Session has no auth config and serviceKeyStore is not available.`);
         }
         let serviceKeyAuthConfig = null;
         try {
@@ -219,21 +214,17 @@ class AuthBroker {
                     this.logger?.warn(`Failed to parse service key for ${destination}: ${error.filePath || 'unknown path'} - ${getErrorMessage(error)}`);
                 }
                 else {
-                    this.logger?.warn(`Failed to get UAA credentials from service key store for ${destination}: ${getErrorMessage(error)}`);
+                    this.logger?.warn(`Failed to get authorization config from service key store for ${destination}: ${getErrorMessage(error)}`);
                 }
             }
             else {
-                this.logger?.warn(`Failed to get UAA credentials from service key store for ${destination}: ${getErrorMessage(error)}`);
+                this.logger?.warn(`Failed to get authorization config from service key store for ${destination}: ${getErrorMessage(error)}`);
             }
         }
-        const uaaCredentials = authConfig || serviceKeyAuthConfig;
-        if (!uaaCredentials ||
-            !uaaCredentials.uaaUrl ||
-            !uaaCredentials.uaaClientId ||
-            !uaaCredentials.uaaClientSecret) {
-            throw new Error(`UAA credentials not found for ${destination}. Session has no UAA credentials${this.serviceKeyStore ? ' and serviceKeyStore has no UAA credentials' : ' and serviceKeyStore is not available'}.`);
+        if (!serviceKeyAuthConfig) {
+            throw new Error(`Authorization config not found for ${destination}. Session has no auth config${this.serviceKeyStore ? ' and serviceKeyStore has no auth config' : ' and serviceKeyStore is not available'}.`);
         }
-        return uaaCredentials;
+        return serviceKeyAuthConfig;
     }
     /**
      * Save token and config to session
@@ -254,74 +245,51 @@ class AuthBroker {
             throw new Error(`Failed to save authorization config for destination "${destination}": ${getErrorMessage(error)}`);
         }
     }
-    /**
-     * Initialize session from service key (Step 0)
-     */
-    async initializeSessionFromServiceKey(destination, serviceUrl) {
-        if (!this.serviceKeyStore) {
-            throw new Error(`Cannot initialize session for destination "${destination}": authorizationToken is empty, UAA credentials are empty, and serviceKeyStore is not available. Provide serviceKeyStore to initialize from service key.`);
-        }
-        const serviceKeyAuthConfig = await this.serviceKeyStore.getAuthorizationConfig(destination);
-        if (!serviceKeyAuthConfig ||
-            !serviceKeyAuthConfig.uaaUrl ||
-            !serviceKeyAuthConfig.uaaClientId ||
-            !serviceKeyAuthConfig.uaaClientSecret) {
-            throw new Error(`Service key for destination "${destination}" does not contain UAA credentials`);
-        }
-        if (!this.allowBrowserAuth) {
-            const error = new Error(`Browser authentication required for destination "${destination}" but allowBrowserAuth is disabled. Either enable browser auth or provide a valid session with token.`);
-            error.code = 'BROWSER_AUTH_REQUIRED';
-            error.destination = destination;
-            this.logger?.error(`Step 0: Browser auth required but disabled for ${destination}`);
-            throw error;
-        }
-        this.logger?.debug(`Step 0: Authenticating via provider (browser) for ${destination} using service key UAA credentials`);
-        const getConnectionConfig = this.tokenProvider.getConnectionConfig;
-        if (!getConnectionConfig) {
-            throw new Error('AuthBroker: tokenProvider.getConnectionConfig is required');
-        }
-        let tokenResult;
+    async requestTokens(destination, sourceLabel) {
+        this.logger?.debug(`Requesting tokens for ${destination} via ${sourceLabel}`);
         try {
-            tokenResult = await getConnectionConfig(serviceKeyAuthConfig, {
-                browser: this.browser,
-                logger: this.logger,
-            });
+            const getTokens = this.tokenProvider.getTokens;
+            if (!getTokens) {
+                throw new Error('AuthBroker: tokenProvider.getTokens is required');
+            }
+            return await getTokens.call(this.tokenProvider);
         }
         catch (error) {
             if (hasErrorCode(error)) {
                 if (error.code === 'VALIDATION_ERROR') {
-                    throw new Error(`Cannot initialize session for destination "${destination}": provider validation failed - missing ${error.missingFields?.join(', ') || 'required fields'}`);
+                    throw new Error(`Token provider validation failed for ${destination}: missing ${error.missingFields?.join(', ') || 'required fields'}`);
                 }
-                else if (error.code === 'BROWSER_AUTH_ERROR') {
-                    throw new Error(`Cannot initialize session for destination "${destination}": browser authentication failed - ${getErrorMessage(error)}`);
+                if (error.code === 'BROWSER_AUTH_ERROR') {
+                    throw new Error(`Token provider browser authentication failed for ${destination}: ${getErrorMessage(error)}`);
                 }
-                else if (error.code === 'ECONNREFUSED' ||
+                if (error.code === 'ECONNREFUSED' ||
                     error.code === 'ETIMEDOUT' ||
                     error.code === 'ENOTFOUND') {
-                    throw new Error(`Cannot initialize session for destination "${destination}": network error - cannot reach authentication server (${error.code})`);
+                    throw new Error(`Token provider network error for ${destination}: ${error.code}`);
+                }
+                if (error.code === 'SERVICE_KEY_ERROR') {
+                    throw new Error(`Token provider service key error for ${destination}: ${getErrorMessage(error)}`);
                 }
             }
-            throw new Error(`Cannot initialize session for destination "${destination}": provider error - ${getErrorMessage(error)}`);
+            throw new Error(`Token provider error for ${destination}: ${getErrorMessage(error)}`);
         }
-        const token = tokenResult.connectionConfig.authorizationToken;
+    }
+    async persistTokenResult(destination, serviceUrl, baseConnConfig, authConfig, tokenResult) {
+        const token = tokenResult.authorizationToken;
         if (!token) {
             throw new Error(`Token provider did not return authorization token for destination "${destination}"`);
         }
-        const tokenLength = token.length;
-        this.logger?.info(`Step 0: Token initialized for ${destination}: token(${tokenLength} chars), hasRefreshToken(${!!tokenResult.refreshToken})`);
-        // Get serviceUrl from service key store if not in connectionConfig
-        const serviceKeyConnConfig = await this.serviceKeyStore.getConnectionConfig(destination);
         const connectionConfigWithServiceUrl = {
-            ...tokenResult.connectionConfig,
-            serviceUrl: tokenResult.connectionConfig.serviceUrl ||
-                serviceKeyConnConfig?.serviceUrl ||
-                serviceUrl,
+            ...baseConnConfig,
+            serviceUrl,
+            authorizationToken: token,
+            authType: 'jwt',
         };
-        await this.saveTokenToSession(destination, connectionConfigWithServiceUrl, {
-            ...serviceKeyAuthConfig,
-            refreshToken: tokenResult.refreshToken || serviceKeyAuthConfig.refreshToken,
-        });
-        return token;
+        const authorizationConfig = {
+            ...authConfig,
+            refreshToken: tokenResult.refreshToken ?? authConfig.refreshToken,
+        };
+        await this.saveTokenToSession(destination, connectionConfigWithServiceUrl, authorizationConfig);
     }
     /**
      * Validate existing token (Step 1)
@@ -345,138 +313,6 @@ class AuthBroker {
             return false;
         }
     }
-    /**
-     * Refresh token from session (Step 2a)
-     */
-    async refreshTokenFromSession(destination, uaaCredentials, refreshToken, serviceUrl) {
-        this.logger?.debug(`Step 2a: Trying refreshTokenFromSession for ${destination}`);
-        const authConfigWithRefresh = { ...uaaCredentials, refreshToken };
-        const refreshTokenFromSession = this.tokenProvider.refreshTokenFromSession;
-        if (!refreshTokenFromSession) {
-            throw new Error('AuthBroker: tokenProvider.refreshTokenFromSession is required');
-        }
-        let tokenResult;
-        try {
-            tokenResult = await refreshTokenFromSession(authConfigWithRefresh, {
-                browser: this.browser,
-                logger: this.logger,
-            });
-        }
-        catch (error) {
-            if (hasErrorCode(error)) {
-                if (error.code === 'ECONNREFUSED' ||
-                    error.code === 'ETIMEDOUT' ||
-                    error.code === 'ENOTFOUND') {
-                    this.logger?.debug(`Step 2a: Network error during refreshTokenFromSession for ${destination}: ${error.code}. Trying refreshTokenFromServiceKey`);
-                    throw error; // Re-throw to trigger fallback to Step 2b
-                }
-            }
-            throw error; // Re-throw other errors
-        }
-        const token = tokenResult.connectionConfig.authorizationToken;
-        if (!token) {
-            throw new Error(`Token provider did not return authorization token for destination "${destination}"`);
-        }
-        const tokenLength = token.length;
-        this.logger?.info(`Step 2a: Token refreshed from session for ${destination}: token(${tokenLength} chars), hasRefreshToken(${!!tokenResult.refreshToken})`);
-        // Get serviceUrl from session or service key
-        let serviceKeyServiceUrl;
-        if (this.serviceKeyStore) {
-            try {
-                const serviceKeyConn = await this.serviceKeyStore.getConnectionConfig(destination);
-                serviceKeyServiceUrl = serviceKeyConn?.serviceUrl;
-            }
-            catch (error) {
-                this.logger?.debug(`Could not get serviceUrl from service key store: ${getErrorMessage(error)}`);
-            }
-        }
-        const finalServiceUrl = tokenResult.connectionConfig.serviceUrl ||
-            serviceUrl ||
-            serviceKeyServiceUrl;
-        const connectionConfigWithServiceUrl = {
-            ...tokenResult.connectionConfig,
-            serviceUrl: finalServiceUrl,
-        };
-        const authorizationConfig = {
-            ...uaaCredentials,
-            refreshToken: tokenResult.refreshToken || refreshToken,
-        };
-        await this.saveTokenToSession(destination, connectionConfigWithServiceUrl, authorizationConfig);
-        return token;
-    }
-    /**
-     * Refresh token from service key (Step 2b)
-     */
-    async refreshTokenFromServiceKey(destination, uaaCredentials, serviceUrl) {
-        if (!this.allowBrowserAuth) {
-            const error = new Error(`Browser authentication required for destination "${destination}" but allowBrowserAuth is disabled. Token refresh via session failed and browser auth is not allowed. Either enable browser auth or ensure a valid refresh token exists in session.`);
-            error.code = 'BROWSER_AUTH_REQUIRED';
-            error.destination = destination;
-            this.logger?.error(`Step 2b: Browser auth required but disabled for ${destination}`);
-            throw error;
-        }
-        this.logger?.debug(`Step 2b: Trying refreshTokenFromServiceKey for ${destination}`);
-        const refreshTokenFromServiceKey = this.tokenProvider.refreshTokenFromServiceKey;
-        if (!refreshTokenFromServiceKey) {
-            throw new Error('AuthBroker: tokenProvider.refreshTokenFromServiceKey is required');
-        }
-        let tokenResult;
-        try {
-            tokenResult = await refreshTokenFromServiceKey(uaaCredentials, {
-                browser: this.browser,
-                logger: this.logger,
-            });
-        }
-        catch (error) {
-            if (hasErrorCode(error)) {
-                if (error.code === 'VALIDATION_ERROR') {
-                    throw new Error(`Token refresh failed: Missing required fields in authConfig - ${error.missingFields?.join(', ')}`);
-                }
-                else if (error.code === 'BROWSER_AUTH_ERROR') {
-                    throw new Error(`Token refresh failed: Browser authentication failed or was cancelled - ${getErrorMessage(error)}`);
-                }
-                else if (error.code === 'ECONNREFUSED' ||
-                    error.code === 'ETIMEDOUT' ||
-                    error.code === 'ENOTFOUND') {
-                    throw new Error(`Token refresh failed: Network error - ${error.code}: Cannot reach authentication server`);
-                }
-                else if (error.code === 'SERVICE_KEY_ERROR') {
-                    throw new Error(`Token refresh failed: Service key not found or invalid for ${destination}`);
-                }
-            }
-            throw new Error(`Token refresh failed for ${destination}: ${getErrorMessage(error)}`);
-        }
-        const token = tokenResult.connectionConfig.authorizationToken;
-        if (!token) {
-            throw new Error(`Token provider did not return authorization token for destination "${destination}"`);
-        }
-        const tokenLength = token.length;
-        this.logger?.info(`Step 2b: Token refreshed from service key for ${destination}: token(${tokenLength} chars), hasRefreshToken(${!!tokenResult.refreshToken})`);
-        // Get serviceUrl from session or service key
-        let serviceKeyServiceUrl;
-        if (this.serviceKeyStore) {
-            try {
-                const serviceKeyConn = await this.serviceKeyStore.getConnectionConfig(destination);
-                serviceKeyServiceUrl = serviceKeyConn?.serviceUrl;
-            }
-            catch (error) {
-                this.logger?.debug(`Could not get serviceUrl from service key store: ${getErrorMessage(error)}`);
-            }
-        }
-        const finalServiceUrl = tokenResult.connectionConfig.serviceUrl ||
-            serviceUrl ||
-            serviceKeyServiceUrl;
-        const connectionConfigWithServiceUrl = {
-            ...tokenResult.connectionConfig,
-            serviceUrl: finalServiceUrl,
-        };
-        const authorizationConfig = {
-            ...uaaCredentials,
-            refreshToken: tokenResult.refreshToken || uaaCredentials.refreshToken,
-        };
-        await this.saveTokenToSession(destination, connectionConfigWithServiceUrl, authorizationConfig);
-        return token;
-    }
     /**
      * Get authentication token for destination.
      * Uses tokenProvider for all authentication operations (browser-based authorization).
@@ -525,34 +361,21 @@ class AuthBroker {
         const serviceUrl = await this.getServiceUrl(destination, connConfig);
         // Check if we have token or UAA credentials
         const hasToken = !!connConfig?.authorizationToken;
-        const hasUaaCredentials = !!(authConfig?.uaaUrl &&
-            authConfig?.uaaClientId &&
-            authConfig?.uaaClientSecret);
-        this.logger?.debug(`Session check for ${destination}: hasToken(${hasToken}), hasUaaCredentials(${hasUaaCredentials}), serviceUrl(${serviceUrl ? 'yes' : 'no'})`);
+        const hasAuthConfig = !!authConfig;
+        this.logger?.debug(`Session check for ${destination}: hasToken(${hasToken}), hasAuthConfig(${hasAuthConfig}), serviceUrl(${serviceUrl ? 'yes' : 'no'})`);
         // Step 0: Initialize Session with Token (if needed)
-        if (!hasToken && !hasUaaCredentials) {
-            try {
-                return await this.initializeSessionFromServiceKey(destination, serviceUrl);
-            }
-            catch (error) {
-                // Re-throw BROWSER_AUTH_REQUIRED error without wrapping
-                if (hasErrorCode(error) && error.code === 'BROWSER_AUTH_REQUIRED') {
-                    throw error;
-                }
-                // Handle typed store errors
-                if (hasErrorCode(error)) {
-                    if (error.code === interfaces_1.STORE_ERROR_CODES.FILE_NOT_FOUND) {
-                        throw new Error(`Cannot initialize session for destination "${destination}": service key file not found`);
-                    }
-                    else if (error.code === interfaces_1.STORE_ERROR_CODES.PARSE_ERROR) {
-                        throw new Error(`Cannot initialize session for destination "${destination}": service key parsing failed - ${getErrorMessage(error)}`);
-                    }
-                    else if (error.code === interfaces_1.STORE_ERROR_CODES.INVALID_CONFIG) {
-                        throw new Error(`Cannot initialize session for destination "${destination}": invalid service key - missing ${error.missingFields?.join(', ') || 'required fields'}`);
-                    }
-                }
+        if (!hasToken && !hasAuthConfig) {
+            if (!this.allowBrowserAuth) {
+                const error = new Error(`Browser authentication required for destination "${destination}" but allowBrowserAuth is disabled. Either enable browser auth or provide a valid session with token.`);
+                error.code = 'BROWSER_AUTH_REQUIRED';
+                error.destination = destination;
+                this.logger?.error(`Step 0: Browser auth required but disabled for ${destination}`);
                 throw error;
             }
+            const serviceKeyAuthConfig = await this.getAuthorizationConfigFromServiceKey(destination);
+            const tokenResult = await this.requestTokens(destination, 'serviceKey');
+            await this.persistTokenResult(destination, serviceUrl, connConfig, serviceKeyAuthConfig, tokenResult);
+            return tokenResult.authorizationToken;
         }
         // Step 1: Validate existing token
         if (hasToken && connConfig?.authorizationToken) {
@@ -566,25 +389,44 @@ class AuthBroker {
                 return connConfig.authorizationToken;
             }
         }
-        // Step 2: Refresh Token Flow
-        this.logger?.debug(`Step 2: Attempting token refresh for ${destination}`);
-        const uaaCredentials = await this.getUaaCredentials(destination, authConfig);
-        // Step 2a: Try refresh from session (if refresh token exists)
-        const refreshToken = authConfig?.refreshToken;
-        if (refreshToken) {
+        // Step 2: Request tokens via provider, preferring session auth config
+        this.logger?.debug(`Step 2: Requesting tokens for ${destination}`);
+        let lastError = null;
+        if (authConfig) {
+            if (!this.allowBrowserAuth && !authConfig.refreshToken) {
+                const error = new Error(`Browser authentication required for destination "${destination}" but allowBrowserAuth is disabled. Session has no refresh token.`);
+                error.code = 'BROWSER_AUTH_REQUIRED';
+                error.destination = destination;
+                this.logger?.error(`Step 2: Browser auth required but disabled for ${destination}`);
+                throw error;
+            }
             try {
-                return await this.refreshTokenFromSession(destination, uaaCredentials, refreshToken, serviceUrl);
+                const tokenResult = await this.requestTokens(destination, 'session');
+                await this.persistTokenResult(destination, serviceUrl, connConfig, authConfig, tokenResult);
+                return tokenResult.authorizationToken;
             }
             catch (error) {
-                this.logger?.debug(`Step 2a: refreshTokenFromSession failed for ${destination}: ${getErrorMessage(error)}, trying refreshTokenFromServiceKey`);
-                // Continue to try service key refresh
+                lastError = error instanceof Error ? error : new Error(String(error));
+                this.logger?.debug(`Step 2: Token request via session failed for ${destination}: ${getErrorMessage(error)}, trying service key`);
             }
         }
-        else {
-            this.logger?.debug(`Step 2a: No refresh token in session for ${destination}, skipping to service key refresh`);
+        if (!this.allowBrowserAuth) {
+            const error = new Error(`Browser authentication required for destination "${destination}" but allowBrowserAuth is disabled. Token refresh via session failed and browser auth is not allowed. Either enable browser auth or ensure a valid refresh token exists in session.`);
+            error.code = 'BROWSER_AUTH_REQUIRED';
+            error.destination = destination;
+            this.logger?.error(`Step 2: Browser auth required but disabled for ${destination}`);
+            throw error;
+        }
+        if (!this.serviceKeyStore) {
+            if (lastError) {
+                throw lastError;
+            }
+            throw new Error(`Authorization config not found for ${destination}. Session has no auth config and serviceKeyStore is not available.`);
         }
-        // Step 2b: Try refresh from service key (browser authentication)
-        return await this.refreshTokenFromServiceKey(destination, uaaCredentials, serviceUrl);
+        const serviceKeyAuthConfig = await this.getAuthorizationConfigFromServiceKey(destination);
+        const tokenResult = await this.requestTokens(destination, 'serviceKey');
+        await this.persistTokenResult(destination, serviceUrl, connConfig, serviceKeyAuthConfig, tokenResult);
+        return tokenResult.authorizationToken;
     }
     /**
      * Force refresh token for destination.

package/dist/index.d.ts

@@ -4,7 +4,7 @@
  */
 export type { AuthType, ILogger, ITokenRefresher, } from '@mcp-abap-adt/interfaces';
 export { AuthBroker, type AuthBrokerConfig } from './AuthBroker';
-export type { ITokenProvider, TokenProviderOptions, TokenProviderResult, } from './providers';
+export type { ITokenProvider, ITokenResult, TokenProviderOptions, } from './providers';
 export type { IAuthorizationConfig, IConnectionConfig, IServiceKeyStore, ISessionStore, } from './stores/interfaces';
 export type { IConfig } from './types';
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAKH,YAAY,EACV,QAAQ,EACR,OAAO,EACP,eAAe,GAChB,MAAM,0BAA0B,CAAC;AAClC,OAAO,EAAE,UAAU,EAAE,KAAK,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAEjE,YAAY,EACV,cAAc,EACd,oBAAoB,EACpB,mBAAmB,GACpB,MAAM,aAAa,CAAC;AAGrB,YAAY,EACV,oBAAoB,EACpB,iBAAiB,EACjB,gBAAgB,EAChB,aAAa,GACd,MAAM,qBAAqB,CAAC;AAC7B,YAAY,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAKH,YAAY,EACV,QAAQ,EACR,OAAO,EACP,eAAe,GAChB,MAAM,0BAA0B,CAAC;AAClC,OAAO,EAAE,UAAU,EAAE,KAAK,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAEjE,YAAY,EACV,cAAc,EACd,YAAY,EACZ,oBAAoB,GACrB,MAAM,aAAa,CAAC;AAGrB,YAAY,EACV,oBAAoB,EACpB,iBAAiB,EACjB,gBAAgB,EAChB,aAAa,GACd,MAAM,qBAAqB,CAAC;AAC7B,YAAY,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC"}

package/dist/providers/ITokenProvider.d.ts

@@ -1,13 +1,9 @@
 /**
  * Token Provider interface
  *
- * Converts IAuthorizationConfig to IConnectionConfig by obtaining tokens.
- * Different implementations handle different authentication flows:
- * - XSUAA: client_credentials grant type (no browser)
- * - BTP/ABAP: browser-based OAuth2 or refresh token
+ * Stateful providers handle token lifecycle internally (refresh/relogin).
  */
-import type { IAuthorizationConfig, IConnectionConfig, ITokenProvider, ITokenProviderOptions, ITokenProviderResult } from '@mcp-abap-adt/interfaces';
-export type { ITokenProvider, IAuthorizationConfig, IConnectionConfig };
-export type TokenProviderResult = ITokenProviderResult;
+import type { IAuthorizationConfig, IConnectionConfig, ITokenProvider, ITokenProviderOptions, ITokenResult } from '@mcp-abap-adt/interfaces';
+export type { ITokenProvider, IAuthorizationConfig, IConnectionConfig, ITokenResult, };
 export type TokenProviderOptions = ITokenProviderOptions;
 //# sourceMappingURL=ITokenProvider.d.ts.map

package/dist/providers/ITokenProvider.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ITokenProvider.d.ts","sourceRoot":"","sources":["../../src/providers/ITokenProvider.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,KAAK,EACV,oBAAoB,EACpB,iBAAiB,EACjB,cAAc,EACd,qBAAqB,EACrB,oBAAoB,EACrB,MAAM,0BAA0B,CAAC;AAGlC,YAAY,EAAE,cAAc,EAAE,oBAAoB,EAAE,iBAAiB,EAAE,CAAC;AACxE,MAAM,MAAM,mBAAmB,GAAG,oBAAoB,CAAC;AACvD,MAAM,MAAM,oBAAoB,GAAG,qBAAqB,CAAC"}
+{"version":3,"file":"ITokenProvider.d.ts","sourceRoot":"","sources":["../../src/providers/ITokenProvider.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,KAAK,EACV,oBAAoB,EACpB,iBAAiB,EACjB,cAAc,EACd,qBAAqB,EACrB,YAAY,EACb,MAAM,0BAA0B,CAAC;AAGlC,YAAY,EACV,cAAc,EACd,oBAAoB,EACpB,iBAAiB,EACjB,YAAY,GACb,CAAC;AACF,MAAM,MAAM,oBAAoB,GAAG,qBAAqB,CAAC"}

package/dist/providers/ITokenProvider.js

@@ -2,9 +2,6 @@
 /**
  * Token Provider interface
  *
- * Converts IAuthorizationConfig to IConnectionConfig by obtaining tokens.
- * Different implementations handle different authentication flows:
- * - XSUAA: client_credentials grant type (no browser)
- * - BTP/ABAP: browser-based OAuth2 or refresh token
+ * Stateful providers handle token lifecycle internally (refresh/relogin).
  */
 Object.defineProperty(exports, "__esModule", { value: true });

package/dist/providers/index.d.ts

@@ -4,5 +4,5 @@
  * Provider implementations are in separate packages:
  * - @mcp-abap-adt/auth-providers - XSUAA and BTP providers
  */
-export type { ITokenProvider, TokenProviderOptions, TokenProviderResult, } from './ITokenProvider';
+export type { ITokenProvider, ITokenResult, TokenProviderOptions, } from './ITokenProvider';
 //# sourceMappingURL=index.d.ts.map

package/dist/providers/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/providers/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,YAAY,EACV,cAAc,EACd,oBAAoB,EACpB,mBAAmB,GACpB,MAAM,kBAAkB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/providers/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,YAAY,EACV,cAAc,EACd,YAAY,EACZ,oBAAoB,GACrB,MAAM,kBAAkB,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mcp-abap-adt/auth-broker",
-  "version": "0.2.11",
+  "version": "0.2.12",
   "description": "JWT authentication broker for MCP ABAP ADT - manages tokens based on destination headers",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",