fix(auth): release lock around yield in async_auth_flow to prevent RuntimeError

[WachsenHaus]

Bug Summary

Error: RuntimeError: The current task is not holding this lock

Location: src/mcp/client/auth/oauth2.py - OAuthClientProvider.async_auth_flow()

Impact: OAuth authentication fails when the browser opens for authorization

Root Cause

The async_auth_flow() method wraps all yield statements inside a single async with self.context.lock: block. When the async generator suspends at yield, the event loop may switch tasks, and anyio.Lock (which tracks task ownership) raises RuntimeError when the generator resumes or is garbage-collected in a different task context.

Solution

Release the lock before each yield and re-acquire it after the generator resumes:

1. Acquire lock for state preparation
2. Release lock before yield (generator suspension point)
3. Re-acquire lock after yield resumes
4. Handle response with lock held

All existing functionality is preserved:

• Protected Resource Metadata discovery (SEP-985)
• OAuth Authorization Server Metadata discovery with fallback
• Scope selection strategy
• CIMD (Client Information Metadata Document) support
• Dynamic Client Registration fallback
• 403 step-up authorization
• Token refresh flow

Test Results

All existing tests pass (166 passed, 0 failed):

``````
$ pytest tests/client/ -x -q
166 passed, 3 skipped, 1 xfailed
``````

Reproduction

1. Configure an MCP server with OAuth authentication
2. Attempt to authorize (browser opens)
3. Before fix: RuntimeError: The current task is not holding this lock
4. After fix: Successfully authorized