fix(auth): preserve existing refresh_token when server omits it

Jah-yee · Jah-yee · commit 77ddcd5d4a42 · 2026-03-12T01:51:57.000+08:00
Per RFC 6749 Section 6, issuing a new refresh token in the refresh response is optional. When the authorization server does not return a new refresh_token, the previously stored refresh_token is now preserved instead of being discarded. Fixes: #2270
diff --git a/src/mcp/client/auth/oauth2.py b/src/mcp/client/auth/oauth2.py
@@ -458,6 +458,11 @@ async def _handle_refresh_response(self, response: httpx.Response) -> bool:  # p
             content = await response.aread()
             token_response = OAuthToken.model_validate_json(content)
 
+            # Per RFC 6749 Section 6, the server may not return a new refresh_token.
+            # If the server omits it, preserve the existing refresh_token.
+            if not token_response.refresh_token and self.context.current_tokens:
+                token_response.refresh_token = self.context.current_tokens.refresh_token
+
             self.context.current_tokens = token_response
             self.context.update_token_expiry(token_response)
             await self.context.storage.set_tokens(token_response)
