From 0c207d255badc2f9779c91b2b081df3beaccde6e Mon Sep 17 00:00:00 2001
From: OpenClaw AI <ai@example.com>
Date: Wed, 11 Mar 2026 23:22:59 +0800
Subject: [PATCH] fix(oauth): preserve existing refresh_token when server omits
 it

Per RFC 6749 Section 6, the authorization server MAY issue a new
refresh token in the refresh response. If the server does not issue
a new refresh token, the client must preserve the existing one.

This fix preserves the existing refresh_token when the OAuth server's
refresh response omits it, which is common for providers like Google,
Auth0, and Okta.

Fixes #2270
---
 src/mcp/client/auth/oauth2.py | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/src/mcp/client/auth/oauth2.py b/src/mcp/client/auth/oauth2.py
index 25075dec3..952d2c108 100644
--- a/src/mcp/client/auth/oauth2.py
+++ b/src/mcp/client/auth/oauth2.py
@@ -458,6 +458,17 @@ async def _handle_refresh_response(self, response: httpx.Response) -> bool:  # p
             content = await response.aread()
             token_response = OAuthToken.model_validate_json(content)
 
+            # Per RFC 6749 Section 6, the server MAY issue a new refresh token.
+            # If the response omits it, preserve the existing one.
+            if (
+                not token_response.refresh_token
+                and self.context.current_tokens
+                and self.context.current_tokens.refresh_token
+            ):
+                token_response = token_response.model_copy(
+                    update={"refresh_token": self.context.current_tokens.refresh_token}
+                )
+
             self.context.current_tokens = token_response
             self.context.update_token_expiry(token_response)
             await self.context.storage.set_tokens(token_response)